Caring Caribou

A friendly car security exploration tool

Rationale

We are lacking a security testing tool for automotive. A zero-knowledge tool that can be dropped onto any CAN network and collect information regarding what services and vulnerabilities exist. This is a start.

This work was initiated as part of the research project HEAVENS (HEAling Vulnerabilities to ENhance Software Security and Safety), but lives on as a stand-alone project.

How to use

The best way to understand how to use Caring Caribou is to look at the help screen:

python cc.py -h

or simply

./cc.py -h

This will list all available modules at the bottom of the output. Help for specific modules works the same way. For example, the help screen for the send module is shown by running

./cc.py send -h

The module help always includes some usage examples. If the module has multiple sub functions, these have similar help screens as well:

./cc.py send message -h
./cc.py send file -h

More detailed usage information is available here.

Features and Architecture

Caring Caribou is based on a master script cc.py, which runs the show. This enables an easy drop-in architecture for new modules, which are located in the /modules folder.

The /lib folder contains various higher level CAN protocol implementations and shared functions, meant to be used by modules.

The /tests folder contains automated test suites and /documentation stores module documentation files.

List of Modules

A clean installation of Caring Caribou includes the following modules:

uds - Universal Diagnostic Services

Discovers and utilizes various ISO 14229-1 services.

• discovery - Scans for ECUs supporting diagnostics services
• services - Scans for diagnostics services supported by an ECU
• ecu_reset - Reset an ECU
• testerpresent - Force an elevated session against an ECU to stay active

Details here: uds module

xcp - Universal Measurement and Calibration Protocol (XCP)

• discovery - Scans for ECUs supporting XCP
• info - XCP Get Basic Information. Retrieves information about XCP abilities of an ECU
• dump - XCP Upload. Used to dump ECU memory (such as SRAM, flash and bootloader) to file

Details here: xcp module

fuzzer - CAN fuzzer

• random - sends random CAN messages
• brute - brute forces all possible messages matching a given bit mask
• mutate - mutate selected nibbles of a given message
• replay - replay a log file from a previous fuzzing session
• identify - replay a log file and identify message causing a specific event

Details here: fuzzer module

dump - Dump CAN traffic

Dumps incoming traffic to stdout (terminal output) or file

Details here: dump module

send - Send CAN packets

Raw message transmission module, used to send messages manually from command line or replay dump files

Details here: send module

listener - Listener

Lists all distinct arbitration IDs being used on the CAN bus

Details here: listener module

test - Run test suite

Runs automated Caring Caribou test suites

dcm - [deprecated] Diagnostics Control Module

Note: This module has been replaced by the UDS module. It is still supported by CC due to legacy reasons.

Details here: dcm module

List of libraries

The /lib folder contains the following libraries:

can_actions.py

Provides abstraction for access to the CAN bus, bruteforce engines etc.

common.py

Contains various common functions, type converters etc.

constants.py

Constant definitions

iso14229_1.py

Implementation of the ISO-14229-1 standard for Unified Diagnostic Services (UDS).

iso15765_2.py

Implementation of the ISO-15765-2 standard (ISO-TP). This is a transport protocol which enables sending of messages longer than 8 bytes over CAN by splitting them into multiple data frames.

Hardware requirements

Some sort of CAN bus interface (http://elinux.org/CAN_Bus#CAN_Support_in_Linux)

Software requirements

• Python 2.7 or 3.x
• python-can
• a pretty modern linux kernel

How to install

Instructions available here

Extending the project

Create a python file with a function module_main(args) and put it in the tool/modules folder. Caring Caribou will automagically recognize it as a module and list it in the output of ./cc.py -h

For example, if your new module is located in modules/foo.py you run it with the command ./cc.py foo. Additional arguments (if any) are passed as arguments to the module_main function.

A template for new modules is available in tool/template

The target

The target ECU used for the development setup is an STM32F107 based dev-board from ArcCore called Arctic EVK-M3, but the tool can be used against any ECU communicating over a CAN bus.

Contributors

• The HEAVENS project, funded by VINNOVA
• Christian Sandberg
• Kasper Karlsson
• Tobias Lans
• Mattias Jidhage
• Johannes Weschke
• Filip Hesslund
• Craig Smith (OpenGarages.org)
• internot
• Mathijs Hubrechtsen
• Lear Corporation
• sigttou
• FearfulSpoon