By Jay Turla (Principal Security Researcher, VicOne)
As today’s connected cars navigate an ever-evolving threat landscape, automotive security researchers need robust tools to quickly and efficiently analyze vulnerabilities. Two of the more noteworthy tools in this respect are Python and ChatGPT. As I discuss in this article, when used together, Python and ChatGPT provide powerful capabilities for automating tasks, creating proofs of concept (POCs) of attacks, and exploring vulnerabilities in automotive systems.
Experimenting with the CAN bus through Python
Python, a versatile programming language, has proven to be popular among car hackers and automotive security researchers, along with C++ and Arduino Programming in C. I find it particularly useful for creating POCs of known attacks because of its extensive modules and libraries that simplify automation and scripting tasks.
For automotive security researchers like myself, several libraries stand out in working with a vehicle’s CAN (Controller Area Network) bus. These include can-isotp, python-can, and pyvit. The latter two are particularly good choices for beginners as these libraries simplify interacting with the CAN bus.
As for users who don’t have a car to practice with, they can easily create a virtual CAN bus (vcan0) device for simulation using these bash commands in any Linux virtual machine:
sudo modprobe can
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
In the succeeding subsections, I share practical examples of how Python can be used to learn about and experiment with the CAN bus.
Spamming the CAN bus via python-can
The python-can library provides common abstractions to different CAN bus devices and offers pre-built functions for sending and receiving messages to and from the CAN bus. In this example, I show how one can use python-can to send a flood of messages to the CAN bus, all using the same arbitration ID.
Below is a basic python-can library that connects to a virtual CAN bus (vcan0) and sends a single frame.
Figure 1. A basic python-can library that sets up a vcan0 device
Figure 2. An actual CAN dump of the virtual CAN bus interface
Next is an example of a fuzzing script that spams the CAN bus with 100 data frames, all using a single arbitration ID: 1337.
Figure 3. A sample fuzzing script that spams the CAN bus with data frames with one arbitration ID
While the 100 data frames in this example might not be enough to disrupt critical systems, CAN bus spamming can be a stepping stone for more sophisticated attacks. By flooding the bus with seemingly harmless data, malicious actors can mask commands designed to compromise specific electronic control units (ECUs) or even take complete control of a vehicle. This underscores the importance of robust automotive cybersecurity that can detect and thwart such activity.
DoS attack and ECU hard reset using pyvit
Another valuable library for interacting with the CAN bus is pyvit. It offers good examples, code snippets, and documentation to get one started. While the pyvit GitHub repository is currently archived, some automotive security researchers still find it useful. One can still access pyvit by cloning the repository directly or installing it using pip, a common Python package manager.
As an example, the script below demonstrates a denial-of-service (DoS) attack, specifically a Firehose attack, on the CAN bus. A Firehose attack is aptly named since it floods the CAN bus with data, aiming to overwhelm the bus and deny other services or functions.
Figure 4. A Firehose attack using pyvit
The next script demonstrates how to send an ECU Hard Reset command. This could be considered a security vulnerability if a malicious actor could exploit it by sending the reset via the “dirty side” or an authorized access point such as the on-board diagnostics (OBD-II) port or the in-vehicle infotainment (IVI) system.
To determine if the ECU hard reset is successful, a message reply with the following characteristics should appear on the CAN bus: 02 51 01 via an arbitration ID 0x77a.
Figure 5. An ECU hard reset script
An ECU hard reset could have serious security and safety implications. If exploited by a malicious actor, an ECU hard reset could allow them to tamper with a vehicle’s behavior or disable its security features, potentially putting its driver and passengers at significant risk.
Discovering UDS IDs using CaringCaribou
There are other open-source Python tools that help automotive security researchers explore vehicle vulnerabilities and potentially address these through software updates and other security mitigations. Aside from the previously mentioned ones, I also like using CaringCaribou as it is fast and efficient in discovering UDS (Unified Diagnostic Service) identifiers or IDs, the specific codes used for ECU diagnostics.
Figure 6. A sample dialog using CaringCaribou, a Python-based car security exploration tool
While UDS IDs are valuable for researchers in identifying potential vulnerabilities, these same identifiers can be used by attackers. In the wrong hands, they can be exploited to manipulate vehicle settings, execute an ECU hard reset, or even bypass security access — all of which could compromise vehicle safety and security.
Leveraging ChatGPT
Programmers can take advantage of the popular AI chatbot ChatGPT to streamline code development by assisting with writing and debugging programs. Security researchers can also use it as a valuable resource for penetration testing, particularly in the information gathering phase.
Figure 7. A sample use case where ChatGPT is tasked to create a buffer overflow script
Figure 8. Information gathering for penetration testing via ChatGPT
ChatGPT can also be used as a guide in creating automation scripts or POC examples for exploiting automotive security bugs. For instance, ChatGPT can be tasked to create a POC of the low-level CAN bus attack known as the Janus Attack using the python-can module.
Figure 9. A python-can POC of the Janus Attack created using ChatGPT
The possibilities do not end there. I’ve even taught ChatGPT to write a module in CAN Tools of Trade, a CAN bus hacking framework I created that contains known CAN bus vulnerabilities and serves as a guide for both penetration-testing vehicles and learning Python for automotive security research.
Figure 10. CAN Tools of Trade has some examples or modules that automotive security researchers and cybersecurity professionals can practice with.
To teach ChatGPT to write a module in my hacking framework, I simply paste one of the code modules and let ChatGPT analyze it, and then I instruct it to generate a CAN bus attack script.
Below is a POC of a CAN bus DoS attack generated by ChatGPT for the framework CAN Tools of Trade.
Figure 11. Teaching ChatGPT to write a POC of a DoS attack in CAN Tools of Trade
Conclusion
It is important to note that while Python can potentially be used by malicious attackers to exploit vulnerabilities and launch cyberattacks, it can also empower automotive security researchers to stay steps ahead through ethical hacking and responsible vulnerability disclosure. Combining this versatile tool with ChatGPT further enhances the capabilities of researchers by helping them debug and examine different perspectives for their code when automating tasks, scripting POCs, and exploring vulnerabilities in automotive systems.
There are other frameworks and tools that can help researchers in conducting studies and tests for the advancement of automotive cybersecurity. The effective integration of ChatGPT’s capabilities into these frameworks and tools demonstrates the compelling potential of AI-driven assistance in crafting modules and probing uncharted attack vectors, especially in today’s rapidly expanding and evolving automotive threat landscape.
VicOne published a two-part blog series on the potentials of ChatGPT in the automotive industry. The first part discusses how ChatGPT could become the next AI milestone for autonomous driving and the second tackles its impacts on automotive security and safety.
