Modern cars have 50-100 ECUs (Electronic Control Units). The brakes, steering, engine, and radio all talk to each other over a network called the CAN bus. Is it encrypted? Usually not. Is it authenticated? No. Any node that can transmit on the bus is trusted: if you can talk on the bus, you ARE the boss.
The CAN Protocol
It is a broadcast network: every node sees every frame, and frames carry no sender address.
Message format: ID # DATA
Example: 0x244 # 00 00 00 FF 00
The ID sets priority (lower IDs win arbitration when two nodes transmit at once) and identifies the function. The data bytes carry the state (e.g., RPM=3000, Door=Open).
1. Sniffing Traffic
1. Connect a USB-to-CAN adapter (like CANable) to the OBD-II port under the steering wheel.
2. Use Linux tools: candump can0.
3. You see a matrix of scrolling numbers.
4. Unlock the door and watch which ID changes. That frame is the "Door Unlock" packet.
2. Replay Attacks
Record the traffic while unlocking the door.
Replay it: canplayer -I unlock.log.
The door unlocks. The car cannot tell that the frame came from your laptop rather than the key fob, because nothing on the bus identifies the sender.
3. Dangerous Attacks
In 2015, Charlie Miller and Chris Valasek hacked a Jeep Cherokee remotely via the radio unit. From the radio (Infotainment), they pivoted to the CAN Bus and disabled the brakes on the highway. This led to a recall of 1.4 million vehicles.
Future: Automotive Ethernet
New cars are moving to "Automotive Ethernet", which offers higher bandwidth and supports encrypted, authenticated transport. Gateways now sit between the OBD-II port and critical systems and filter packets, so a frame injected at the diagnostic port no longer reaches every ECU.
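The gateway filtering described above, as an added example that is not part of the original article: it parses frames in the can-utils candump log format (the same "ID#DATA" notation used earlier) and applies an allowlist plus a rate limit to traffic arriving from the OBD-II side, so the replayed 0x244 unlock frame from the replay section is dropped. The rate cap, interface name and sample capture are constructed assumptions; the allowed IDs are the standard 11-bit OBD/UDS diagnostic request IDs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# candump log line, e.g. "(1700000000.000123) can0 244#000000FF00"
LOG_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

@dataclass
class Frame:
    ts: float
    iface: str
    can_id: int
    data: bytes

def parse_candump_line(line: str) -> Frame:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    return Frame(float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"]))

# Policy: a diagnostic tool legitimately sends only the OBD functional request
# ID 0x7DF and the physical request IDs 0x7E0-0x7E7 (ISO 15765-4). Anything
# else from the OBD segment, such as a replayed body-control frame, is dropped.
ALLOWED_FROM_OBD = {0x7DF} | set(range(0x7E0, 0x7E8))
MAX_PER_SECOND = 20  # assumed per-ID rate cap; a real gateway tunes this per vehicle

def filter_obd_frames(lines, allowed=ALLOWED_FROM_OBD, max_per_second=MAX_PER_SECOND):
    """Return (forwarded, dropped); each dropped entry is (frame, reason)."""
    forwarded, dropped = [], []
    recent = defaultdict(list)  # can_id -> timestamps seen in the last second
    for line in lines:
        f = parse_candump_line(line)
        if f.can_id not in allowed:
            dropped.append((f, "id not permitted from OBD segment"))
            continue
        window = [t for t in recent[f.can_id] if f.ts - t < 1.0]
        if len(window) >= max_per_second:
            dropped.append((f, "rate limit exceeded"))
        else:
            window.append(f.ts)
            forwarded.append(f)
        recent[f.can_id] = window
    return forwarded, dropped

# Constructed sample capture: one real OBD request (mode 01, PID 05), then the
# article's 0x244 "door unlock" frame replayed twice at the diagnostic port.
SAMPLE_CAPTURE = [
    "(1700000000.000000) can0 7DF#0201050000000000",
    "(1700000000.010000) can0 244#000000FF00",
    "(1700000000.020000) can0 244#000000FF00",
]
```

Running `filter_obd_frames(SAMPLE_CAPTURE)` forwards only the 0x7DF request and reports both 0x244 frames as dropped with the reason attached.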