Automotive CAN penetration testing

Lindwurm is an open source, cross-platform tool written in C++ on the Qt framework. It is a CAN bus tracing and fuzzing tool aimed specifically at penetration testing.

Alpha preview available soon

About

When it comes to automotive development there is a multitude of professional-grade CAN development tools, such as the quasi-industry-standard Vector CANoe. These tools suit a developer working from a given specification well. Their workflow, however, is anything but ideal for penetration testers, who start without a specification and need to capture, filter, modify and replay traffic quickly.

Working as a penetration tester I have quite a lot of experience using Burp Suite for web application tests. In the process I've come to appreciate the individual tools of Burp Suite and their workflow. In preparation for a penetration test of an ECU I was conducting, I started hacking a small CAN tracing and sending application. Over time, I considered implementing some of its features with a workflow similar to Burp and also adopting a frame filtering feature like Wireshark's.

Based on this prototype I started Lindwurm as an attempt to build a fully functional and operable tool for automotive CAN penetration tests.

Key Features

  • CAN frame tracing: Freely toggle between chronological and fixed display mode
  • CAN frame display filters similar to Wireshark: Easily copy and paste filters; manage filter history and favourites
  • CAN interface manager: Manage and connect to several CAN interfaces simultaneously
  • CAN bus bridging: Bridge multiple CAN interfaces and record which bus each frame was received from
  • Compose and send arbitrary CAN frames in a plain text editor: easy fuzzing by defining ranges for the ID or for data bytes (e.g. 123-124 01 00-FF 33 sends every ID from 123 to 124 combined with every value from 00 to FF in the second data byte)

Easy sending and fuzzing

CAN frames to be sent are defined in a plain text editor, which makes for fast testing and easy copy and paste. Defining ranges for IDs or data bytes makes fuzzing straightforward.
Create multiple sending tabs to manage different test scenarios and attack vectors.

Smooth workflow

Create display filters by selecting the relevant frames in the Tracer and setting them as a filter from the context menu. In the same way, selected frames can be sent to the frame composer and replayed on the bus.
To work with the frame data in other tools, frames can also be copied to the clipboard as plain text.

Easily manage different display filters

Just copy and paste frame IDs as a display filter. A history of previously used filters is kept so that you can switch between them easily.
More complex filter features (inspired by Wireshark's powerful display filters) are planned.
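As an added example (this is not Lindwurm's own code, which is C++/Qt and not yet published), the Python script below implements the plain-text workflow described in the sending, replay and filter sections: it expands a spec such as "123-124 01 00-FF 33" into concrete frames, counts how many frames a spec produces before anything is sent, turns a captured frame back into that syntax so it can be pasted into the composer and replayed, and parses a pasted list of IDs as a display filter. The exact token grammar (hex values, inclusive lo-hi ranges, commas tolerated in filters) and the cansend output format are assumptions of this example; Lindwurm's real syntax may differ.

```python
"""Added example, not Lindwurm code: expand a plain-text frame spec with
ID/byte ranges into CAN frames, and the inverse for replay and filtering.
Only the Python standard library is used."""
import itertools
import math
import re

# A token is a hex value or an inclusive hex range, e.g. "01" or "00-FF" (assumed grammar).
_TOKEN = re.compile(r"^([0-9A-Fa-f]{1,8})(?:-([0-9A-Fa-f]{1,8}))?$")


def _expand(token, bits):
    """Return the inclusive integer range a token denotes, bounded to `bits` bits."""
    m = _TOKEN.match(token)
    if not m:
        raise ValueError(f"bad token {token!r}")
    lo = int(m.group(1), 16)
    hi = int(m.group(2), 16) if m.group(2) else lo
    if lo > hi or hi >= (1 << bits):
        raise ValueError(f"range {token!r} is out of order or exceeds {bits} bits")
    return range(lo, hi + 1)


def parse_spec(spec):
    """Split 'ID B0 B1 ...' into (id_range, [byte_range, ...])."""
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty frame spec")
    if len(tokens) > 9:
        raise ValueError("classic CAN carries at most 8 data bytes")
    # 29 bits covers both 11-bit standard and 29-bit extended identifiers.
    return _expand(tokens[0], 29), [_expand(t, 8) for t in tokens[1:]]


def count_frames(spec):
    """Number of frames a spec expands to; check this before fuzzing blindly,
    since every open byte multiplies the count by 256."""
    id_range, byte_ranges = parse_spec(spec)
    return len(id_range) * math.prod(len(r) for r in byte_ranges)


def expand_frames(spec):
    """Yield (can_id, data) for every combination of ID and byte values,
    the last byte range varying fastest."""
    id_range, byte_ranges = parse_spec(spec)
    for can_id, *data in itertools.product(id_range, *byte_ranges):
        yield can_id, bytes(data)


def cansend_format(can_id, data):
    """Format a frame as can-utils' cansend expects: 3 hex digits for an
    11-bit ID, 8 for a 29-bit extended ID, then '#' and the hex payload."""
    width = 3 if can_id < 0x800 else 8
    return f"{can_id:0{width}X}#{data.hex().upper()}"


def frame_to_spec(can_id, data):
    """Inverse of expand_frames for a single captured frame: back to the
    plain-text syntax, so it can be pasted into the composer and replayed."""
    width = 3 if can_id < 0x800 else 8
    return " ".join([f"{can_id:0{width}X}"] + [f"{b:02X}" for b in data])


def parse_id_filter(text):
    """Pasted IDs such as '7E0, 7E8 123-125' become the set of matching IDs."""
    ids = set()
    for token in text.replace(",", " ").split():
        ids.update(_expand(token, 29))
    return ids


def apply_filter(frames, id_filter):
    """Keep only (can_id, data) frames whose ID is in the filter set."""
    return [f for f in frames if f[0] in id_filter]


if __name__ == "__main__":
    spec = "123-124 01 00-FF 33"          # the example from the feature list
    print(count_frames(spec), "frames")    # 2 IDs x 256 byte values = 512
    for can_id, data in itertools.islice(expand_frames(spec), 3):
        print(cansend_format(can_id, data))
    # Four open bytes are already 4 billion frames; the count is the sanity check.
    print(count_frames("7DF 00-FF 00-FF 00-FF 00-FF"), "frames: too many to send blindly")
```

Run stand-alone it prints the frame count and the first frames in cansend syntax, so the output can be piped to cansend on a SocketCAN interface. The round trip frame_to_spec followed by expand_frames reproduces the captured frame exactly, which is what makes "select in the tracer, paste into the composer, replay" a safe operation.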

Bridge interfaces to get into a man-in-the-middle position

With two CAN interface devices a complex CAN bus can be split into segments (or a single ECU can be separated from the rest of the bus). Lindwurm bridges the interfaces in software so the segments keep communicating with each other, while every frame passes through the tool.
Because each frame is received on one interface and forwarded to the other, the direction of transmission shows which segment a frame originated from. This supports the analysis by attributing CAN frames to the ECUs on each segment.
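As an added example, not Lindwurm's own code, the Python below shows the bridging idea in a form that can be exercised on a constructed capture: a Bridge relays frames between two named interfaces, records on which side each CAN ID first appeared, and optionally rewrites or drops frames in transit, which is the man-in-the-middle use of the position. run_socketcan() wires the same handler to two real Linux SocketCAN interfaces using raw CAN sockets. The interface names can0/can1, the sample frames and the drop callback are assumptions made up for this example.

```python
"""Added example, not Lindwurm code: a two-interface software CAN bridge that
records which segment each ID originates from and can alter frames in transit."""
import select
import socket
import struct
from collections import defaultdict

# Linux SocketCAN classic frame: u32 can_id (with EFF/RTR/ERR flag bits), u8 dlc, 3 pad, 8 data.
_CAN_FRAME = struct.Struct("<IB3x8s")


class Bridge:
    def __init__(self, side_a, side_b, modify=None):
        self.sides = (side_a, side_b)
        # modify(iface, can_id, data) -> (can_id, data) to forward, or None to drop.
        self.modify = modify
        self.origin = defaultdict(set)   # can_id -> set of interfaces it arrived on
        self.dropped = 0

    def handle(self, iface, can_id, data):
        """Record the frame's origin and return (dst_iface, can_id, data) to
        transmit, or None if the modify hook decided to drop the frame."""
        if iface not in self.sides:
            raise ValueError(f"unknown interface {iface!r}")
        self.origin[can_id].add(iface)
        if self.modify is not None:
            rewritten = self.modify(iface, can_id, data)
            if rewritten is None:
                self.dropped += 1
                return None
            can_id, data = rewritten
        other = self.sides[1] if iface == self.sides[0] else self.sides[0]
        return other, can_id, data

    def attribution(self):
        """Map each ID to the segment it came from; 'both' flags IDs that were
        received on both interfaces and therefore need a closer look."""
        return {cid: (next(iter(s)) if len(s) == 1 else "both")
                for cid, s in self.origin.items()}


def replay_capture(bridge, capture):
    """Feed (iface, can_id, data) records through the bridge and collect what
    it would transmit, in order."""
    return [out for out in (bridge.handle(*rec) for rec in capture) if out is not None]


def run_socketcan(bridge):
    """Relay between two real SocketCAN interfaces (Linux, needs CAP_NET_RAW).
    Raw CAN sockets do not receive their own transmissions by default, so a
    forwarded frame is not bridged back to the segment it came from."""
    socks = {}
    for name in bridge.sides:
        s = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
        s.bind((name,))
        socks[name] = s
    name_of = {s: n for n, s in socks.items()}
    while True:
        ready, _, _ = select.select(list(socks.values()), [], [])
        for s in ready:
            can_id, dlc, payload = _CAN_FRAME.unpack(s.recv(_CAN_FRAME.size))
            out = bridge.handle(name_of[s], can_id, payload[:dlc])
            if out is not None:
                dst, oid, odata = out
                socks[dst].send(_CAN_FRAME.pack(oid, len(odata), odata.ljust(8, b"\0")))


# Constructed capture (not real vehicle data): a tester on can0 sends a UDS
# request to 7E0, the ECU on can1 answers on 7E8 and broadcasts a periodic 123.
SAMPLE_CAPTURE = [
    ("can0", 0x7E0, b"\x02\x10\x03"),
    ("can1", 0x7E8, b"\x02\x50\x03"),
    ("can1", 0x123, b"\x00\x10"),
    ("can1", 0x123, b"\x00\x11"),
]


def drop_periodic(iface, can_id, data):
    """Hypothetical MITM rule: suppress ID 123 crossing the bridge, pass all else."""
    return None if can_id == 0x123 else (can_id, data)


if __name__ == "__main__":
    bridge = Bridge("can0", "can1")
    for dst, cid, data in replay_capture(bridge, SAMPLE_CAPTURE):
        print(f"-> {dst} {cid:03X} {data.hex().upper()}")
    print("origin per ID:", {f"{k:03X}": v for k, v in bridge.attribution().items()})
    # Switch to run_socketcan(Bridge("can0", "can1", modify=drop_periodic)) on real hardware.
```

Two caveats that apply to any software bridge, Lindwurm's included: the forwarded frame is re-arbitrated on the far segment after two user-space hops, so ECUs with tight timing or message counters may notice the added latency, and error frames are not relayed. Attribution also only identifies the segment, not the ECU, so once an ID is pinned to one side the bus is split again until each segment holds a single ECU.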

Planned features & ideas

  • XCP upload/download
  • Decode CAN frames (UDS, signals, etc.) similar to Wireshark dissectors
  • Signal analysis tools
  • Support CAN transport protocols
  • Tiling window based GUI
  • UDS tools
    • Retrieve vehicle/ECU information
    • Call UDS functions
    • Scan for ECUs
  • ...

Contribute

At the moment I am working on the base framework for the application. When the base code is functional and stable I'm planning to provide an alpha preview with an API description and further development documentation. But there is no time schedule (yet).

However, if you are curious feel free to contact me at sascha@lindwurm-can.org.