Emile Nijssen's Open Source CAN Bridge Makes Automotive Man-in-the-Middle a Cinch

A compact ATmega-powered design, the CAN Bridge allows for MITM message modification on up to three CAN buses.

Gareth Halfacree
4 years ago • Automotive

Emile Nijssen has released a tool that could be of use to anyone investigating automotive systems: a man-in-the-middle bridge for the Controller Area Network (CAN) bus.

"[It's] a little board that transparently relays CAN messages from one bus to the other. A wire, so to speak. That seems useless. But wait, there's more: You can modify the CAN messages in-flight. This is effectively a man-in-the-middle attack on CAN bus," explains Nijssen of the board's operation. "The board has three CAN buses, so if you want, you can actually do two CAN bus MITM attacks at once, or use the third CAN bus as a private bus for debugging, filtering, etc.

"The board natively supports logging CAN messages over its USB port using LUFA's USB-CDC implementation (you might need drivers on some OSes). The hardware is open source, available as TinyCAD schematic and FreePCB layout. There are some additional features in hardware that you may want to use, like an expansion header with analogue/digital I/O."

The board comes complete with source code, but there's no application programming interface or front-end: Any modifications to the board's behavior need to be done by loading the project into Atmel Studio 7 and flashing the resulting firmware using an in-system programmer.

"The sample project already implements everything you need to get started," Nijssen claims, "and has some example lines showing how to modify CAN messages and receive commands and/or send debugging information over USB."

The source code can be found on Bitbucket, while assembled boards are available on Tindie priced at $99 each.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.