A first look at the CANBus Triple [LWN.net]

By Nathan Willis
March 4, 2015

The CANBus Triple is a Kickstarter-funded open-hardware device intended to let car hackers read, write, and potentially modify the messages sent over their vehicle's Controller Area Network (CAN) bus. Although there are other hardware solutions for interacting with CAN traffic, the CANBus Triple offers some unique advantages. It is low-cost, the schematics and designs are all freely available, and it can serve in some roles that other, mass-produced devices cannot. That said, the software side of the project still has some catching up to do compared to the otherwise nice hardware.

The device itself is the work of Derek Kuschel, an independent hardware hacker from Detroit. In 2013, he built and sold a batch of prototype CAN bus devices after other readers on the MazdaSpeed discussion forum expressed interest in the personal CAN-hacking projects he had posted about. Based on the success of the prototype devices, he launched a Kickstarter campaign in mid-2014 intended to ramp up production. The fundraiser beat its target by a comfortable margin in September, and in February 2015, the first generation of production devices were mailed out to supporters—myself included.

The CANBus Triple takes its name from the fact that it provides three independent CAN bus channels (each including a controller chip and a transceiver). It also includes an Atmel ATMEGA 32u4 microcontroller, which allows it to be programmed with Arduino software tools for use in standalone mode, plus a USB serial port and a Bluetooth Low Energy module. The Bluetooth module does not offer sufficient bandwidth to log all of the CAN bus messages that a modern car might produce, but it would suffice for the Triple to be paired with a smartphone or tablet to, say, monitor specific message types or to send commands to the microcontroller's software. The USB port is capable of a high-speed connection to a laptop or other computer, and offers significantly more interaction possibilities.

The hardware included in the device is significantly more powerful than most of the other CAN bus peripherals that are available to consumers. For comparison's sake, USB peripherals can be difficult to find for less than 50 or 60 Euros, and that price range generally only provides a basic serial connection for a single CAN bus (see this vendor for one example). Modern cars often have at least two buses: one for high-priority components like engine sensors and braking modules, and one for monitoring events from low-priority components like the door locks and climate control system. At the other end of the spectrum, there are multiple Arduino shields that offer a CAN controller and transceiver (sometimes more than one), but those devices are difficult to make much use of in a non-Arduino software stack. At best, they can be adapted into logging tools, but few developers seem to succeed in doing much more.

To use the CANBus Triple, one needs the Arduino IDE and a copy of the project's Arduino code. This includes the configuration files necessary for the IDE to compile sketches and upload them to the device, plus a "basic" Arduino sketch (i.e., program) that lets the user connect to the device with a serial console and watch some CAN traffic. I had no trouble getting the Arduino sketch to compile and upload, and the device responded to the basic serial commands it is supposed to.

That said, there is more complexity to actually getting the device to do anything useful. The easiest way to connect to a car's CAN bus is through the OBD-II diagnostic port, which has a standard wiring configuration. Out of the box, the CANBus Triple comes with a custom cable so you can plug the device right into a OBD-II port. Plug in the Triple, start up the car, and one can see CAN bus messages over the serial connection.

For now, that is about the full extent of the device's functionality. Kuschel is working on a Cordova-based app that can be built for iOS, Android, and desktop systems (at least, any system for which Node.js is available). But the app is not yet in a workable state.

There is, however, a modest middleware layer in the Arduino code that lays the groundwork for more interesting development. It includes timers, hooks for catching and acting on specific CAN messages, and a channel-relay function to copy a CAN bus message heard on one of the CAN buses out onto one of the other CAN buses, among other things. The documentation here is currently quite sparse. Kuschel can hardly be blamed for that; as recently as two weeks ago he was still assembling, testing, and mailing out CANBus Triple units to Kickstarter supporters.

But there are a few developers on the discussion forum who have popped in already to announce that they are working on some carmaker-specific software using the CANBus Triple. Alternatively, Kuschel has released a more feature-rich Arduino sketch that is tailored to Mazda cars. Both of these developments highlight one of the challenges of car hacking: almost every manufacturer may use CAN bus, but there is such a wide array of diverse messaging formats that most software can quickly become vehicle-specific.

Nevertheless, I remain optimistic that CANBus Triple has a bright future. The vast majority of CAN-related hacking projects are simple data-logging or monitoring tools that use an Arduino; there has always been a large price-and-functionality gulf between those projects and the expensive USB CAN adapters that a full-fledged Linux box can, theoretically, do more with. The CANBus Triple basically sits right in between: it has an on-board Arduino-style microcontroller, but it has a USB serial port, too.

Furthermore, the Triple is the only device I am aware of that has the hardware configuration required to intercept, modify, and pass on CAN traffic. That functionality is the key to doing innovative things in the automotive environment—especially in the aftermarket arena. Without it, a car computer can eavesdrop on other CAN-connected components' messages or generate its own, but it cannot really override the car's existing modules in their factory configurations.

The possibilities for modifying CAN traffic are literally endless. From simple adaptations like having the audio unit raise the volume level when the car is traveling at a higher speed to more ambitious functions like having an electric car intelligently power-down non-essential components when the battery is running low, modifying CAN messages is a powerful tool.

The device has a few quirks. For example, the included cable (with a standard diagnostic-port connector) is only wired up on two pins (6 and 14, which are standard CAN pin locations), which means that only one of the three CAN buses is reachable. The other pins can be soldered on, although in my case, whenever I popped open the connector's casing, it seemed like one of the other wires had come loose from its pin. Such are the ins and outs of small-production hardware, though.

On the whole, the CANBus Triple is impressive because it fits right into a gap that no other product is addressing. The fact that it is open hardware and it is built on entirely open-source software makes it all the more likely that the car hackers in the community will pounce on it to do something interesting. And it's hard to beat the snappy orange color scheme, either.

to post comments

A first look at the CANBus Triple

Posted Mar 5, 2015 12:04 UTC (Thu) by gidoca (subscriber, #62438) [Link] (1 responses)

This sounds interesting - I would love to see if I can use it to interface with my BionX e-bike. Does anyone know when it will be available for purchase to those who didn't back it on Kickstarter? The website unfortunately doesn't give any indication.

A first look at the CANBus Triple

Posted Mar 5, 2015 14:05 UTC (Thu) by n8willis (subscriber, #43041) [Link]

He hasn't explicitly said, as you alluded, although it has come up from time to time in the Kickstarter updates and elsewhere that he plans to ramp up.

My guess would be that he wants to get the app & software offerings more stable before he attempts to launch any sort of ongoing production. And he has only just now completed sending out the Kickstarter backer devices, so it would naturally be hard to estimate the time frame for that just yet. The GitHub repositories do indicate that he is working, though.

Nate

A first look at the CANBus Triple

Posted Mar 5, 2015 13:00 UTC (Thu) by ortalo (guest, #4654) [Link] (6 responses)

I look forward into further studying the security implications that this wonderful device will allow to highlight.
Hopefully, confronted with such enlightening (and fashion colored indeed) items, the embedded device industry will start to acquire some knowledge about some of the basic things in computer security (such as Ken Thomson's Turing award lecture).
Some naysayers will say I am dreaming. But hey, I dreamed of such a device, and pof, here it appears. Thank you very much Derek.

A first look at the CANBus Triple

Posted Mar 5, 2015 13:53 UTC (Thu) by n8willis (subscriber, #43041) [Link] (5 responses)

I don't believe anyone in the car industry is confused about the security level provided by CAN, if that's what you're worried about.

Nate

A first look at the CANBus Triple

Posted Mar 9, 2015 15:40 UTC (Mon) by ortalo (guest, #4654) [Link] (4 responses)

I am worried. Security is 0 there no?
What you mean is that the car industry is deliberately negligent about it?
I am even more worried.

A first look at the CANBus Triple

Posted Mar 9, 2015 16:11 UTC (Mon) by n8willis (subscriber, #43041) [Link]

What you mean is that the car industry is deliberately negligent about it?

No.

A first look at the CANBus Triple

Posted Mar 9, 2015 18:44 UTC (Mon) by mstone_ (subscriber, #66309) [Link]

pretty much; the security is based on "nobody would do that"

A first look at the CANBus Triple

Posted Mar 9, 2015 18:52 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

There's not much you can easily do to secure CAN. A lot of devices on it are dumb sensors that simply continuously output their measurements.

The best way to secure such network is to air-gap them.

A first look at the CANBus Triple

Posted Mar 9, 2015 19:20 UTC (Mon) by raven667 (guest, #5198) [Link]

CAN bus has the same security as the Ethernet standard provides, ie. none. I think the auto industry is aware that the layer2 network doesn't provide security and that security needs to be built into a higher layer, I believe that safety critical stuff can set up some message authentication and won't just blindly trust anything it hears on the bus.

A Raspberry Pi solution would have been even more exiting

Posted Mar 5, 2015 15:09 UTC (Thu) by giggls (subscriber, #48434) [Link] (4 responses)

Hm looks like the beauty of Socketcan, which will present your can-bus as just another network Interface is not understood by most people.

I would have been more exited about a linux based solution using a Raspberry Pi or similar. In this case bridging CAN Interfaces and/or modification of messages would be just a matter of a few lines of socketcode.

Sven

A Raspberry Pi solution would have been even more exiting

Posted Mar 6, 2015 23:37 UTC (Fri) by scientes (guest, #83068) [Link] (1 responses)

Does it support AF_CAN? I can't find anything mentioning it. (the kernel name for SocketCan)

A Raspberry Pi solution would have been even more exiting

Posted Mar 7, 2015 10:07 UTC (Sat) by giggls (subscriber, #48434) [Link]

I would assume that it does not, as it is designed in a way that CAN messages are handled directly on the uC rather than a PC connected via USB.

Given the fact, that the device itself is open Hard and Software it would be at least possible to write a driver which provides 3 AF_CAN compatible network devices.

Sven

A Raspberry Pi solution would have been even more exiting

Posted Mar 9, 2015 16:17 UTC (Mon) by n8willis (subscriber, #43041) [Link] (1 responses)

You can already do that with a Raspberry Pi (like any Linux box) and two CAN bus adapters. What would be the need for special-purpose hardware?

Nate

A Raspberry Pi solution would have been even more exiting

Posted Mar 9, 2015 18:00 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

It's not as easy as you think. For example, I want to override navigation messages from OnStar unit.

It has ability to send coordinates to the on-board navigation unit, but actually using this capability requires me to use a clunky and slow RemoteLink app.

The protocol is quite simple - the OnStar unit sends a special message ('10758040 030000' for anyone interested) and then transmits the destination address in a series of messages with another PID.

So in theory it should be a simple matter - just transmit everything from a Raspberry PI and that should do it.

Except that in practice it doesn't work this way. After you transmit the leading message ("here are navigation data"), OnStar unit sends the previous address used!

So you either need to MITM into the actual physical link (messy) or send navigation data fast enough to suppress the OnStar unit. The problem is, all the USB or Bluetooth adapters have too large latency for that.

That's where you want Arduino.

They are

Posted Mar 6, 2015 23:40 UTC (Fri) by scientes (guest, #83068) [Link]

positively sold out.

A first look at the CANBus Triple

Posted Mar 7, 2015 6:56 UTC (Sat) by job (guest, #670) [Link] (8 responses)

Can there be insurance implications of this device? Let's say you have a break malfunction, through no fault of your own, and your insurance company sees this device MITMing CANbus messages. What kind of consequences can that bring? Are there legal precedents?

A first look at the CANBus Triple

Posted Mar 7, 2015 8:20 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

Breaks can not depend solely on CAN bus as they have to work even without power. ABS and other systems might depend on it.

However, the burden of proof will be on an insurance company - US laws are ridiculously lax about car modifications.

A first look at the CANBus Triple

Posted Mar 8, 2015 23:23 UTC (Sun) by n8willis (subscriber, #43041) [Link] (6 responses)

What you're describing wouldn't be an insurance issue, it would be a manufacturer/dealer warranty issue. And you can already run afoul of those warranties by replacing your brakes / wheels / shocks / axles / transmission / engine / lowering your car to mere millimeters above the pavement / darkening the windows to within a few photons of the human retina's limit, etc. Heavily customized cars get insurance all the time; your premiums for full coverage will be higher because the car is more expensive, but that doesn't alter your liability level if you hit someone else. Liability (at least in every state I've lived in) is essentially a function of your demonstrated record as a driver.

Nate

A first look at the CANBus Triple

Posted Mar 9, 2015 15:49 UTC (Mon) by ortalo (guest, #4654) [Link] (1 responses)

Until the day someone, to discharge his liability, can raise a legitimate doubt about a (malicious or unintentional) alteration to one's car software as the origin of the malfunction and the accident.

That day approaches more and more.

I bet that Google's cars will be first to be targeted (obviously for... ethical reasons ;-). I would certainly not bet on the case issue though (either side).

A first look at the CANBus Triple

Posted Mar 9, 2015 16:16 UTC (Mon) by n8willis (subscriber, #43041) [Link]

That situation is someone bringing a lawsuit, not an insurance coverage question. People can already bring lawsuits about car software, people modifying their car stereo, chipping their EFI, or anything else. The CANBus Triple does not alter that equation.

Nate

A first look at the CANBus Triple

Posted Mar 9, 2015 18:48 UTC (Mon) by mstone_ (subscriber, #66309) [Link] (3 responses)

I think you're wrong on this: I expect that your policy has a clause that voids coverage if your car is not roadworthy or does not comply with laws/regulations. You can certainly fight the denial in court, but it isn't going to be as easy as you imply.

A first look at the CANBus Triple

Posted Mar 9, 2015 19:01 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

It's incredibly hard to make a car non-roadworthy in the US. Even toys like this are legal: http://www.guinnessworldrecords.com/world-records/smalles...

A first look at the CANBus Triple

Posted Mar 9, 2015 19:13 UTC (Mon) by mstone_ (subscriber, #66309) [Link] (1 responses)

At the core of being roadworthy is having essential safety features, like brakes, lights, etc. If you stick something into the car that screws up one or more of the required safety features, it is by definition no longer roadworthy. It is by no means guaranteed that the insurance company will deny coverage based on something like this, but if they're looking at a multimillion dollar liability and find a raspberry pi hacked into the CAN on the car responsible for the accident, I find it hard to believe they won't at least try to deny based on that. Even if they eventually lose the point, you're in for a hell of a lot of headache.

This is not the same as aftermarket rotors or new struts, which will likely show some signs of failure of someone looks at them. The CAN is in the middle of everything the car does, and it is quite plausible that it could screw something up without leaving obvious signs. In reality, nobody really looks at most crashes and the insurance companies just write the check because a forensic investigation isn't worth the money. If you cause enough liability (i.e., you really really need the insurance) it's much more likely that they might bother. Especially if these things get common enough that it turns into a question for them to ask.

A first look at the CANBus Triple

Posted Mar 10, 2015 3:15 UTC (Tue) by dlang (guest, #313) [Link]

There have been devices out there to modify the computer control of your car for a couple decades (a very short time after computer control for cars was shipped). There's been a whole industry that makes devices that intercept the sensor data and feed appropriately faked data to the computer (and similarly intercept and fake the computer's response)

While software may someday be an issue for insurance, it's nowhere close to that today.

In fact, the car companies tried taking the approach that if you modified your car in any way, they would void the warranty entirely (even if you just changed your air filter), after a few years of court cases, its settled down to be that the company has to show that your modification directly caused the failure in question before they can avoid paying for that repair.

It's another variation on that "Innocent until proven Guilty" principal that is at the core of the US legal system.

A first look at the CANBus Triple

Posted Mar 29, 2015 1:56 UTC (Sun) by cansniffer (guest, #101700) [Link]

This is nothing but an arduino is a shiny box he is using the same IDE as arduino and even the same microcontroller you can purchase an arduino and a can shield alot cheaper and it will do the exact same functions.You can buy an arduino and puth the exact same code in it and it will function the same. Look up the design uf this unit and then look up arduino exactly the same it is a rip off!!