New Tool From Cisco Hunts Flaws in Automotive Computers

Cisco has released a new hardware tool designed to help researchers, developers and automakers discover vulnerabilities in automobile computers. 

Modern vehicles contain hundreds of sensors that feed information about the surrounding environment to the vehicle computer. These components deliver real-time information to the driver, connect the car to a network, and even automatically drive the vehicle, but they are susceptible to vulnerabilities in software, remote control, or abuse via physical access.

The global connected car market is expected to exceed $225 billion by 2025, and Cisco aims to help secure this emerging technology with the release of a new hardware tool called 4CAN.

Released as open-source, the tool is meant for all automobile security researchers who want to test their on-board computers for potential vulnerabilities. 

Access to the vehicle computer, Cisco notes, is possible via Wi-Fi, Bluetooth, or cellular communication protocols, but the backbone of a vehicle’s network is a Controller Area Network (CAN). Typically, a car has multiple CAN buses combined with a gateway, and vehicles that Cisco’s researchers tested have 4 CAN buses. 

While devices that allow testing of the CAN bus do exist, each with pros and cons, none provides the ease of use Cisco was looking for. 

The 4CAN tool was designed to help validate communication policy for intra-CAN bus communication, to fuzz components (sending randomized payloads) to identify vulnerabilities, to explore the CAN commands used to control or interact with the vehicle, and to simplify the testbench setup so that everything stays organized and in sync.

George Tarnovsky, a member of Cisco’s Customer Experience Assessment & Penetration Team (CX APT), is the originator of the 4CAN’s design, which was inspired by and is loosely based on the IndustrialBerry QUAD CAN BUS adapter for Raspberry CanBerry.

“Using 4CAN, the test bench setup is vastly simplified. With a single Raspberry Pi, we can simultaneously test four CAN channels, and since the 4CAN exposes the entire 40-pin GPIO header, we can remotely control the test vehicle,” Cisco explains. 

The 4CAN tool has been released in open source and is available on GitHub, licensed under a Creative Commons Attribution Share-Alike license.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
