Automated Cross-Platform Reverse Engineering of CAN Bus Commands From Mobile Apps

Abstract

In modern automobiles, CAN bus commands are necessary for a wide range of applications such as diagnosis, security monitoring, and recently autonomous driving. However, only a small portion of CAN bus commands is standardized, and a vast majority of them is developed privately by car manufacturers. Today, the most effective way of revealing the proprietary CAN bus commands is to reverse engineer with real cars, which unfortunately is time-consuming and costly. In this paper, we propose a cost-effective (no real car needed) and automatic (no human intervention required) system, CANHUNTER, for reverse engineering of CAN bus commands using just car companion mobile apps. To achieve high effectiveness, we design an efficient technique to uncover the syntactics of CAN bus commands with backward slicing and dynamic forced execution, and a novel algorithm to uncover the semantics of CAN bus commands by leveraging code-level semantic clues. We have implemented a prototype of CANHUNTER for both Android and iOS platforms, and tested it with all free car companion apps (236 in total) from both Google Play and Apple App Store. Among these apps, CANHUNTER discovered 182, 619 unique CAN bus commands with 86.1% of them revealed with semantics, covering 360 car models from 21 car manufactures. We have also evaluated their correctness (both syntactics and semantics) using public resources, cross-platform and cross-app validation, and also real-car testing, with which over 70% of all the uncovered commands are validated. We observe no inconsistency in cross-platform and cross-app validation. While there are 3 semantic inconsistency among 241 manually validated CAN bus commands from public resources and real-car testing, we find that these three cases are actually caused by mistakes from app developers.