CAN network by its nature is supposed to be a "trusted network" with no external Inputs available (Air Gapped). But yeah, because headlights and blinkers needllessly complicated, cough er, need data uplinks.... totally NOT to check with Toyota if you've subscribed to their monthly "safety package" for $7.99, yeah, we've sort violated the Air Gap principal.
Here's the problem everyone needs to pay attention to: If you demand Encrypted OR Signed CAN Bus, you will ABSOLUTELY get it from the manufacturers in the name of security. They will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
So be careful what you scream for. We already have enough un-repairable items.
> But yeah, because headlights and blinkers needllessly complicated, cough er, need data uplinks.... totally NOT to check with Toyota if you've subscribed to their monthly "safety package" for $7.99,
That’s not what’s happening. The value in a CAN bus control is that you can significantly reduce the wiring requirements.
Old school blinkers and headlights would require separate power wires for every function: Blinker, low beams, high beams. Those separate wires would each be snaked through long wiring harnesses back to relays somewhere else in a central location.
With CAN, you can run a single large gauge power and ground pair and use the CAN bus to tell the remote module what to do with tiny signal wires. It may not sound like a big deal, but cars have a lot of electronic pieces all over. Simplifying wiring can add up to a significant weight and cost reduction. You now also have the ability to add more monitoring, such as simple sensors to detect when a bulb has failed
Vehicle manufacturing is ruthlessly optimized. Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.
> Vehicle manufacturing is ruthlessly optimized. Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.
You make it sound as though this intended to be a benefit to the consumer or the end product. Having worked on and around cars, and being friends with people who do for a living, I am really unconvinced that the manufacturers do a lot of this for any consumer-friendly reason, rather than simply trying to squeeze a buck out of you.
I can absolutely tell you that Volvo, for example, does what the GP is talking about, and then some. On an old school GM or Toyota, if you break a simple switch or knob, or things that really should just be simple devices, you can just pull it out, go to the junkyard or a parts retailer, and put the new one in and be on your way. Not so for Volvo (and I'm sure this has caught on in other manufacturers): if your switch or control or whatever fails, and its hooked up to the CAN-bus, whatever replacement you find simply won't work until you've gone to the dealership (if they even let you use a part that didn't come from there at all) and gotten them to flash the part and whatever other crap needs flashing like a BCM to get them to be compatible (I think just flashing the serial number of a BCM or whatever it needs to play nice with to the switch), at the tune of a couple hundred or more dollars each time.
So in essence, a stupid simple part, that should have been $5-10 that the manufacturer likely never would have seen a dollar from in the aftermarket, is now a $200+ dollar flash at the dealership, using the manufacturer scan tool, and also increasingly requires only parts the manufacturer can generate. So no, I really am extremely skeptical, given what occurs *today* that 95+% of the junk on CAN bus is there for any reason other than to boost dealership and manufacturer profits for no other reason than the fact they can.
Building with one bus is just easier. It's not some nefarious end goal.
It's like putting everything over IP (VoIP, video over IP, audio over IP, etc.) and then just running Ethernet throughout your building. From an engineering perspective, it's just way easier. Routing wires -- on a circuit board, in a building, in a car, in anything -- is just a real PITA.
Now it's definitely true that having to flash something on the CAN bus to make it work is possibly due to greed, but the original idea of putting things on one bus is not.
> You make it sound as though this intended to be a benefit to the consumer or the end product. Having worked on and around cars, and being friends with people who do for a living, I am really unconvinced that the manufacturers do a lot of this for any consumer-friendly reason, rather than simply trying to squeeze a buck out of you.
The "consumer friendly" part is competing on price; they don't care about repair cost, in fact parts for repair is just recurring revenue on top on (till before pandemic) slim margins on selling the car
Isn't that what's supposed to happen in capitalism? Everyone working is getting paid, supply matching demand, prices reducing and ostensibly zero profit for established sectors.
I never got the impression the previous poster was saying this is a benefit for consumers; he's saying it's for the manufacturer, to cut costs.
Edit: that being said, all your points are completely valid.
I own a vehicle built in 1981. I can absolutely assure you that CAN is better for consumers. People seem to forget the two-inch thick bundles of wires, the hours spent tracing one turn indicator cable, the insulation of the cables in the middle starting to rot and things shorting out, water getting trapped in bundles, failures modes including stuff melting inside the dashboard from high-current stuff all being wired back to a central place... I could go on.
After my recent sample n=1 (2015 Honda), I'm left wondering how much mechanic griping is due to a lack of engagement with digital systems rather than a hard lack of ability.
I bought a $20 OBD2/J2534 cable, downloaded an easily-available ["pirated"] copy of Honda HDS, and seemingly had access to all the functionality a dealer would have. From looking at the Honda website, I could have paid by the day/week/etc for official access to flashing tools or the newer iHDS, which I might have needed for a newer car.
If I had wanted to reflash any of the modules, I probably would have wanted a better cable (though it's hard to know if module manufacturers really have such shoddy update processes that interrupting the flashing can really brick a device, or if that's just persistent superstition like so much in the car world). But I was able to replace the VSA/ABS module and perform the necessary "dealer reset" procedures no problem. I just wish I had obtained this setup before I went about misdiagnosing the problem based on a document that claimed to be the OEM service manual but actually wasn't. Luckily the part I misdiagnosed did end up being the problem!
Of course, I would love for there to be some sort of mandate for manufacturers to document the details of all CAN messages. Because there don't seem to be that many different module manufacturers, they must all be working to some kind of internal standards for their own interchange, and end-user visibility into computing systems is critically necessary for preventing computational disenfranchisement where people see these systems as impenetrable black boxes. But it feels at least in Honda land, much of that capability is practically available to the repair market (at least as of 2015 model years). One just needs to get over the activation energy of setting up the OEM software tool.
Good example. Do you know of anywhere that Volvo parts pairing / programming issue is written up or documented?
I'm working on Right to Repair and we get asked for examples like this from various government agencies all the time. It would be very helpful, thanks!
If you're looking for informal evidence, there's plenty of posts on SwedeSpeed and Volvo Forums (and probably Turbo Bricks, for those masochists that own a post-RWD car) bemoaning needing to constantly reprogram tons of things like door switches, and the various lengths owners and enthusiasts will go to in order to attempt to overcome these issues.
If you're looking for something a little more formal, I think the factory service manual probably calls out that the R&R on a ton of parts will involve reprogramming. I no longer own any post-Ford Volvos nor do I have any interest in European cars, so unfortunately I don't have any newer FSMs. A way you might be able to get at one on the cheap is to pick a popular model/year later Volvo (maybe like a 2016+ XC60?), and get a subscription to the make/model/year on Alldata (which was something like $20 a year for just a single combination), or hunt for an FSM on eBay, if it's old enough to still have a paper FSM.
My friend's 2016ish VW jetta straight up uses proprietary bolts and shit in it. He and I are the type to do all our own car maintenance but his car has pushed my patience beyond anything I've seen prior...
Dad used to rebuild and repair late model Volkswagens, and I got a first hand taste of what it's like servicing those. German cars are the absolute worst, especially in this regard. Everything little plastic piece is hundreds of dollars when it breaks, and it all had to have been installed by German contortionists. Need to do something on the engine? Better get if on the lift, because the whole front cradle needs to be dropped out from the bottom of the car if you want to get it done in anything short of a glacial pace. Vag-Com is an expensive and irritating piece of kit, maybe only second to Vida Dice (Volvo) in terms of level of frustration sometimes.
There's no way I would ever recommend someone who wanted to keep their car past the first 50 or so thousand miles ever buy a VW or a VW with slightly shinier wallpaper (Audi). There's a reason the service techs on those and BMWs get paid well, and why they're often hated by mechanics.
"they can be expensive, but you can buy them" seems to be a very surface-level view here.
Say I only need to replace a $5 switch as the parent poster suggests. My options then are pay $200 to the dealership to flash and install it (if they'll even flash a third party part) one time, or I can pay thousands of dollars for a tool I'll use once and do it myself.
That isn't a real choice, and the auto makers are adhering to the letter of the law but not the spirit of the law. Which is legal for them to do, but it doesn't make it any less scummy.
Ford I believe now requires a subscription for diagnostics but I haven't seen anything about per VIN charges yet. I'm not sure about the British or Japanese brands either. This is AFAIK regardless of dealership or independent shop.
Gm is $40 per VIN 1 year,
Chrysler is $35 for flashing but to do that you need 2 more subscriptions which totals about $120
There are aftermarket tools but the subscriptions are for a year and about $1000-$4000
The problem is as I always point, that people want complexity and technology for everyday but as soon as something breaks they want it to be like 1990.
The article complains about CAN bus not being secure but this sort of attack is very rare, you need special tools, skills, physical access to the network and time. Regular car thieves don’t go and make a key to steal a car, that would be the same as a 1980’s one breaking a window and start trying to decode the cylinder and then cutting a key!
How does a towing company get your car in 10 seconds? That’s how they’re stolen most of the time.
God damn. I swear if they could , they would make you buy a fucking new wrench every time you work on a different car. Such bullshit how they tie their tools to a per-vin registration.
this is much more about insurance companies only paying for cheaper 3rd party parts for repairs than it is anything anti-consumer, though I'm sure there's some of that, too.
the automotive parts industry is massive and if you allow third party parts manufacturers to make parts for your car, you are undercutting your own parts replacement business. how do you counter that? you require that replacement parts come from you. the only way to do that is via electronic means, because anything purely mechanical can (and is) reverse engineered quickly.
insurance companies fight against this in court because 3rd party parts are much cheaper than official parts, and usually come with an associated dip in quality as well, which is another reason auto makers fight for first-party parts businesses.
Honda doesn't want Snake Oil Autoparts stuff installed on cars which are still under warranty after a collision, for example, but the insurance company paying for those repairs definitely does.
> you require that replacement parts come from you. the only way to do that is via electronic means, because anything purely mechanical can (and is) reverse engineered quickly.
They lost the right to require things to do with thr car the
y sold the car.
Electronic lockouts will be cobsidered theft one day
> They lost the right to require things to do with [the] car they sold the car.
not if you want a warranty or any manufacturer support on the vehicle at all, and these are things that consumers value a lot.
> Electronic lockouts will be [considered] theft one day
among the most feverish people, they are considered a problem worth fighting, which I agree with, and I don't think it will ever be considered theft. the law just doesn't support electronic lockouts as theft, and precedent on this would be very difficult to undo without changes to laws defining what ownership actually is.
There are also long-standing legal requirements for automakers to be separate from car dealers, which also translate into making the repair/diagnostics equipment available.
yes. the same law (or, rather, the movement at the time within congress) is what standardized the OBD-II connector and mandated its inclusion in all cars from 1996(?) onwards: the idea that consumers should be able to repair their own big-ticket items should they choose to.
> Vehicle manufacturers wouldn’t add complexity to common systems if it didn’t pay off.
I know this stuff "pays off" for the manufacturers, but I really wish they'd avoid including unnecessary complexity such as those horrific touch screens, call connections, etc. That sort of thing is why I won't buy newer cars.
And yet the obvious thing is for someone to be making and selling a "can bulb" - a tiny 4 pin bulb with 12V, GND, CAN-H/L pins. And all bulbs (led or not) on a car would be that. It would turn on/off commanded by the canbus and report status info back.
Yet car manufacturers don't do this. CAN transceivers are still too expensive to build into every bulb. Instead, a single CAN transceiver and microcontroller will control a whole set of nearby bulbs (eg. brake, indicator, reversing lights). That then makes it vehicle specific, so you don't get the economies of scale of just making a single model of can-bulb which fits lots of places in many cars from many manufacturers.
> And yet the obvious thing is for someone to be making and selling a "can bulb" - a tiny 4 pin bulb with 12V, GND, CAN-H/L pins.
No, that's not obvious at all.
Separating the control board and the bulb is obvious. You wouldn't want to replace your entire control circuit every time you need to replace a bulb, would you? You don't want to have to reprogram your ECU to know which bulb serial number corresponds to your front headlight because all of your bulbs are the same.
Moreover, this is impossible because there isn't a single bulb model that goes into a car. High beams, low beams, blinkers, and interior lights are all different. They also differ from model to model depending on the requirements.
> That then makes it vehicle specific, so you don't get the economies of scale of just making a single model of can-bulb which fits lots of places in many cars from many manufacturers.
Car companies make millions or tens of millions of cars per year.
When you're making 10s of millions of something every year (or 2X that for parts that come in pairs, like headlights), you already have economies of scale.
Automotive equipment manufacturers will also share components between car companies, and further upstream you have companies that make chips for auto makers who share chips across the companies.
Automotive manufacturing is a great example of economies of scale. It's not correct to say that auto manufacturers aren't leveraging economies of scale while producing 10s of millions of common parts per year.
Plenty of vehicles only have production runs of ~10,000. At those scales, you really don't get economies of scale. In fact, there were only 25 car models that sold more than 100,000 units in 2021.
Plenty of particular brands of vehicles have smaller production runs. But "vehicle" to the manufacturer doesn't mean "brand". It means "set of pieces and parts that can be the same or nearly so across many brands". For example, a "Cadillac" to you is a different "vehicle" from a "Chevrolet"; but to GM, the vast majority of the pieces and parts and manufacturing processes are shared. So the economy of scale to GM when building "Cadillacs" is huge even if to you it looks like "Cadillac" has a small production run.
Exactly, and this is one of the reasons modules need programming, because it comes “virgin” with only a bootloader and the features are loaded according to the VIN.
I’m guessing you’ve never worked in customer support. The failure modes of mistakes would be nasty. Even smart people swap bulbs around when diagnosing faults.
Simplicity (good usability) is most always crushingly hard to achieve, doubly so for hardware.
Calling things “simple” is often a sign of shallow thinking in my experience - something a customer or manager might naively say but an engineer cannot (because they have to deal with all of the real requirements).
For example, the engineers that build cars can’t say “you simply push a button to start a car” - as an engineer the complexity behind that simple operation is very very deep.
> For the customer-replacement case, you simply tell the customer to replace just one bulb at a time
Just imagining the customer support for this is gonna give me nightmares.
“Sir, you need to make sure your vehicle’s ignition is turned to accessory mode. Then wait for the light to blink twice, that’s the vehicle’s confirmation that it correctly identified the new light. If it blinks three times, it can’t confirm the light’s location, so you should try removing it and re-inserting it. If it blinks four times, that means you didn’t replace the bulbs in the correct order so you need to initiate a manual reset procedure by going to the driver’s seat and…”
CAN frames only have space for 8 bytes of payload, unless you upgrade to CAN-FD at a significant complexity cost. For the sake of a light bulb, you could make it work by being sufficiently clever. You could even use all 8 bytes for serial number, and then use existence of the message itself to turn on the bulb. Have it turn off after 100ms of timeout.
It's really not a sustainable approach to try to address nodes on a CAN bus by serial number, though. CAN is content addressed rather than receiver addressed. Due to the way arbitration works on the bus, it's invalid for two nodes to transmit to the same CAN identifier. The arbitration mechanism breaks down and results in error frames, at which point the CAN bus is in a degraded state.
That would preclude a CAN enabled bulb from being able to send telemetry back, at least until the bulb was provisioned an identifier. That could be done by an ECU sending a frame with the bulb's serial number and assigned identifier. You still need a zero-conf discovery protocol, though, and so you're back to transmitting before provisioning. You could work around all that, but it's a lot of work.
Stepping back a bit, running a car's CAN bus over a light bulb socket is going to cause some practical reliability problems. Compared to a wire harness going into an ECU, a user serviceable bulb socket is going to be much more prone to intermittent connections from vibration, as well as oxidation and wear. Intermittent connections on CAN_H/CAN_L tend to cause a ton of frame errors, and significantly degrade the overall bus performance often to the point of system failure. When a node encounters enough error frames, it is compelled by the standard to go into a BUS-OFF state where it isolates itself from the bus. Because it's a bus and all the nodes share the same two wires, it's pretty much impossible to diagnose where an intermittent connection is without trial and error.
I appreciate the detailed insight! Great point on something subtle re individual bulbs that is non-ideal. I'm learning CAN now, mainly for use in drones. I have got 2 STM32 FDCAN periphs talking to each other; the basics seem easy, but the protocols that go on top of it seem complicated! I suppose this is due to managing a decentralized network. Ie, at first CAN seemed like to offer a bus that simplifies wiring and offers resistance to noise, but the more subtle and interesting point seems to be a common API where hardware access is handled by individual nodes, and communication is through this API layer on top of the hardware. Ie, if you control the whole network, it can seem like the first case, but the interesting things happen, eg as you describe, arise when the nodes are by different manufacturers and are swappable.
Ie, with CAN, each node only needs to do reg reads/writes/datasheet-spelunking for a narrow part; the other nodes just need to know the API that sits on top of the hardware.
CAN only really works out well in a complex system if you have full control over the addressing scheme. Addressing and prioritization are one in the same. Unintuitively, prioritization isn't about the importance of a message so much as it is about the message's urgency. A pretty common approach is to use "rate monotonic" prioritization. The basic idea is that higher rate messages have higher priority (lower address) than lower rate messages.
There's rules of thumb about never overloading a CAN bus beyond, say, 50% utilization. That's because systems with poor prioritization management tend to start falling over around there. With a well thought out scheme, it's possible to push a CAN bus fairly close to 100% utilization. I built several safety critical systems that pushed 80% utilization on average. At that level, you really need to rely on redundancy rather than simple robustness, though. A CAN bus running at 80% falls over very hard when you have a flaky physical connection somewhere.
I used to work for General Motors. Many of the early luxury cars would have 100+ wirings going into the driver's door. Early versions of what has since evolved into CAN were trying to reduce it to 5 wires.
I owned a Peugeot 306 (not a fancy car by any means) that developed a short somewhere in the driver's door complex pre-CAN wiring harness. Getting it replaced cost me around $500.
Mate have you seen old relay controled car? It has 3 times less wires and is repairable with simple tools. "Simplifying wiring can add up to a significant weight and cost reduction" it's just not there.
I work at Ford on vehicle access and security and I’m quite familiar with CAN security challenges and solutions. (Of course, I don’t speak for my employer here.)
Without speaking specifically to Ford’s plans, authenticated CAN communications are absolutely coming. I don’t see many approaches that actually encrypt the data on the bus - instead a MAC is used for each frame with a shared key on both secure ECUs, and some protections against replay attacks and such.
I wouldn’t expect all CAN data to be protected by this kind of security - it’s a pain in the butt, and expensive. Instead, certain specific sensitive information (like whether there’s a key in the ignition!) is protected as needed.
The industry is also moving toward IP-based communications for a lot of vehicle networking, which comes with many of the benefits of the modern infosec world. Automotive has a lot of unique challenges, though - like another poster mentioned, key provisioning and management is a huge pain; latency and hard timing constraints are way more important in the onboard/embedded world; many automotive ICs have limited support for e.g., asymmetric encryption, and of course there’s a lot of pain generated from the way the industry does software development generally. It’s an interesting space.
> hey will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
No they won't. One the law requires them to allow third part diagnostics tool (only for things that are about emissions!). Two, the third party tool maters are paying a good chunk of money to get documentation on how to do diagnostics.
While new car buys won't care, car makers know that nobody can afford to buy a new car except by selling their old car (normally done as a trade in), and the buyers of used cars care that the car can be fixed so if third party tools don't work the car has a lot less value.
Or just make the "smart key" controller a dumb passthrough of the key's messages and do the actual decoding and verification of the key messages in the engine ECU. I'm in fact surprised this isn't the case, but then again most "security" you see on cars is more about trying to lock out the legitimate owner from doing their own repairs or key programming as opposed to true security designed to defeat skilled attackers.
Or just have the smart key ECU and the recipient ECU use a rolling code or even a 1 time shared secret. The other ECUs can learn the rolling code in the factory, or in after-service with the left door open, right blinker on, hood open, and horn tapped 8 times, and then wait 20 minutes.
Without the key to see what the code is, no injector can spoof the frame.
With the after-market procedure making tons of noise and spectacle, and a nice long wait for the police to arrive, the thieves can't replace the key ECU.
With the system being simple, no key provisioning is needed, no non-public information, just an extra page in the manual and a software update.
> But yeah, because headlights and blinkers needllessly complicated, cough er, need data uplinks
I can see how they got there. When you're moving getting rid of miles of cables that link everything and move your car to a CAN bus instead, it makes sense to say that you don't want a central blinker-controller that runs separate wires to every blinker. Instead you just run CAN and power to each blinker and give them their own little controller. Fewer wires, less conceptual complexity, at the cost of putting a little PCB in each blinker.
But because "analog" blinkers had the accidental feature that they blink faster if one blinker is broken, you have to replicate that somehow with your new blinkers. And the easiest way to do that is to have the blinker write that to the CAN bus, since it's already right there.
How on Earth adding computer and a little PCB of demultiplexor logic instead of multivibrator-controlled relay might be considered as less of conceptual complexity?
I do even doubt in length of wires point. You need a full bus plus a thick wire from power source per every lamp instead of just a one thick wire from relay.
Simple PCBs are extremely cheap to manufacture at scale.
Copper wiring is expensive and heavy.
It’s far more efficient to have a simple PCB controlling multiple local functions (headlights, high beams, blinkers, additional sensors) and a single power/ground pair.
Automotive systems are 12V, which results in high currents. High currents require thick wires, especially in automotive environments with high under hood temperatures where you might have to de-rate wires. It absolutely makes sense to reduce high current automotive wiring.
I don't understand how a PCB+MCU can reduce the copper wiring. The bulbs will consume the same amount of power requiring the same thickness of copper wiring, no matter if it's 10 separate thin wires, one for each bulb, or just one wire, but 10 times thicker (by section area and weight/meter, not diameter).
Common power wire will still require one or two extra wires for CAN, so it would make sense only as replacement for bundles of 3 or more wires going to the same place.
you have a single bus in a ring topology instead of a star network of wires coming from a central location. much less wire and with most indicators and even some headlights being LEDs the current carrying capacity of the +12V wire can be much smaller. GND is the metal substructure and the CAN (or LIN) bus is just two small gauge wires.
much cheaper and much less wiring needed if the bulbs (or bulb holders) can receive commands themselves.
Without a board: you need a big power wire for low beams, a big power wire for high beams, a smaller power wire for turn signal. And that's all you can do.
With a board: you need a big power wire for everything. And a two tiny wires for CAN--so you're already ahead. If your beams can move, or be directed, or have LEDs that can be modulated, or have a washer, you start coming out WAY ahead.
Do any cars use higher voltage for power distribution to reduce currents and thus reduce the diameter of wire needed? I'm thinking something like having a higher voltage power distribution network that distributes power to nodes that use a DC to DC converter to provide 12 V to the lights, sensors, etc near those nodes.
24v and 36v are common in trucks and industrial vehicles respectively for exactly this reason, among others. It's really expensive to increase voltage though because all the different components' power supplies have to be designed for transients and supply voltages anywhere from 2-5x nominal in normal operation. Companies will often design up to around 200v, for example.
High power systems do exist, particularly in electric vehicles. They have different challenges to do with being incredibly dangerous to work on.
Tesla have been pushing for a standardized 48v supply system for some time for exactly the reason that 12v 15-30A requires much thicker wiring than a 48v 5A system.
Can bus is a bus. You don’t need a dedicated run of wire per device. You can have a single loop that goes around the whole car that everything is connected to. Things that are “on the way” to others are relatively “free”. Compare this to an independent point to point wire for everything that’s under control.
This is trivially observed if you take a moment to compare a modern day wiring harness to something older, while considering the functionality provided by the later.
All new cars in the EU have to have always online SOS connectivity so I don't think anyone can charge for it
" eCall is a system used in vehicles across the EU which automatically makes a free 112 emergency call if your vehicle is involved in a serious road accident. You can also activate eCall manually by pushing a button. "
"Compulsory for new car models
If you buy a new model of car, approved for manufacture after 31 March 2018, it must have the 112-based eCall system installed."
Encrypting everything on the CAN would be overkill and probably cost-prohibitive for manufacturers. Not all messages need to be encrypted -- just the ones that allow you to disable the immobilizer.
The solution is signing packets with PKI and verifying them on receipt. Nothing says you can’t flash firmware to add new packets etc but the CAN bus couldn’t be spoofed unless you had the private key.
As someone who has (successfully) implemented this at multiple manufacturers, it is absolutely not as easy as "just signing it".
First off, almost all vehicles are running CANbuses right to the edge of their available bandwidth. Making the signature data fit is a vehicle-wide refactor unless you've designed for it from the beginning.
Secondly, many automotive MCUs don't have hardware crypto support or enough spare cycles for signing/verification. You have to design for that from the beginning.
Third, key distribution is hard. There are a lot of parties outside the OEM that need to flash firmware for various reasons during production. Do you give them all private keys or do you put up a public image signing service anyone can submit binaries to?
There's lots of other issues I could go on about like what the key rollover looks like, but I hope it's clear that retrofitting cryptography onto complicated systems that weren't designed for it is anything but straightforward.
I’m sure there are a lot of complexities, I think the general shape of the solution is the same. Another poster (perhaps you?) mentioned that luxury cars do sign CAN packets.
Anyways I’m not in this industry but work on SPIFFE and see similarities- you could have a centralized CA in the car that does attestation to remote workloads.
That can be a solution, but I usually push to simply scrap CAN everywhere possible and move to IP networking as mentioned by others in a sibling thread. That requires a ground-up system redesign, but it has a lot of benefits like not requiring a bunch of automotive programmers to implement a custom crypto architecture on constrained systems in C.
With CAN, you're pretty firmly in the land of tradeoffs because the safety-critical stuff you want to auth is also hard realtime and solutions that involve expensive coprocessors like HSMs are usually off the table for a number of reasons like cost, lack of vendors supplying high-integrity solutions, inability to do board spins, etc. Adding authentication also has the nasty problem of sometimes reducing your safety because it makes the channel less noise resistant, as demonstrated by Dariz et al [1]. Navigating these sorts of tradeoffs are why some manufacturers have gone with half-measures like only authenticating a small subset of messages.
While I agree with this instinct: this sounds like a simple "just use PKI" solution but it's really not simple at all. How do the vehicles' or devices' cert keys get provisioned and protected? Are they unique per device, per vehicle, or per manufacturer? Per device or per vehicle increases manufacturing process overhead (read: price) immensely [edit: as well as overhead at service departments]. Every device that can sign messages needs access to perform private key operations, which necessarily either increases cost (eg by storing the keys in a device-local HSM or adding network-based key operations along with the corresponding one-turtle-down auth problems) or decreases security of those private keys. What happens when they inevitably get extracted and baked into spoofing tools? Can the manufacturer rotate the root keys? What happens to vehicles that are offline when that happens?
I thought it was covered in the article but all the devices on the bus would need secret keys that were unique across all devices manufactured. This isn't impossible though since we've been making unique MAC addresses on NICs for many decades, and motherboards often come these days with the actual serial number of the server flashed into the DMI information, etc. It will also take an electron microscope to read the keys out of the chips, which is not a very mobile attack to use against a parked car on the street.
First, those unique MACs and serial numbers are not currently in storage that requires an electron microsocope to read, so that's a pretty big additional cost burden. Second, assuming all devices were to be given secure key storage parts, you also have the cost burden of the pairing process during manufacturing and maintenance, as I mentioned above (not to mention the design and development of that pairing database and its failure/diag/maintenance/factory-reset modes). It's far from trivial.
If you don't provide a convenient interface to read a MAC address then you're going to need an electron microscope to pull it off a NIC chip as well. They just always provide the convenient interface to get at it.
No, you don't need an electron microscope to overcome that type of inconvenience, because those pieces of data are not sensitive and no effort has been made to ensure you can't just read them out using the pins. This is why the problem of storing private keys is so different than the problem of storing a MAC address. Or put another way: inconvenience is not security, and what we're talking about is a security problem.
I think to be feasible from a maintenance and consumer-friendliness standpoint, each vehicle should have its own local CA and have some sort of open standard for how individual devices can have certificates provisioned so that they can be installed on a car. A replacement-part-pairing function that can only be performed by having physical access to a specific secured component (e.g. not just bus access) should work without contacting the manufacturer. I'm in for this startup idea. :D
Sensors whose outputs are used to do cruise control and lane keeping assistance and so on should also be encrypted.
I don't believe anything in this space is cost-prohibitive in the long term, or even in the medium term. It's just dev cost amortization, because the chips are cheap once they tape out.
ASIL-critical inputs/outputs should not be encrypted,full end stop. Do I really trust that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road? Absolutely the hell not.
I worked in this space (auto RE, including keyless entry) for a while, and there's almost no way this would work at scale without a top-down platform redo for automakers.
> Do I really trust that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road?
Is your concern that the key management can leave a mess of key disagreement? But that's like the sensors failing altogether, and that already has to be taken into account.
So yes, I would trust "that the dinky economy-scale micro that GM would pick is always going to hold up that encryption when I'm starting to drift off road" because I have to trust that the computers will handle sensor failure correctly.
That said I'd only trust that if the crypto is sensible. Specifically authenticated encryption is essential. Key exchange, pairing -- those are important too. It needn't be complicated to set up: trust-on-first-use-after-reset (with reset being not trivial to execute) should suffice.
> [...] there's almost no way this would work at scale without a top-down platform redo for automakers.
Agreed. Careful what you wish for. All those enthusiasts out their enjoying hacking their vehicles (in the traditional meaning of the term) would not like crypto and HSMs on that bus.
It's like in the old days when internet traffic was unencrypted and so was Wifi. You could have a lot of fun just watching what's happening in your home network, and perhaps your neighbors (so I heard..legal grey area). Today? Nope. Everything is locked down. Wireshark shows you only lots of SSL. And that's not even proprietary stuff as the car crypto will be. The bad guys will obtain the keys or workarounds somehow. The good guys will be locked out.
I had a BMW with encrypted CAN or very similar to what that would be. Would refuse to use a new module unless you had the dealership key. Which my mechanic managed to get from his friend at the dealership but still...
That started with the high intensity headlights. They were such a high theft item that when they're disconnected from the battery, they go into a locked state that requires a dealership to do the unlock.
> So be careful what you scream for. We already have enough un-repairable items.
Couldn't the keys for decryption be stored in a trusted module that can only be unlocked with the presence of the actual car key? Yes, this means key cloning attacks still get you access to the CAN, but if you can clone the key you can drive away with the car anyway.
> you will ABSOLUTELY get it from the manufacturers in the name of security
Fuckin' good. Then they can give me the damn encryption key so I can diagnose it myself. I am absolutely not going to subscribe to any sort of narrative like these things are mutually exclusive. I'll keep screaming for the security and the repairability.
They will never do that in the same name of security. Their aim is appl-ification and johndeerification; it's their object but will let you think it's yours as long as it's a revenue source.
you can scream all you want, most people who buy new cars won't care and will just lease for 3-5 years no matter what the manufacturer puts behind a paid upgrade/software subscription. They never have to repair their cars, because nothing breaks for the first 5 years. The used market might care, but manufacturers don't care about the used market at all, since they get no money from it.
Here's the problem everyone needs to pay attention to: If you demand Encrypted OR Signed CAN Bus, you will ABSOLUTELY get it from the manufacturers in the name of security. They will _gladly_ lock out the CAN bus so no third party accessories or diagnostic tools can work with your car.
So be careful what you scream for. We already have enough un-repairable items.