ICSim Use
- Author: Dr. Jim Marquardson (jimarqua@nmu.edu)
- Updated 2024-06-11
This exercise uses the Instrument Cluster Simulator (ICSim) and can-utils to explore CANBUS networks.
Learning Objectives
In this exercise, you will learn to:
- start ICSim and the controller,
- use `cansniffer` to monitor network traffic, and
- manipulate traffic using `cansend`.
Prerequisites
This exercise assumes that the following are available:
- Kali Linux VM with a graphical user interface,
- can-utils has been installed,
- ICSim has been installed to `~/ICSim`.
Set Up a CAN Network
- Open a terminal.
- Navigate to the `~/ICSim` directory.

```sh
cd ~/ICSim
```

- Create the `vcan0` network. This `vcan0` network essentially simulates a physical wire to sensors in a bus topology.

```sh
sudo sh setup_vcan.sh
```

Enter the password (`kali`) if prompted.

- You may not see any output. The command likely worked. Check for the `vcan0` network using `ifconfig`.

```sh
ifconfig
```

You should see `vcan0` in the list of network adapters.

```
vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

- If you run `sudo sh setup_vcan.sh` and see a message like "RTNETLINK answers: File exists," this means that the `vcan0` network has already been set up. You can ignore this message and continue.

Essentially, you have just created the network topology shown below. The `vcan0` network uses a bus topology, but no devices are connected to this network.
Launch the Simulator
- Run the following command to launch the vehicle simulator. (Note that this must be run when your working directory is `~/ICSim`.)

```sh
./icsim vcan0 &
```

- A window will pop up with the interface. The interface shows a minimal car dashboard and a car icon that shows the door lock status.

Not much is happening right now because nobody is "driving" the car, so it is just waiting for input.

- Return to the terminal. You may see the following message, and it looks like the program is still running. Just press the enter key to get back to the terminal prompt so that you can enter new commands.

```
(kali@kali)-[~/ICSim]
$ MESA: error: ZINK: failed to choose pdev
glx: failed to create drisw screen
```

By attaching ICSim to the `vcan0` network, the network topology has been modified. The `vcan0` network currently looks like the following diagram.
Use the Controller
- Your terminal's working directory should still be `~/ICSim`.
- Launch the controller.

```sh
./controls vcan0 &
```

- A window with a game controller will pop up.

Again, the network topology has been modified. Now, ICSim and the controller are part of the `vcan0` network. This means that they can communicate on the bus network.

- At this point, it's probably necessary to resize your Kali window (if you haven't already). You can maximize the Kali window, or drag the lower-right corner to make it a specific size. Arrange the windows so that you can see the simulator, the controller, and the terminal.
- The game controller controls the car.
- Click on the controller window.
- Press and hold down the up arrow on your keyboard. The speedometer will go up. As soon as you let go, the speedometer will start to fall.
- Click on the speedometer in the simulator. Hold the up arrow key. Nothing happens. The game controller only controls the simulated car when it has focus. So if you want to use the controls on the controller, you must click on the game controller so that the game controller application is active.
- Click on the controller.
- Hold the `right shift key` and press `a`. The left front door will unlock.
- Hold the `right shift key` and press `b`. The right front door will unlock.
- Hold the `right shift key` and press `x` to unlock the left rear door.
- Hold the `right shift key` and press `y` to unlock the right rear door.
- To lock the doors, hold the `left shift key` and press `a`, `b`, `x`, or `y` depending on which door you want to lock.
- Hold the `left arrow` down to turn on the left blinker. The blinker will stop once you stop holding the key down.
- Hold the `right arrow` down to turn on the right blinker.
Investigate CAN Codes
- With the simulator and controller running, go to the terminal.
- If needed, press `enter` to get back to the prompt.
- Use `cansniffer` to snoop on the traffic being sent between the controller and the simulator. At this point, the terminal, the controller, and the simulator will act like 3 separate devices connected with a single, shared network cable.

```sh
cansniffer -c vcan0
```

Cansniffer acts like a third device on the `vcan0` network. It's as if you've attached a computer that monitors all network traffic. Cansniffer reads the network traffic, but does not modify the network traffic.

- Resize the terminal so that there are a few empty lines.
- Your windows should be arranged similarly to the following.

`Cansniffer` shows the data being sent on the CAN network. Values highlighted in red (using the `-c` option) recently changed.
- The second column is one of the most important: it shows the 3-character arbitration ID. Each element in the car (blinker, door, accelerator, etc.) has a different arbitration ID.
- The third column contains the data sent from or to a device. For example, the blinker might report when it is blinking, or the speedometer might report its current speed.
- Watch the `cansniffer` output carefully.
- Click on the controller.
- Unlock the left front door (`right shift + a`). A new code will appear in the list for a few seconds, then disappear.
- Lock the left front door (`left shift + a`). A new code will appear in the list for a few seconds, then disappear.
- Unlock and lock the left front door several times until you determine the arbitration ID of the door lock signal.
- Once you have determined the arbitration ID of the door lock signal, investigate the data associated with it.
- Make a list of the arbitration IDs and data for the following:
  - Left front door unlock
  - Left front door lock
  - Right front door unlock
  - Right front door lock
  - Left rear door unlock
  - Left rear door lock
  - Right rear door unlock
  - Right rear door lock
  - Left blinker
  - Right blinker
  - Accelerometer (the data is tricky)
Send Codes
- Keep `cansniffer`, the simulator, and the controller running.
- Open a new terminal window. You can right-click on the terminal icon and choose `Launch New Instance`.
- Run the following command.

```sh
cansend vcan0 188#01
```

Essentially, the new terminal window became a 4th device on the CAN network. This 4th device can pretend to be the controller, and it can manipulate the simulated vehicle directly. If an attacker connected to a car's network, they could manipulate the network traffic using the same method.

- Based on your previous investigation, see what other codes you can send to manipulate the car.
  - Lock and unlock the doors.
  - Turn on each blinker individually.
  - Turn on both blinkers at the same time.
  - Manipulate the speedometer (though this is somewhat trickier). The simulated engine might be sending data to the simulated speedometer constantly. If you wanted to spoof the car's current speed, you would be competing with the engine. A quick and dirty way of overcoming this competition is to send data faster. If you figure out the right code to send, you can run the command, hit the up arrow in the terminal to access your previous command, and hit enter. So you can just hit `up, enter` quickly to bombard the simulator with the message you want. If you're faster, in this case, you win.
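The "send it faster" trick above also leaves a signature a defender can look for: the spoofed arbitration ID suddenly appears far more often than it did when only the legitimate sender was on the bus. The following Python script is an added example (not part of ICSim or can-utils) that parses candump-style `(timestamp) iface ID#DATA` lines (an assumed log format) and flags any arbitration ID whose per-second frame count jumps well above its baseline. The traffic and the ID `1A0` are constructed; `188` is used only because it appears in the `cansend` command above.

```python
"""Flood detection over a CAN log (added example; not part of ICSim or can-utils).

Input lines follow the candump -L style '(timestamp) iface ID#DATA'; that format
and the sample traffic below are assumptions, constructed for this example."""
from collections import defaultdict


def parse_frame(line):
    """Split one log line into (timestamp, interface, arbitration ID, data bytes)."""
    ts, iface, frame = line.split()
    arb_id, data = frame.split("#", 1)
    return float(ts.strip("()")), iface, arb_id.upper(), bytes.fromhex(data)


def load_frames(lines):
    """Parse and time-order a whole log."""
    return sorted(parse_frame(line) for line in lines)


def flood_alerts(frames, baseline_seconds, factor=3.0):
    """Return (arb_id, second, count, baseline_peak) tuples where an ID's per-second
    frame count exceeds factor x its peak rate during the first baseline_seconds.
    The baseline window is assumed to hold only legitimate controller traffic."""
    per_second = defaultdict(int)
    for ts, _iface, arb_id, _data in frames:
        per_second[(arb_id, int(ts))] += 1
    start = int(frames[0][0])
    peak = defaultdict(int)  # highest per-second count per ID inside the baseline
    for (arb_id, sec), count in per_second.items():
        if sec < start + baseline_seconds:
            peak[arb_id] = max(peak[arb_id], count)
    alerts = []
    for (arb_id, sec), count in sorted(per_second.items()):
        # an ID never seen in the baseline is treated as peak 1, so a new chatty node is flagged too
        if sec >= start + baseline_seconds and count > factor * max(peak[arb_id], 1):
            alerts.append((arb_id, sec, count, peak[arb_id]))
    return alerts


# Constructed log: 1A0 is a periodic 10 Hz frame, 188 is an occasional event frame.
# From second 102 a second sender repeats 188#01 every 20 ms to outpace the real one.
SAMPLE_LOG = (
    [f"({100 + i / 10:.6f}) vcan0 1A0#{i % 256:02X}00" for i in range(20)]
    + ["(100.500000) vcan0 188#01", "(101.500000) vcan0 188#00"]
    + [f"({102 + i / 10:.6f}) vcan0 1A0#{i % 256:02X}00" for i in range(10)]
    + [f"({102 + i / 50:.6f}) vcan0 188#01" for i in range(50)]
)

if __name__ == "__main__":
    for arb_id, sec, count, base in flood_alerts(load_frames(SAMPLE_LOG), baseline_seconds=2):
        print(f"ID {arb_id}: {count} frames in second {sec} (baseline peak {base}/s)")
```

On a live bus the same functions can be fed `candump -L vcan0` output line by line; the baseline must be captured while only the trusted controller is sending.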
Challenge
By default, ICSim and the controller will use the same codes every time you run them. To give yourself a challenge, you can change the codes.
- Close ICSim and the game controller.
- Launch ICSim using different codes. This can help you practice looking for changes. The commands below provide a "seed" value that will randomize the codes.
```sh
./icsim -s 42 vcan0 &     # Starts ICSim using the seed number 42 (the number can be any number)
./controls -s 42 vcan0 &  # Starts the controls using the same seed
```
Shutting Down
- Close the ICSim window. You may have to click `Yes` to confirm closing it.
- Close the controller window.
- If `cansniffer` is running, press `control+c` to stop it.
Reflection
- How would you access the network in your car to pretend to be a blinker or brake sensor?
- How could a car verify that the message it received came from the controller, or from the terminal using `cansend`?