Mohamad Ali Mokhadder, Samar Bayan, Utayba Mohammad
2021 IEEE International Conference on Electro Information Technology (EIT), published 2021-05-14. DOI: 10.1109/EIT51626.2021.9491907 (https://doi.org/10.1109/EIT51626.2021.9491907)
An Intelligent Approach to Reverse Engineer CAN Messages in Automotive Systems
Most of the advanced features in today’s automobiles are performed by Electronic Control Units (ECUs) and an intra-vehicle communication network that allows these ECUs to exchange data. The most dominant intra-vehicle communication protocol is the Controller Area Network (CAN) protocol. The broadcast nature of CAN and the ability to access it through multiple interfaces in a vehicle introduce an array of attack vectors that make vehicles vulnerable to cyber threats. CAN messages are proprietary to manufacturers, and their IDs and contents are guarded closely for intellectual property and security reasons. In this paper, an Automated Current-Based Fuzzing System (ACFS) is introduced. ACFS is a lightweight reverse engineering system that identifies CAN messages related to a specific user-vehicle interaction. It monitors and synchronizes variations in the data of CAN messages with current readings drawn from the vehicle’s battery. Then, it passes the current signal through a frequency analysis and filtering stage and associates changes in the output signal with the CAN bus traffic. As a result, a small group of candidate messages related to a specific user-vehicle interaction, e.g., turning headlights on, is identified. The candidate messages are then played back on the vehicle CAN bus to identify the correct and desired message ID and data. This process allows the user to control specific actions in the vehicle without deep knowledge of its internal setup and functionality, simply by accessing the CAN bus. The ACFS system was tested on a 2017 production prototype BreadBoard Vehicle (BBV) and was able to automatically extract many of the messages that control the headlights, turn signals, and information cluster.