
New Tool From Cisco Hunts Flaws in Automotive Computers

Cisco has released a new hardware tool designed to help researchers, developers and automakers discover vulnerabilities in automobile computers. 


Modern vehicles contain hundreds of sensors that feed information about the surrounding environment to the vehicle computer. These components deliver real-time information to the driver, connect the car to a network, and even automatically drive the vehicle, but they are susceptible to vulnerabilities in software, remote control, or abuse via physical access.

The global connected car market is expected to exceed $225 billion by 2025, and Cisco aims to help secure this emerging technology with the release of a new hardware tool called 4CAN.

Released as open-source, the tool is meant for all automobile security researchers who want to test their on-board computers for potential vulnerabilities. 

Access to the vehicle computer, Cisco notes, is possible via Wi-Fi, Bluetooth, or cellular communication protocols, but the backbone of a vehicle’s network is a Controller Area Network (CAN). Typically, a car has multiple CAN buses combined with a gateway, and vehicles that Cisco’s researchers tested have 4 CAN buses. 

While devices that allow testing of the CAN bus do exist, each with pros and cons, none provides the ease of use Cisco was looking for. 

The 4CAN tool was designed to help validate communication policy for intra-CAN bus communication, to fuzz components (sending randomized payloads) to identify vulnerabilities, to explore the CAN commands used to control or interact with the vehicle, and to simplify a testbench setup to keep everything organized and in sync.

George Tarnovsky, a member of Cisco’s Customer Experience Assessment & Penetration Team (CX APT), is the originator of the 4CAN’s design, which was inspired by and is loosely based on the IndustrialBerry QUAD CAN BUS adapter for Raspberry CanBerry.


“Using 4CAN, the test bench setup is vastly simplified. With a single Raspberry Pi, we can simultaneously test four CAN channels, and since the 4CAN exposes the entire 40-pin GPIO header, we can remotely control the test vehicle,” Cisco explains. 

The 4CAN tool has been released in open source and is available on GitHub, licensed under a Creative Commons Attribution Share-Alike license.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
