# ISOTP Scanning techniques#

Details can be found in this paper: [WRMM20].

To identify all possible communication endpoints and their supported application layer protocols, a transport layer scan has to be performed first. Through the separation into the transport and application layers, every communication endpoint, no matter which application layer protocol it supports, can be identified. This applies even to the GMLAN protocol, where transport and application layer definitions are mixed. Sometimes, OEMs also use ISO-TP endpoints to exchange various data between ECUs. These endpoints use completely proprietary and unknown application layer protocols. Since our approach only targets the transport layer, even these endpoints can be identified on the network.

The above figure clearly shows that more recent or higher priced cars contain more ISO-TP endpoints. An Opel Astra, built 2006, only has two different ISO-TP endpoints, whereby a Skoda Superb, built 2019, shows 26 different ISO-TP endpoints.

## Active scanning#

Summary:

• Can identify all ISO-TP endpoints on a bus

• Causes high bus utilization

• IDS will immediately see illegitimate traffic

• May disturb safety-critical or real-time communication

• No knowledge about the supported application layer protocol necessary

• Procedure:

• Choose an addressing scheme

• Craft FF with payload length e.g. 100

• Send FF with all possible addresses according to the chosen addressing scheme

• Listen for FC frames according to the chosen addressing scheme

• If FC is detected, obtain all address information and information about padding from the last FF and the received FC

This technique is suitable to identify all existing ISO-TP endpoints of a vehicle network or an ECU. An active scan will cause high utilization of the scanned CAN network. Any intrusion detection system will immediately identify an active scan as malformed communication. Therefore an active scan should be used with care since the onboard communication of a vehicle might be disturbed and even safety-critical or real-time communication could be interrupted or delayed.

The figure above highlights all ISO-TP communication parameters for addressing scheme A1. A FF (blue) message with SA 0x603 (green) and a packet size of 100 bytes (red) is sent on the CAN bus. An ISO-TP endpoint with TA 0x703 (orange) acknowledges the FF message with an FC message (blue). The CAN message length of 8 bytes indicates that this ISO-TP endpoint uses padding (brown). The addressing scheme can be determined by the position of the frame type identification (blue).

Another example of addressing schemes A3 or A5 is given in the figure above. In real-world scenarios, these two addressing schemes are not deducible from their communication traffic. On the other hand, for the ISO-TP endpoint identification, it does not matter which one is used. Source and destination ISO-TP endpoint addresses are still encoded in the CAN identifier. Additionally, extended address information is encoded in the first payload byte of each CAN packet (dark orange and dark green). The ISO-TP frame type information is moved to byte position two of the CAN packet payload. This ISO-TP endpoint does not require padding, which can be seen from the shorter CAN message length of the receiver flow control acknowledgment.

## Passive scanning:#

Summary:

• May only identify ISO-TP endpoints with active communication

• May not detect all possible ISO-TP endpoints

• A repair shop tester helps to trigger communication

• Doesn’t interfere with the vehicle communication

• Not detectable by IDS

• Procedure:

• Sniff a CAN bus and filter for FF and FC messages according to a chosen addressing scheme

• If both messages were detected, extract address information

Passive scans have the advantage that no additional bus load is generated during the scan. On the other hand, it might be possible that not all existing ISO-TP endpoints are found since special ISO-TP endpoints might only be used during very rare situations of a vehicle’s life cycle. No communication to this special ISO-TP endpoint will show up in the vehicle’s network traffic. Another disadvantage of passive scans is that ISO-TP endpoints for diagnostic protocols are only used during operations in a repair shop or a car factory. This makes the presence of some additional tool that triggers diagnostic communication necessary to perform a passive ISO-TP scan. To conduct a passive scan, filters on the first and second byte of the CAN payload have to be applied. As soon as a FF is detected by the frame type indicator (0x1) in byte one or two of a CAN message payload, followed by another CAN message with a flow control frame type indicator as acknowledgment, an ISO-TP endpoint is found. The extraction of the relevant communication parameters is identical to the active ISO-TP scan.

## in Scapy#

In this example, we use vcan0 interface.

• Load necessary components in Scapy

conf.contribs['ISOTP'] = {'use-can-isotp-kernel-module': True}
conf.contribs['CANSocket'] = {'use-python-can': False}

• Run scan

socks = isotp_scan(CANSocket("vcan0"), range(0x120, 0x130), can_interface="vcan0")

• Show results

print(socks)
[<<ISOTPNativeSocket: read/write packets at a given CAN interface using CAN_ISOTP socket > at 0x7f25c963ab50>]


[WRMM20]

Nils Weiss, Sebastian Renner, Jürgen Mottok, and Václav Matoušek. Transport layer scanning for attack surface detection in vehicular networks. In Computer Science in Cars Symposium, 1–8. ACM, 12 2020. URL: https://dl.acm.org/doi/10.1145/3385958.3430476, doi:10.1145/3385958.3430476.