[{"data":1,"prerenderedAt":471},["Reactive",2],{"kb-chapters":3,"kb-doc:/knowledge-base/existing-research/introduction/":169},[4,11,17,23,29,35,41,47,53,59,65,71,77,83,89,96,102,108,114,120,126,132,138,144,151,157,163],{"_path":5,"title":6,"description":7,"part":8,"_file":9,"chapterNumber":10},"/knowledge-base/networks/introduction","Introduction","Overview of the communication networks used in modern vehicles, from LIN to Automotive Ethernet.","Vehicle Networks & Protocols","7.knowledge-base/1.networks/1.introduction.md",1,{"_path":12,"title":13,"description":14,"part":8,"_file":15,"chapterNumber":16},"/knowledge-base/networks/vehicle-documentation","Vehicle Documentation","Where to find manufacturer wiring diagrams, J2534 passthrough devices, and the different types of diagrams that are useful when researching a vehicle.","7.knowledge-base/1.networks/2.vehicle-documentation.md",2,{"_path":18,"title":19,"description":20,"part":8,"_file":21,"chapterNumber":22},"/knowledge-base/networks/lin-bus","Local Interconnect Network (LIN)","Local Interconnect Network — a single-wire low-speed bus used as a low-cost alternative to CAN for non-critical body electronics.","7.knowledge-base/1.networks/3.lin-bus.md",3,{"_path":24,"title":25,"description":26,"part":8,"_file":27,"chapterNumber":28},"/knowledge-base/networks/controller-area-network","Controller Area Network (CAN)","ISO 11898 — the differential bus that became the backbone of automotive networking. 
Frames, bit timing, errors, CAN FD, message contents, and practical attacks.","7.knowledge-base/1.networks/4.controller-area-network.md",4,{"_path":30,"title":31,"description":32,"part":8,"_file":33,"chapterNumber":34},"/knowledge-base/networks/secure-onboard-communication","Secure Onboard Communication (SecOC)","AUTOSAR's standard for cryptographic message authentication on in-vehicle networks — freshness values, MAC computation and key management.","7.knowledge-base/1.networks/5.secure-onboard-communication.md",5,{"_path":36,"title":37,"description":38,"part":8,"_file":39,"chapterNumber":40},"/knowledge-base/networks/flexray","FlexRay","Time-triggered, deterministic automotive bus standardized as ISO 17458, designed for higher speeds and drive-by-wire systems.","7.knowledge-base/1.networks/6.flexray.md",6,{"_path":42,"title":43,"description":44,"part":8,"_file":45,"chapterNumber":46},"/knowledge-base/networks/automotive-ethernet","Automotive Ethernet","Automotive variants of Ethernet — 100BASE-T1, 1000BASE-T1, and 10BASE-T1S — built around single twisted-pair cabling and strict EMC requirements.","7.knowledge-base/1.networks/7.automotive-ethernet.md",7,{"_path":48,"title":6,"description":49,"part":50,"_file":51,"chapterNumber":52},"/knowledge-base/diagnostics/introduction","Overview of automotive diagnostic protocols — ISO-TP, OBD-II, UDS, CCP and XCP — and how they layer on top of CAN.","Diagnostic Protocols","7.knowledge-base/2.diagnostics/1.introduction.md",8,{"_path":54,"title":55,"description":56,"part":50,"_file":57,"chapterNumber":58},"/knowledge-base/diagnostics/iso-tp","ISO 15765-2 (ISO-TP)","ISO 15765-2 transport layer for sending diagnostic payloads larger than 8 bytes over CAN — single, first, consecutive and flow-control frames.","7.knowledge-base/2.diagnostics/2.iso-tp.md",9,{"_path":60,"title":61,"description":62,"part":50,"_file":63,"chapterNumber":64},"/knowledge-base/diagnostics/vw-tp20","VW Transport Protocol 2.0 (TP 2.0)","Volkswagen's 
pre-ISO-TP transport layer for KWP2000 over CAN — channel setup, parameter negotiation, and the data exchange counter scheme.","7.knowledge-base/2.diagnostics/3.vw-tp20.md",10,{"_path":66,"title":67,"description":68,"part":50,"_file":69,"chapterNumber":70},"/knowledge-base/diagnostics/obd-ii","On-board diagnostics (OBD-II)","On-Board Diagnostics II — the J1962 connector, signal protocols, service IDs, parameter IDs, and DTC encoding.","7.knowledge-base/2.diagnostics/4.obd-ii.md",11,{"_path":72,"title":73,"description":74,"part":50,"_file":75,"chapterNumber":76},"/knowledge-base/diagnostics/uds","Unified Diagnostic Services (UDS)","ISO 14229-1 — the modern diagnostic protocol for sessions, Read/Write DID, Security Access, Routine Control and firmware Request Download / Upload.","7.knowledge-base/2.diagnostics/6.uds.md",12,{"_path":78,"title":79,"description":80,"part":50,"_file":81,"chapterNumber":82},"/knowledge-base/diagnostics/ccp","CAN Calibration Protocol (CCP)","A low-level debug/calibration protocol over CAN — Command Receive Object, Data Transfer Object, and the commands used to read and write ECU memory.","7.knowledge-base/2.diagnostics/7.ccp.md",13,{"_path":84,"title":85,"description":86,"part":50,"_file":87,"chapterNumber":88},"/knowledge-base/diagnostics/xcp","Universal Measurement and Calibration Protocol (XCP)","ASAM XCP — successor to CCP supporting CAN, CAN FD, FlexRay, and Ethernet, with synchronous data acquisition, stimulation, and calibration.","7.knowledge-base/2.diagnostics/8.xcp.md",14,{"_path":90,"title":91,"description":92,"part":93,"_file":94,"chapterNumber":95},"/knowledge-base/reverse-engineering/ecu-flashing","ECU Flashing","How a control unit is reprogrammed over the wire with UDS, walked through step by step, why the sequence is staged the way it is, and how the SecurityAccess seed/key gate works, from weak proprietary LFSR ciphers to the Volkswagen SA2 script.","Reverse 
Engineering","7.knowledge-base/3.reverse-engineering/1.ecu-flashing.md",15,{"_path":97,"title":98,"description":99,"part":93,"_file":100,"chapterNumber":101},"/knowledge-base/reverse-engineering/oem-update-files","OEM Update Files","Where to find official ECU firmware, why OEMs ship it, and how the major manufacturer update container formats (VW FRF/ODX, Toyota CUW, Ford VBF, BMW psdzdata, Tesla BHX) are structured, decrypted, and unpacked.","7.knowledge-base/3.reverse-engineering/2.oem-update-files.md",16,{"_path":103,"title":6,"description":104,"part":105,"_file":106,"chapterNumber":107},"/knowledge-base/existing-research/introduction","Landmark papers from 2010 to 2016 that defined automotive security research and demonstrated the first complete remote exploit chain against a production vehicle.","Existing Research","7.knowledge-base/4.existing-research/1.introduction.md",17,{"_path":109,"title":110,"description":111,"part":105,"_file":112,"chapterNumber":113},"/knowledge-base/existing-research/engine-control-units","Engine Control Units","Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.","7.knowledge-base/4.existing-research/2.engine-control-units.md",18,{"_path":115,"title":116,"description":117,"part":105,"_file":118,"chapterNumber":119},"/knowledge-base/existing-research/ev-charging","EV Charging","Research covering two distinct attack surfaces introduced by electric vehicle charging, the HomePlug Green PHY powerline data layer used by the Combined Charging System, and the AC charger as a peer device with its own firmware and bidirectional communications.","7.knowledge-base/4.existing-research/3.ev-charging.md",19,{"_path":121,"title":122,"description":123,"part":105,"_file":124,"chapterNumber":125},"/knowledge-base/existing-research/fault-injection","Fault Injection","Published fault injection research relevant to automotive 
microcontrollers, covering voltage glitching, EMFI, debug access, and secure-boot bypasses on Renesas, Infineon, NXP/Freescale, and Tesla compute platforms.","7.knowledge-base/4.existing-research/4.fault-injection.md",20,{"_path":127,"title":128,"description":129,"part":105,"_file":130,"chapterNumber":131},"/knowledge-base/existing-research/infotainment-telematics","Infotainment & Telematics","Sixteen published research entries covering remote exploitation of infotainment and telematics systems across Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan vehicles, plus a cross-industry web API survey.","7.knowledge-base/4.existing-research/5.infotainment-telematics.md",21,{"_path":133,"title":134,"description":135,"part":105,"_file":136,"chapterNumber":137},"/knowledge-base/existing-research/sensors-and-radios","Other Wireless Attack Surfaces","Research covering wireless attack surfaces beyond the primary CAN and telematics interfaces, including tire pressure sensors and DAB radio receivers, both of which accept untrusted RF input and have historically performed no authentication or input validation.","7.knowledge-base/4.existing-research/6.sensors-and-radios.md",22,{"_path":139,"title":140,"description":141,"part":105,"_file":142,"chapterNumber":143},"/knowledge-base/existing-research/remote-keyless-entry","Remote Keyless Entry and Immobilisers","Research on cryptographic attacks against passive keyless entry systems, transponder-based immobilisers, rolling-code RKE, and the CAN-injection theft chain.","7.knowledge-base/4.existing-research/7.remote-keyless-entry.md",23,{"_path":145,"title":146,"description":147,"part":148,"_file":149,"chapterNumber":150},"/knowledge-base/tools/can-adapters","CAN Adapters","USB-to-CAN adapters — comma.ai red panda and PEAK-System PCAN — and the standard DB-9 pinout for 
CAN.","Tools","7.knowledge-base/5.tools/1.can-adapters.md",24,{"_path":152,"title":153,"description":154,"part":148,"_file":155,"chapterNumber":156},"/knowledge-base/tools/can-analysis","CAN Analysis","Tools for analysing and reverse-engineering CAN traffic — comma.ai cabana, SavvyCAN, VehicleSpy, and Wireshark.","7.knowledge-base/5.tools/2.can-analysis.md",25,{"_path":158,"title":159,"description":160,"part":148,"_file":161,"chapterNumber":162},"/knowledge-base/tools/scripting","Scripting","Python libraries and CLI tools for talking to a CAN bus — comma.ai panda, SocketCAN can-utils, python-can, and Scapy with ISO-TP and UDS examples.","7.knowledge-base/5.tools/3.scripting.md",26,{"_path":164,"title":165,"description":166,"part":148,"_file":167,"chapterNumber":168},"/knowledge-base/tools/dbc-files","DBC Files","The DBC file format used to describe the contents of CAN messages — nodes, messages, signals, comments, and value tables.","7.knowledge-base/5.tools/4.dbc-files.md",27,{"_path":103,"_dir":170,"_draft":171,"_partial":171,"_locale":172,"title":6,"description":104,"part":105,"references":173,"body":213,"_type":467,"_id":468,"_source":469,"_file":106,"_extension":470},"existing-research",false,"",[174,181,188,195,201,207],{"id":175,"authors":176,"title":177,"publisher":178,"year":179,"url":180},"koscher-2010","Koscher, Czeskis, Roesner, Patel, Kohno, Checkoway, McCoy, Kantor, Anderson, Shacham, Savage","Experimental Security Analysis of a Modern Automobile","2010 IEEE Symposium on Security and Privacy (IEEE S&P)",2010,"https://www.autosec.org/pubs/cars-oakland2010.pdf",{"id":182,"authors":183,"title":184,"publisher":185,"year":186,"url":187},"checkoway-2011","Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno","Comprehensive Experimental Analyses of Automotive Attack Surfaces","USENIX Security 
2011",2011,"https://www.autosec.org/pubs/cars-usenixsec2011.pdf",{"id":189,"authors":190,"title":191,"publisher":192,"year":193,"url":194},"miller-valasek-2013","Miller, Valasek","Adventures in Automotive Networks and Control Units","IOActive / DEF CON 21",2013,"https://illmatics.com/car_hacking.pdf",{"id":196,"authors":190,"title":197,"publisher":198,"year":199,"url":200},"miller-valasek-2014","A Survey of Remote Automotive Attack Surfaces","Black Hat USA 2014",2014,"https://illmatics.com/remote%20attack%20surfaces.pdf",{"id":202,"authors":190,"title":203,"publisher":204,"year":205,"url":206},"miller-valasek-jeep-2015","Remote Exploitation of an Unaltered Passenger Vehicle","IOActive, August 2015",2015,"https://illmatics.com/Remote%20Car%20Hacking.pdf",{"id":208,"authors":190,"title":209,"publisher":210,"year":211,"url":212},"miller-valasek-can-2016","CAN Message Injection — OG Dynamite Edition","IOActive, June 2016",2016,"https://illmatics.com/can%20message%20injection.pdf",{"type":214,"children":215,"toc":458},"root",[216,224,230,235,241,256,261,266,275,280,292,297,302,310,315,327,332,337,345,350,362,367,372,380,385,397,402,407,412,420,426,438,443,448,454],{"type":217,"tag":218,"props":219,"children":221},"element","h1",{"id":220},"introduction",[222],{"type":223,"value":6},"text",{"type":217,"tag":225,"props":226,"children":227},"p",{},[228],{"type":223,"value":229},"This chapter is a reference to public research on car hacking. It discusses a few general car hacking papers. 
The rest of the research is split up by target or entrypoint.",{"type":217,"tag":225,"props":231,"children":232},{},[233],{"type":223,"value":234},"The 2015 Jeep Cherokee hack brought the subject to a mainstream audience and triggered a 1.4 million vehicle recall; the four earlier papers established the technical groundwork that made it possible.",{"type":217,"tag":236,"props":237,"children":239},"h2",{"id":238},"experimental-security-analysis-of-a-modern-automobile",[240],{"type":223,"value":177},{"type":217,"tag":225,"props":242,"children":243},{},[244,250,252],{"type":217,"tag":245,"props":246,"children":247},"em",{},[248],{"type":223,"value":249},"Koscher et al., IEEE S&P 2010",{"type":223,"value":251}," ",{"type":217,"tag":253,"props":254,"children":255},"citation",{"id":175},[],{"type":217,"tag":225,"props":257,"children":258},{},[259],{"type":223,"value":260},"The first systematic empirical security evaluation of a complete production automobile, this IEEE S&P paper connected a laptop running CARSHARK to the OBD-II port of two identical late-model sedans and mapped what an attacker with network access could do. Because the CAN bus carries no source addresses and no authentication, any node can send any frame to any other.",{"type":217,"tag":225,"props":262,"children":263},{},[264],{"type":223,"value":265},"Injecting the right messages could disengage brakes while moving, lock individual wheels, kill the engine, spoof the speedometer, and block the car from restarting. The car's telematics unit was connected to both the low-speed and high-speed CAN subnets; after reprogramming it from the low-speed side, the researchers used it as a bridge onto the high-speed bus, bypassing the BCM gateway. 
All attacks required prior access via the OBD-II port or a compromised ECU, a constraint the 2011 follow-on paper addressed directly.",{"type":217,"tag":225,"props":267,"children":268},{},[269],{"type":217,"tag":270,"props":271,"children":274},"img",{"alt":272,"src":273},"The CARSHARK tool developed by Koscher et al. for sniffing and injecting CAN packets. The left panel lists ECU nodes on both CAN subnets; recently updated values are highlighted. Figure from Koscher et al., 2010 (Experimental Security Analysis of a Modern Automobile).","/images/knowledge-base/existing-research/introduction/koscher-2010-1.png",[],{"type":217,"tag":236,"props":276,"children":278},{"id":277},"comprehensive-experimental-analyses-of-automotive-attack-surfaces",[279],{"type":223,"value":184},{"type":217,"tag":225,"props":281,"children":282},{},[283,288,289],{"type":217,"tag":245,"props":284,"children":285},{},[286],{"type":223,"value":287},"Checkoway, McCoy, Kantor, Anderson, Shacham, Savage, Koscher, Czeskis, Roesner, Kohno, USENIX Security 2011",{"type":223,"value":251},{"type":217,"tag":253,"props":290,"children":291},{"id":182},[],{"type":217,"tag":225,"props":293,"children":294},{},[295],{"type":223,"value":296},"Where the 2010 paper asked what an attacker could do once on the network, this USENIX Security paper asked how they get there. 
The same joint UW and UCSD team catalogued external communications channels on a modern sedan, investigated representative examples in each access category, and demonstrated remote compromise through mechanics' tooling, the media player, Bluetooth, and the cellular modem.",{"type":217,"tag":225,"props":298,"children":299},{},[300],{"type":223,"value":301},"Attack vectors were organised in three tiers: indirect physical (OBD-II port via compromised dealer tooling; CD player via a WMA parser buffer overflow; dealership Wi-Fi programmer with weak credentials); short-range wireless (Bluetooth hands-free stack overflow; TPMS receiver); and long-range wireless (cellular telematics unit, containing a modem-layer overflow that bypassed higher-level authentication and accepted audio-encoded commands over a voice call). Post-exploitation, a compromised telematics unit could serve as an IRC command-and-control node over 3G; two vehicles over a thousand miles apart responded to the same IRC command in a live demonstration. The structural finding: automotive software carried the same memory-safety vulnerabilities as desktop software but had no update infrastructure, no per-component privilege isolation, and no bus-level authentication.",{"type":217,"tag":225,"props":303,"children":304},{},[305],{"type":217,"tag":270,"props":306,"children":309},{"alt":307,"src":308},"Attack surface taxonomy for a modern automobile, showing external I/O channels and which ECUs they reach. Colors group ECUs by function. 
Figure from Checkoway et al., 2011 (Comprehensive Experimental Analyses of Automotive Attack Surfaces).","/images/knowledge-base/existing-research/introduction/checkoway-2011-1.png",[],{"type":217,"tag":236,"props":311,"children":313},{"id":312},"adventures-in-automotive-networks-and-control-units",[314],{"type":223,"value":191},{"type":217,"tag":225,"props":316,"children":317},{},[318,323,324],{"type":217,"tag":245,"props":319,"children":320},{},[321],{"type":223,"value":322},"Miller, Valasek, DEF CON 21, 2013",{"type":223,"value":251},{"type":217,"tag":253,"props":325,"children":326},{"id":189},[],{"type":217,"tag":225,"props":328,"children":329},{},[330],{"type":223,"value":331},"This DEF CON 21 whitepaper targeted a 2010 Toyota Prius and a 2010 Ford Escape. Unlike prior work that withheld vehicle specifics, it released full CAN ID tables, packet formats, source code, and hardware instructions so other researchers could reproduce the results.",{"type":217,"tag":225,"props":333,"children":334},{},[335],{"type":223,"value":336},"The paper covered CAN bus structure, ISO-TP framing, and key UDS diagnostic services, alongside complete ECU topology maps for both vehicles. Attack demonstrations included normal-mode CAN injection to manipulate the speedometer, steering, and braking on the Prius, and diagnostic-mode messages to engage brakes, kill the engine, and reflash the Ford Escape's Parking Assist Module with firmware extracted and disassembled from the HC12 microcontroller. A short section proposed anomaly detection based on the strict periodicity of healthy CAN traffic, prefiguring later IDPS research.",{"type":217,"tag":225,"props":338,"children":339},{},[340],{"type":217,"tag":270,"props":341,"children":344},{"alt":342,"src":343},"CAN v1 bus wiring diagram for the 2010 Toyota Prius, showing ECU nodes and their physical connections. 
Figure from Miller and Valasek, 2013 (Adventures in Automotive Networks and Control Units).","/images/knowledge-base/existing-research/introduction/miller-valasek-2013-1.png",[],{"type":217,"tag":236,"props":346,"children":348},{"id":347},"a-survey-of-remote-automotive-attack-surfaces",[349],{"type":223,"value":197},{"type":217,"tag":225,"props":351,"children":352},{},[353,358,359],{"type":217,"tag":245,"props":354,"children":355},{},[356],{"type":223,"value":357},"Miller, Valasek, Black Hat USA 2014",{"type":223,"value":251},{"type":217,"tag":253,"props":360,"children":361},{"id":196},[],{"type":217,"tag":225,"props":363,"children":364},{},[365],{"type":223,"value":366},"This Black Hat survey broadened scope from two test vehicles to twenty-four production cars across model years 2006 to 2015. Each vehicle was rated on remote attack surface breadth, internal network topology, and the set of cyber-physical features that let software actuate physical systems.",{"type":217,"tag":225,"props":368,"children":369},{},[370],{"type":223,"value":371},"For each vehicle the authors mapped every ECU with a wireless interface against the safety-critical ECUs it could reach. Forty-two percent of 2014 model-year vehicles had no segmentation between at least one cyber-physical ECU and one with a remote attack surface. The 2014 Jeep Cherokee ranked highest: its Uconnect radio handled Bluetooth, cellular, Wi-Fi, FM RDS, and app connectivity while sitting directly on CAN-C alongside the ABS, electric power steering, and adaptive cruise ECUs, forming a complete three-stage attack chain. Miller and Valasek found the needed software bugs the following year, documented in the next section. 
The paper also noted that manufacturer patching still largely depended on dealer visits rather than automated OTA updates as of July 2014.",{"type":217,"tag":225,"props":373,"children":374},{},[375],{"type":217,"tag":270,"props":376,"children":379},{"alt":377,"src":378},"Network architecture of the 2014 Jeep Cherokee, showing the Uconnect radio (with Bluetooth, cellular, and internet connectivity) directly bridging onto CAN-C alongside safety-critical ECUs including ABS and power steering. Figure from Miller and Valasek, 2014 (A Survey of Remote Automotive Attack Surfaces).","/images/knowledge-base/existing-research/introduction/miller-valasek-2014-1.png",[],{"type":217,"tag":236,"props":381,"children":383},{"id":382},"remote-exploitation-of-an-unaltered-passenger-vehicle",[384],{"type":223,"value":203},{"type":217,"tag":225,"props":386,"children":387},{},[388,393,394],{"type":217,"tag":245,"props":389,"children":390},{},[391],{"type":223,"value":392},"Miller, Valasek, IOActive 2015",{"type":223,"value":251},{"type":217,"tag":253,"props":395,"children":396},{"id":202},[],{"type":217,"tag":225,"props":398,"children":399},{},[400],{"type":223,"value":401},"Published in August 2015, this IOActive whitepaper delivered the first complete end-to-end remote exploit against a production vehicle with no prior physical access and no vehicle modifications required. The target was a 2014 Jeep Cherokee running the Harman Uconnect 8.4AN head unit on QNX 6.5.0. The Uconnect system held an IP address reachable from other Sprint devices, though not from the public internet, and an unauthenticated D-Bus service accepted arbitrary shell commands from any caller. 
By scanning Chrysler's allocated cellular IP ranges from a Sprint-connected host, Miller and Valasek could connect to vulnerable vehicles anywhere in the United States and obtain a QNX shell from a laptop miles away.",{"type":217,"tag":225,"props":403,"children":404},{},[405],{"type":223,"value":406},"Gaining shell access to the head unit was only the first stage. The Uconnect OMAP SoC communicated with a NEC V850 microcontroller over SPI; the V850 bridged both the CAN-IHS and CAN-C buses and relayed messages to every ECU in the vehicle. The authors reversed the SPI protocol, discovered an undocumented debug command, and reflashed the V850 with modified firmware that forwarded arbitrary CAN frames from the OMAP. Because V850 firmware updates were accepted without any code-signing verification, this step required no additional vulnerability. With the bridge active, the researchers could disable the transmission, spoof gauges, control body functions, and, at low speeds where diagnostic sessions were accepted, affect brakes and steering through the relevant ECUs.",{"type":217,"tag":225,"props":408,"children":409},{},[410],{"type":223,"value":411},"The disclosure timeline began in October 2014 with the D-Bus finding and concluded with FCA releasing a patch on July 16, 2015, followed by a voluntary recall of 1.4 million vehicles five days later. The Sprint network independently blocked port 6667 traffic. The paper's influence extended beyond FCA: Tesla's subsequent adoption of OTA firmware code signing is widely attributed in part to the attention this research generated.",{"type":217,"tag":225,"props":413,"children":414},{},[415],{"type":217,"tag":270,"props":416,"children":419},{"alt":417,"src":418},"Uconnect touchscreen displaying a firmware update prompt, used in the USB-based jailbreak that established the initial code execution path. 
Figure from Miller and Valasek, 2015 (Remote Exploitation of an Unaltered Passenger Vehicle).","/images/knowledge-base/existing-research/introduction/jeep-2015-2.png",[],{"type":217,"tag":236,"props":421,"children":423},{"id":422},"can-message-injection-og-dynamite-edition",[424],{"type":223,"value":425},"CAN Message Injection - OG Dynamite Edition",{"type":217,"tag":225,"props":427,"children":428},{},[429,434,435],{"type":217,"tag":245,"props":430,"children":431},{},[432],{"type":223,"value":433},"Miller, Valasek, IOActive 2016",{"type":223,"value":251},{"type":217,"tag":253,"props":436,"children":437},{"id":208},[],{"type":217,"tag":225,"props":439,"children":440},{},[441],{"type":223,"value":442},"Published in June 2016, this IOActive follow-up examined a question left open by the 2015 Jeep paper: given arbitrary CAN message injection, how much physical control is actually achievable, and why do naive injection attempts often fail?",{"type":217,"tag":225,"props":444,"children":445},{},[446],{"type":223,"value":447},"The core problem is confliction. Every legitimate ECU broadcasts its messages continuously at a fixed interval. When an attacker injects an adversarial message with the same CAN ID, the receiving ECU sees two conflicting streams. Safety-critical ECUs in the Jeep resolved confliction by disabling the contested feature rather than acting on either message, which meant flooding the ABS module disabled braking rather than applying it. The paper described three approaches to overcome this: placing the transmitting ECU into a diagnostic session to halt its normal messages, forcing it into Bootrom mode, or fully reflashing it to eliminate the conflicting sender. A fourth technique, analysing how the receiving ECU processes incoming data and exploiting edge cases in that logic, was demonstrated against the Power Steering Control Module. 
Combining these methods, the authors achieved braking, acceleration via cruise control emulation, and steering on both the Jeep Cherokee and a Toyota Prius. The paper also proposed several defensive countermeasures, including message authentication and anomaly detection on CAN timing.",{"type":217,"tag":236,"props":449,"children":451},{"id":450},"references",[452],{"type":223,"value":453},"References",{"type":217,"tag":455,"props":456,"children":457},"chapter-references",{},[],{"title":172,"searchDepth":16,"depth":16,"links":459},[460,461,462,463,464,465,466],{"id":238,"depth":16,"text":177},{"id":277,"depth":16,"text":184},{"id":312,"depth":16,"text":191},{"id":347,"depth":16,"text":197},{"id":382,"depth":16,"text":203},{"id":422,"depth":16,"text":425},{"id":450,"depth":16,"text":453},"markdown","content:7.knowledge-base:4.existing-research:1.introduction.md","content","md",1779543672134]