-
Notifications
You must be signed in to change notification settings - Fork 4
CANalyse Introduction
Welcome to the CANalyse 2.0 Wiki!
CANalyse is a software tool built to analyse the log files in a creative powerful way to find out unique data sets automatically and inject the refined payload back into the vehicle network. It can also connect to simple interfaces such as Telegram for remote control. Basically, while using this tool you can provide your bot ID and be able to use the tool's inbuilt IDE over the internet through telegram.
CANalyse uses the python-can library to sniff vehicle network packets and analyse the gathered information and uses the analysed information to command & control certain functions of the vehicle. CANalyse can be installed inside a raspberry-PI, to exploit the vehicle through a telegram bot by recording and analysing the vehicle network.
At any given point in time, there are thousands of data packets going on in a CAN Bus network. CANalyse will capture the traffic and extract the unique actions and corresponding data sets. Now, this data set can be used to control a vehicle even through a telegram bot. In vehicles, communication happens on protocols like the CAN bus and its variants. the physical activities such as applying brakes, signals, steering, etc are being handled by the Electronic Control Units (ECUs) which take actions, according to CAN Bus packets they receive.
Each data packet contains an ID and Data field. ECUs are pre-programmed to take action according to the data it receives. It resolves too if we have the correct ID and correct data to impose a specific physical activity, we will be able to gain control of that particular function. The purpose of CANalyse is to identify those specific data packets (ID & Data) through manual and automated ways.
- Smart Scan: automatic data filtration.
- CANalyse IDE: powerful integrated development environment (IDE) using pandasql.
- Telegram: it uses the IDE on a base level and receives commands through a telegram bot.
While the attacker is using CANalyse 2.0 he/she needs to:
- record a source log file that contains data other than the intended action (for example brakes are not applied)
- record an attack log file (in which the brakes are applied).
- Analyse the logs to form a payload file.
- inject the payload file.
CANalyse also helps in pen-testing projects, as it possesses the capability of storing particular tables, and logs and also one can save the entire workflow as a session/project. these sessions and the data included in them can be used in any other sessions in an extremely flexible manner.
I have used the python-can library in this tool at the base and developed functions, since it supports various communication interfaces and makes the tool flexible to be used with different hardware. for filtering and analyzing I have used the pandasql library, which is used to convert the data to data frames and analyse them in a faster way through SQL commands. The python-telegram-bot library is used to access and communicate with the telegram bot.
The smart scan functionality in the tool can identify the data packets which are unique in the intended period by comparing them with the background/source, this can also be done in multiple iterations to improve the quality of the payload file. This means it can narrow down the specific packets of intended action automatically.
The IDE is more of a hands-on approach to the same, sometimes we may want to analyse the recorded logs deeply by comparing them with different logs. IDE makes this very easy by using python-can & pandasql libraries. Also, the user can rapidly create & store multiple payload files in any particular session. the telegram option adds the remote-control ability to the IDE.
In short, using CANalyse an attacker can sniff the CAN network (all python-can supported protocols), analyse (both in automatic and manual methods) rapidly, and inject the payload back into the vehicle network. All this can also be done by using a telegram bot too.
This is an improved version of CANalyse (1.0) [https://github.com/KartheekLade/CANalyse], A prerequisite to using the telegram option of this tool is that the hardware (raspberry-pi) implant is already installed in the car and capable of communicating with the network inside the vehicle. Also, the library requirements are satisfied.