ICSim Use

  • Author: Dr. Jim Marquardson (jimarqua@nmu.edu)
  • Updated 2024-06-11

This exercise uses the Instrument Cluster Simulator (ICSim) and can-utils to explore CANBUS networks.

Learning Objectives

In this exercise, you will learn to:

  • start ICSim and the controller,
  • use cansniffer to monitor network traffic, and
  • manipulate traffic using cansend.

Prerequisites

This exercise assumes that the following are available:

  • Kali Linux VM with a graphical user interface,
  • can-utils has been installed,
  • ICSim has been installed to ~/ICSim.

Set Up a CAN Network

  • Open a terminal.
  • Navigate to the ~/ICSim directory.
cd ~/ICSim
  • Create the vcan0 network. This vcan0 network essentially simulates a physical wire to sensors in a bus topology.
sudo sh setup_vcan.sh

Enter the password (kali) if prompted.

  • You may not see any output. The command likely worked. Check for the vcan0 network using ifconfig.
ifconfig

You should see vcan0 in the list of network adapters.

vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • If you run sudo sh setup_vcan.sh and see a message like, "RTNETLINK answers: File exists," this means that the vcan0 network has already been set up. You can ignore this message and continue.

Essentially, you have just created the network topology shown below. The vcan0 network uses a bus topology, but no devices are connected to this network.

vcan0 network

Launch the Simulator

  • Run the following command to launch the vehicle simulator. (Note that this must be run when your working directory is ~/ICSim).
./icsim vcan0 &
  • A window will pop up with the interface. The interface shows a minimal car dashboard and a car icon that shows the door lock status.

ICSim Interface

Not much is happening right now because nobody is "driving" the car, so it is just waiting for input.

  • Return to the terminal. You may see the following message and it looks like the program is still running. Just press the enter key to get back to the terminal prompt so that you can enter new commands.
(kali@kali)-[~/ICSim]
$ MESA: error: ZINK: failed to choose pdev
glx: failed to create drisw screen

By attaching ICSim to the vcan0 network, the network topology has been modified. The vcan0 network currently looks like the following diagram.

vcan0 network

Use the Controller

  • Your terminal's working directory should still be ~/ICSim.
  • Launch the controller.
./controls vcan0 &
  • A window with a game controller will pop up.

Controller

Again, the network topology has been modified. Now, ICSim and the controller are part of the vcan0 network. This means that they can communicate on the bus network.

vcan0 network

  • At this point, it's probably necessary to resize your Kali window (if you haven't already). You can maximize the Kali window, or drag the lower-right corner to make it a specific size. Arrange the windows so that you can see the simulator, the controller, and the terminal.
  • The game controller controls the car.
  • Click on the controller window.
  • Press and hold down the up arrow on your keyboard. The speedometer will go up. As soon as you let go, the speedometer will start to fall.
  • Click on the speedometer in the simulator. Hold the up arrow key. Nothing happens. The game controller only controls the simulated car when it has focus. So if you want to use the controls on the controller, you must click on the game controller so that the game controller application is active.
  • Click on the controller.
  • Hold the right shift key and press a. The left front door will unlock.
  • Hold the right shift key and press b. The right front door will unlock.
  • Hold the right shift key and press x to unlock the left rear door.
  • Hold the right shift key and press y to unlock the right rear door.
  • To lock the doors, hold the left shift key and press a, b, x, or y depending on which door you want to lock.
  • Hold the left arrow down to turn on the left blinker. The blinker will stop once you stop holding the key down.
  • Hold the right arrow down to turn on the right blinker.

Investigate CAN Codes

  • With the simulator and controller running, go to the terminal.
  • If needed, press enter to get back to the prompt.
  • Use cansniffer to snoop on the traffic being sent between the controller and the simulator. At this point, the terminal, the controller, and the simulator will act like 3 separate devices connected with a single, shared network cable.
cansniffer -c vcan0

Cansniffer acts like a third device on the vcan0 network. It's as if you've attached a computer that monitors all network traffic. Cansniffer reads the network traffic, but does not modify the network traffic.

vcan0 network

  • Resize the terminal so that there are a few empty lines.
  • Your windows should be arranged similarly to the following.

Window Arrangement

  • Cansniffer shows the data being sent on the CAN network. Values highlighted in red (using the -c option) recently changed.
  • The second column is one of the most important--it shows the 3-character arbitration ID. Each element in the car (blinker, door, accelerator, etc.) has a different arbitration ID.
  • The third column contains the data sent from or to a device. For example, the blinker might report when it is blinking, or the speedometer might report its current speed.
  • Watch the cansniffer output carefully.
  • Click on the controller.
  • Unlock the left front door (right shift + a). A new code will appear in the list for a few seconds, then disappear.
  • Lock the left front door (left shift + a). A new code will appear in the list for a few seconds, then disappear.
  • Unlock and lock the left front door several times until you determine the arbitration ID of the door lock signal.
  • Once you have determined the arbitration ID of the door lock signal, investigate the data associated with it.
  • Make a list of the arbitration IDs and data for the following:
    • Left front door unlock
    • Left front door lock
    • Right front door unlock
    • Right front door lock
    • Left rear door unlock
    • Left rear door lock
    • Right rear door unlock
    • Right rear door lock
    • Left blinker
    • Right blinker
    • Accelerometer (the data is tricky)
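
What cansniffer -c shows visually can also be done offline on two saved captures. The following Python sketch is an added example, not part of the original exercise or of can-utils: it compares a capture taken while idle with one taken during an action and reports, per arbitration ID, the byte offsets holding values never seen at idle. It assumes the candump -L log format; the IDs 111 and 222 and all payloads are constructed sample data, not ICSim's real codes.

```python
from collections import defaultdict

def frames(log):
    """Yield (arbitration_id, payload_bytes) from candump -L style lines."""
    for line in log.strip().splitlines():
        can_id, _, data = line.split()[2].partition("#")
        yield can_id.upper(), bytes.fromhex(data)

def byte_profile(log):
    """Map ID -> byte offset -> set of values observed at that offset."""
    seen = defaultdict(lambda: defaultdict(set))
    for can_id, payload in frames(log):
        for offset, value in enumerate(payload):
            seen[can_id][offset].add(value)
    return seen

def novel_bytes(idle_log, action_log):
    """Return {ID: {offset: values}} for values that never appeared at idle."""
    idle = byte_profile(idle_log)
    report = {}
    for can_id, payload in frames(action_log):
        for offset, value in enumerate(payload):
            # Offsets that already vary at idle (counters, noise) stay quiet
            # as long as the idle capture covered the value.
            if value not in idle[can_id][offset]:
                report.setdefault(can_id, {}).setdefault(offset, set()).add(value)
    return report

# Constructed idle capture: 111 carries a rolling last byte, 222 is constant.
IDLE = """
(1000.000000) vcan0 111#00000A00
(1000.005000) vcan0 222#0F
(1000.010000) vcan0 111#00000A01
(1000.015000) vcan0 222#0F
(1000.020000) vcan0 111#00000A02
"""
# Constructed capture taken while one control was operated.
ACTION = """
(1060.000000) vcan0 111#00000A01
(1060.005000) vcan0 222#0E
(1060.010000) vcan0 111#00000A02
(1060.015000) vcan0 222#0F
"""

if __name__ == "__main__":
    for can_id, offsets in novel_bytes(IDLE, ACTION).items():
        for offset, values in sorted(offsets.items()):
            print(can_id, "byte", offset, sorted(f"{v:02X}" for v in values))
```

An arbitration ID that is absent from the idle capture is reported with every byte of its payload, which matches the "new code appears in the list" behaviour described above.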

Send Codes

  • Keep cansniffer, the simulator, and the controller running.
  • Open a new terminal window. You can right-click on the terminal icon and choose Launch New Instance.
  • Run the following command.
cansend vcan0 188#01

Essentially, the new terminal window became a 4th device on the CAN network. This 4th device can pretend to be the controller and it can manipulate the simulated vehicle directly. If an attacker connected to a car's network, they could manipulate the network traffic using the same method.

vcan0 network

  • Based on your previous investigation, see what other codes you can send to manipulate the car.
    • Lock and unlock the doors.
    • Turn on each blinker individually.
    • Turn on both blinkers at the same time.
    • Manipulate the speedometer (though this is somewhat trickier). The simulated engine might be sending data to the simulated speedometer constantly. If you wanted to spoof the car's current speed, you would be competing with the engine. A quick and dirty way of overcoming this competition is to send data faster. If you figure out the right code to send, you can run the command, press the up arrow in the terminal to recall your previous command, and press enter. Repeating up, enter quickly bombards the simulator with the message you want. If you're faster, in this case, you win.
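
Sending faster than the genuine sender changes how often an arbitration ID appears on the bus, which is something a monitoring node can check. The following Python sketch is an added example, not part of the original exercise or of ICSim or can-utils: it learns each ID's normal period from a trusted capture in candump -L log format and flags frames that arrive early or carry an ID missing from the baseline. The ID 123, its payloads and all timestamps are constructed sample data; 188#01 is the frame from the cansend step above.

```python
import statistics
from collections import defaultdict

def parse(log):
    """Yield (timestamp, arbitration_id, data_hex) from candump -L style lines."""
    for line in log.strip().splitlines():
        stamp, _iface, frame = line.split()
        can_id, _, data = frame.partition("#")
        yield float(stamp.strip("()")), can_id.upper(), data.upper()

def learn_periods(clean_log):
    """Median gap between consecutive frames of each ID in a trusted capture."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _ in parse(clean_log):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {can_id: statistics.median(g) for can_id, g in gaps.items()}

def flag_anomalies(log, periods, ratio=0.5):
    """Flag unknown IDs and frames arriving sooner than ratio * learned period."""
    last, alerts = {}, []
    for ts, can_id, data in parse(log):
        if can_id not in periods:
            alerts.append((can_id, data, "unknown ID"))
        elif can_id in last and ts - last[can_id] < ratio * periods[can_id]:
            alerts.append((can_id, data, "arrived early"))
        last[can_id] = ts
    return alerts

def make_log(frames):
    """Render (time, id, data) tuples as candump -L lines, in time order."""
    return "\n".join(f"({t:.6f}) vcan0 {i}#{d}" for t, i, d in sorted(frames))

# Constructed sample data: ID 123 is sent every 10 ms by its normal sender.
NORMAL = [(1000 + k * 0.010, "123", "0000000A00") for k in range(8)]
# Constructed injection: extra 123 frames 3 ms after genuine ones, plus 188#01.
INJECTED = [(1000.033, "123", "000000FF00"), (1000.043, "123", "000000FF00"),
            (1000.053, "123", "000000FF00"), (1000.021, "188", "01")]

if __name__ == "__main__":
    periods = learn_periods(make_log(NORMAL))
    for alert in flag_anomalies(make_log(NORMAL + INJECTED), periods):
        print(alert)
```

The check flags whichever frame arrives too soon after the previous one with the same ID, so it indicates that a second sender is present rather than proving which frame is the forged one.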

Challenge

By default, ICSim and the controller will use the same codes every time you run them. To give yourself a challenge, you can change the codes.

  • Close ICSim and the game controller.
  • Launch ICSim using different codes. This can help you practice looking for changes. The commands below provide a "seed" value that will randomize the codes.
./icsim -s 42 vcan0 &     # Starts ICSim using the seed number 42 (the number can be any number)
./controls -s 42 vcan0 &  # Starts the controls using the same seed

Shutting Down

  • Close the ICSim window. You may have to click Yes to confirm closing it.
  • Close the controller window.
  • If cansniffer is running, press control+c to stop it.

Reflection

  • How would you access the network in your car to pretend to be a blinker or brake sensor?
  • How could a car verify that the message it received came from the controller, or from the terminal using cansend?