4

For cybersecurity reasons, I want to make sure a device connected to my CAN bus is read-only.

What's the state-of-the-art way of doing this?

My naive plan was to simply use two diodes.

ECU with diodes

JRE
gbt
  • Use buffers, not diodes. – Eugene Sh. Feb 27 '23 at 20:43
  • Thanks for your answer Eugene, I assume you're suggesting buffers because of the voltage drop? – gbt Feb 27 '23 at 20:51
  • No. Because the CAN bus is voltage based, not current. You want to sense the voltages on the lines without affecting them. – Eugene Sh. Feb 27 '23 at 20:56
  • 1
    CAN bus could be monitored by putting a CAN PHY in receive only mode and disconnecting the transmit mode, but CAN bus packets need to be acknowledged by the receiver, so the device that only monitors the bus cannot participate in any communication, but it cannot also be the target of packet if it can't acknowledge the packet. What are you trying to do and why? – Justme Feb 27 '23 at 22:01
  • 2
    @Justme Probably for monitoring systems in a car. In vehicles, operational system information is broadcast without any acknowledgement, since multiple nodes may need the information, the information is time-critical, and the bus is already sized to handle this traffic. One exception is GMLAN which does have a virtual network presence mechanism, but if the car is operating as normal, the VNs should be up anyway. – user71659 Feb 28 '23 at 08:49
  • Are you designing the ECU or just want to block an existing product where you can't poke around inside? Because the obvious solution is to not route TX to the CAN transceiver or to cut off that pin. – Lundin Feb 28 '23 at 11:16
  • Also the whole cybersecurity nonsense debate about CAN buses is analogous to "how do I design a face recognition system inside my home to ensure that only known people are walking around inside?" The solution is: put a lock on the door (or on the car). Don't design hardware to let everyone and their mother in, then worry about what they might do once you merrily allowed them inside. – Lundin Feb 28 '23 at 11:19
  • What is to the left? A working CAN bus, with two or more CAN devices? Or a (yet not connected) untrusted device? – Peter Mortensen Feb 28 '23 at 16:33

4 Answers

7

The idea is right, but a diode is the wrong way to do it. Use a buffer IC instead. [EDIT: Actually, you can just use diodes for receive-only operation, as per the setup in TonyM's answer. I had forgotten that CANBus receivers don't need to be able to detect a hi-Z bus state.]

You could also look into using a CANBus firewall device, which allows you to specify filters for the types of frames that can go in each direction. These are becoming more common in connected vehicles due to the increased risks involved. Modern vehicles often include these in the wiring loom at specific junctures, e.g. the interconnect between the head unit and the ECU.

Polynomial
  • Fantastic answer. Thanks a lot. Regarding Buffer IC, why would you prefer it over a diode? Voltage drop I assume? Regarding the "CANBus firewall", this is new to me. Any product to recommend / resource to get started? – gbt Feb 27 '23 at 20:50
  • The receiving side needs to be actively driven both high and low, so a diode won't work there. Look for a canbus buffer IC. Regarding products, I've only worked with custom devices developed by car manufacturers and expensive commercially available products in marine environments. The RVI project was the last open design I looked at but it has been a while since I investigated open source solutions. Another search term to look for is "data diode", which is a simple device that implements one-way message passing without filtering rules. – Polynomial Feb 27 '23 at 21:04
  • 2
    One option you have is to roll your own with a microcontroller and two CANbus transceivers - receive from one, pass to the other - but you ABSOLUTELY MUST NOT take that approach if you're going to put this in a safety-critical path. That means no driving your car with a custom device plugged into the ODB-II port if there's even the slightest chance that your firmware might glitch out (it's easier than it sounds - vehicle power rails are very noisy) and spam / lock up the CANBus. I know it sounds alarmist but there's a very good reason for safety regs like IEC 61508 and SIL certification. – Polynomial Feb 27 '23 at 21:11
  • 1
    @gberth Sorry, I just realised I was wrong about the active drive issue - you can actually use a diode setup like in TonyM's answer. I misremembered some details of the electrical spec. It's only in a transmit-only setup that you'd need an active driver. – Polynomial Feb 27 '23 at 21:33
  • @gberth Someone just pointed out to me that there's a device called a CANBus Crocodile that acts as a passive snooping tap, which might be perfect for what you want to do. – Polynomial Feb 27 '23 at 21:54
6

You can use your two diodes then series resistors. These ensure that a fault in any circuit or IC, including your suggested buffer IC, cannot clamp either CAN bus line low.

You can go further and use two resistors in series for increased reliability. A single component failure cannot then allow the MCU to load the bus through a fault in bad software.

schematic

TonyM
  • 1
    Ah, yes, you're 100% right here. I had misremembered some physical layer details about CANbus and thought that the receiver needed to be able to detect a hi-Z bus. Excellent point about minimising the risks from single-part failures. – Polynomial Feb 27 '23 at 21:37
  • Thanks very much, @Polynomial, appreciated :-) – TonyM Feb 27 '23 at 22:16
3

Every CAN transceiver has CANTX and CANRX pins. Simply don't connect CANTX to your controller or MCU CANTX pin and it won't ever be able to transmit but reception will work just fine.

Maybe put a 0R resistor footprint in case you do want to transmit one day.

filo
  • Your approach adds the benefit that this node will be able to acknowledge CAN messages passively. – Velvet Feb 28 '23 at 10:36
  • 1
    This only works if you're the one connecting the peripheral. Since this is tagged cybersecurity, I think it's fair to assume this is intended to protect from third party peripherals, maybe through some API connection. – William Feb 28 '23 at 10:46
  • "Cybersecurity" that can be circumvented with a soldering iron isn't cybersecurity. – Velvet Feb 28 '23 at 12:52
  • 1
    @Velvel Cybersecurity covers integrity and confidentiality. In this case, integrity is apparently the concern - an untrusted device may read all the bus traffic but it absolutely must not interfere with the bus. – user253751 Feb 28 '23 at 13:42
  • @user253751 I would call it 'information security'. But 'cybersecurity' is probably the catchier phrase. – Velvet Feb 28 '23 at 13:56
  • @Velvet the day a remote attacker is able to remotely solder a missing connection, I'll come back and upvote your comment. For now, though, it appears like an excellent idea to defend against some attacks -- not all, of course (and I'm not aware of any all-encompassing security measures short of going back to sticks and stones), but some, and that is already great. – swineone Feb 28 '23 at 21:05
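When the monitoring node is a Linux host with a SocketCAN controller, the receive-only behaviour that filo's answer gets by leaving CANTX unconnected has a software counterpart: the controller's listen-only mode, in which the node neither transmits frames nor drives the ACK slot, so it is invisible on the bus in the way Justme's comment describes. The script below is an added example, not code from any of the answers; the interface name can0, the 500 kbit/s bitrate and the two `ip -details link show` outputs it checks against are constructed for illustration. The caveat raised in the comments still applies: this is a configuration flag that root on the monitoring host can switch back off, so it guards against a buggy or compromised application on the tap, not against someone with privileged or physical access to the tap itself, which is where the passive diode-and-resistor approach has the edge.

```shell
#!/bin/sh
# Added example: configure a Linux SocketCAN interface as a read-only
# (listen-only) monitor and verify that the flag actually took effect.
# Assumptions: Linux with iproute2 and can-utils; the interface name
# "can0" and the 500 kbit/s bitrate are placeholders for illustration.
#
# In listen-only mode the CAN controller never drives the bus: no data
# frames, no error frames and no ACK bit. It is the software counterpart
# of leaving the transceiver's TXD pin unconnected, with the difference
# that root on this host can switch it off again.

# Print the iproute2 command that puts an interface into listen-only mode.
# The bitrate must match the bus being monitored, otherwise every frame is
# seen as a bit error (and in listen-only mode the node cannot even flag it).
listen_only_cmd() {
    printf 'ip link set %s type can bitrate %s listen-only on' "$1" "$2"
}

# Inspect "ip -details link show <if>" output and report whether the
# LISTEN-ONLY control-mode flag is set. Returns 0 if set, 1 otherwise.
# iproute2 prints the control-mode flags in angle brackets on the "can"
# line, e.g. "can <LISTEN-ONLY> state ERROR-ACTIVE ...".
is_listen_only() {
    printf '%s\n' "$1" | grep -q 'can <[^>]*LISTEN-ONLY[^>]*>'
}

# Constructed sample (not captured from a real system) of
# "ip -details link show can0" for a correctly configured tap.
SAMPLE_LISTEN_ONLY='3: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc pfifo_fast state UP mode DEFAULT group default qlen 10
    link/can  promiscuity 0
    can <LISTEN-ONLY> state ERROR-ACTIVE restart-ms 0
          bitrate 500000 sample-point 0.875'

# Constructed sample for an interface that is still able to transmit.
SAMPLE_NORMAL='3: can0: <NOARP,UP,LOWER_UP,ECHO> mtu 16 qdisc pfifo_fast state UP mode DEFAULT group default qlen 10
    link/can  promiscuity 0
    can state ERROR-ACTIVE restart-ms 0
          bitrate 500000 sample-point 0.875'

# Bring the interface up read-only and re-check it before trusting it.
# Requires root; not run by the self-checks, only by an explicit call.
configure_read_only() {
    ifname=$1
    bitrate=$2
    ip link set "$ifname" down
    ip link set "$ifname" type can bitrate "$bitrate" listen-only on
    ip link set "$ifname" up
    is_listen_only "$(ip -details link show "$ifname")"
}

# Usage on a real host, commented out so the file is safe to source:
# configure_read_only can0 500000 && candump can0
```

Re-reading the flag after setting it matters because `ip link set ... type can` silently fails to apply control modes the driver does not support; a tap that is assumed to be listen-only but is actually acknowledging frames is exactly the kind of mistake the question is trying to rule out.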
0

There are capacitive coupled CANbus sniffers, they can listen to a CAN bus, but not transmit data on it.

Lior Bilia