With technology reaching every aspect of the modern world, you have probably heard of, seen, or used smart cars or autonomous vehicles. These technologically advanced vehicles promise a great deal of leisure, luxury, and benefit in every corner of life. But as these vehicles have become smart, the threat of their being attacked has also risen exponentially. Imagine your car being attacked by a 'hacker' and losing complete control of it. The impact of this type of attack is hazardous and could result in fatal scenarios.

Smart cars are the ones that provide various functionalities which need an internet connection to operate. Some of these functions also need to be connected to the vehicle's internal network, the CAN (Controller Area Network) bus, so if the CAN bus can be operated remotely, the chance of it being attacked increases.


CAN (Controller Area Network) is a simple message-based protocol that allows individual systems (i.e. small embedded systems, or electronic control units, ECUs) to connect and communicate with each other. Modern cars can contain up to 20-100 ECUs, each responsible for one or more functions, such as the DCU (Door Control Unit) or the TPMS (Tire Pressure Monitoring System).

Before the CAN protocol was introduced, vehicle wiring harnesses could run up to miles long. Maintaining them and resolving any flaw in them was a tedious process. CAN has been a standard on US cars and light trucks since 1996.


The CAN bus is a set of two electrical wires, CAN_High and CAN_Low (also known as CANH and CANL). CAN uses differential signaling, which means that when a signal comes in, it raises the voltage on one line and drops it by the same amount on the other. This makes CAN very easy to find, as it has a resting voltage of 2.5V; whenever a signal comes in, it adds 1V on one line and subtracts 1V on the other (3.5V and 1.5V).

As already discussed, ECUs need to transfer data to one another to make the required decisions. For instance, if the TPMS sensor detects an anomaly in the tires, it sends the corresponding message; the IVI (in-vehicle infotainment system) collects it and displays the warning, and a decision is taken accordingly. When a bit is transmitted on the CAN bus, the signal is simultaneously broadcast 1V higher on one line and 1V lower on the other. The sensors and ECUs have a transceiver that checks both signals; if they are not triggered properly, it discards the signal as noise.

Some ECUs can communicate with the outside world as well as the internal network; these ECUs pose the biggest threat and risk. To communicate with the internal network we need some type of interface or connection, and that is where the OBD-II connector comes into the picture.

OBD-II Connector 

Most vehicles come equipped with an OBD-II (on-board diagnostics) connector, also known as the DLC (Diagnostic Link Connector). These connectors are easily accessible; they can be found under the steering wheel or placed somewhere on the dash.

CANH and CANL are on pins 6 and 14 of the OBD-II connector, respectively. Pins 6 and 14 carry the standard high-speed CAN lines, also called 'HS-CAN'. Some vehicles also have communication set up on mid-speed (MS-CAN) and low-speed (LS-CAN) lines.


There are two types of CAN packets: standard and extended. The difference between the two lies in the amount of data they can hold.


Each CAN bus packet has four key elements.

  1. Arbitration ID
  2. IDE (Identifier Extension)
  3. DLC (Data Length Code)
  4. Data

Arbitration ID

The arbitration ID is like an identification number that identifies which device is trying to communicate. It is sent as a broadcast message, and a device can send multiple arbitration IDs as needed, for example when it has to communicate with several devices in a given timeframe. To resolve collisions, if two CAN packets are sent along the bus at the same time, the one with the lower ID is given preference.

IDE (Identifier Extension)

The value of this bit decides the type of packet being transmitted: it is always 0 for standard packets and 1 for extended packets.

DLC (Data Length Code)

This field decides the size of the data, which ranges from 0-8 bytes.


Data

This is the data itself. The maximum size it can support is 8 bytes, but it can be further increased by padding out the packet.
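The four fields above can be seen in a captured frame. The following is an added example, not part of the original article: it assumes frames in the Linux SocketCAN `struct can_frame` layout on a little-endian host, and the sample IDs and payloads are constructed.

```python
import struct
from dataclasses import dataclass

# Linux SocketCAN "struct can_frame": 32-bit can_id, 8-bit length, 3 pad bytes, 8 data bytes.
# "<" assumes a little-endian host; the kernel hands frames over in host byte order.
CAN_FRAME = struct.Struct("<IB3x8s")
CAN_EFF_FLAG = 0x80000000  # IDE: set for extended (29-bit) identifiers
CAN_ERR_FLAG = 0x20000000  # error message frame
CAN_SFF_MASK = 0x000007FF  # 11-bit standard identifier
CAN_EFF_MASK = 0x1FFFFFFF  # 29-bit extended identifier


@dataclass(frozen=True)
class Frame:
    arbitration_id: int
    extended: bool  # the IDE bit
    dlc: int
    data: bytes


def decode(raw: bytes) -> Frame:
    """Split one 16-byte SocketCAN frame into the four fields, rejecting malformed input."""
    if len(raw) != CAN_FRAME.size:
        raise ValueError(f"expected {CAN_FRAME.size} bytes, got {len(raw)}")
    can_id, dlc, payload = CAN_FRAME.unpack(raw)
    if can_id & CAN_ERR_FLAG:
        raise ValueError("error frame, not a data frame")
    if dlc > 8:
        raise ValueError(f"DLC {dlc} exceeds the 8-byte limit")
    extended = bool(can_id & CAN_EFF_FLAG)
    ident = can_id & CAN_EFF_MASK
    if not extended and ident > CAN_SFF_MASK:
        raise ValueError("standard frame with an ID wider than 11 bits")
    return Frame(ident, extended, dlc, payload[:dlc])


# Constructed sample frames (IDs and payloads are made up for illustration).
STANDARD = CAN_FRAME.pack(0x244, 5, bytes.fromhex("000000013a"))
EXTENDED = CAN_FRAME.pack(0x18DAF110 | CAN_EFF_FLAG, 3, bytes.fromhex("0201aa"))

if __name__ == "__main__":
    for raw in (STANDARD, EXTENDED):
        print(decode(raw))
```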

The key point to focus on here is that, because CAN packets are broadcast, all the controllers and devices on the same network see every packet, just like UDP or an Ethernet connection. Nothing in the traffic confirms which controller sent what; the sender could even be an attacker sitting on the network, compromising the integrity of the communication.
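Because the bus carries no sender identification, one thing a defender can monitor is how often each arbitration ID appears. The following is an added example, not part of the original article: it reads candump-style log lines and flags IDs missing from a baseline and frames that arrive much faster than expected. The log lines, IDs and expected periods are constructed for illustration.

```python
import re

# candump log format: "(timestamp) interface ID#DATA"; 3 hex digits = standard ID, 8 = extended
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#([0-9A-Fa-f]*)$")

# Constructed capture: ID 0x244 is expected every 100 ms, 0x3E9 every 200 ms.
SAMPLE_LOG = """\
(100.000000) can0 244#000000013A
(100.050000) can0 3E9#1122
(100.100000) can0 244#000000013A
(100.200000) can0 244#000000013A
(100.220000) can0 244#00000001FF
(100.250000) can0 5A1#01
(100.300000) can0 244#000000013A
""".splitlines()
BASELINE = {0x244: 0.100, 0x3E9: 0.200}  # assumed to be learned from known-good traffic


def parse(line):
    """Return (timestamp, arbitration_id, data) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, _iface, ident, data = m.groups()
    if len(data) % 2 or len(data) > 16:  # classic CAN carries at most 8 data bytes
        return None
    return float(ts), int(ident, 16), bytes.fromhex(data)


def find_anomalies(lines, baseline, tolerance=0.5):
    """Flag IDs absent from the baseline and frames arriving much faster than expected."""
    last_seen, alerts = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ident, _data = rec
        if ident not in baseline:
            alerts.append((ts, ident, "unknown id"))
            continue
        prev = last_seen.get(ident)
        last_seen[ident] = ts
        if prev is not None and ts - prev < baseline[ident] * tolerance:
            alerts.append((ts, ident, "interval too short"))
    return alerts


if __name__ == "__main__":
    for ts, ident, reason in find_anomalies(SAMPLE_LOG, BASELINE):
        print(f"{ts:.6f} id=0x{ident:03X} {reason}")
```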


Extended packets are similar to standard packets; they are chained together to create longer IDs. These packets are designed to provide backward compatibility, meaning that they fit inside standard CAN formatting, so a sensor that does not support extended packets can still run without breaking.


CAN is packed with multiple features that give it an edge over other protocols.

  1. Flexibility – CAN has a two-wire, paired, single structure, which eases installation and maintenance. This connected design requires fewer wires for connectivity, which reduces the complications of modifying and diagnosing the signal.
  2. Cost – The lower hardware cost and signaling process reduce the overall cost.
  3. Speed – CAN has far superior speed compared with traditional analog wires.
