Threats and Attack Vectors on CAN and CAN FD Networks
This page surveys the threats facing CAN and CAN FD systems. Threats are grouped by attack surface and accompanied by CVSS v4.0 baseline scores derived in EmSA-WP-103. Each category links to a deeper page with detailed analysis and the corresponding mitigations.
Categories of CAN Bus Threats
Threats to CAN and CAN FD systems fall into three broad categories: Protocol Weaknesses (inherent to the bus), Physical Access, and Remote Attack via gateways and diagnostic ports.
Real-world attacks usually combine several of these, for example remote entry through a maintenance gateway followed by frame injection or replays enabled by the protocol's lack of authentication.
Threat Categories and CVSS Baseline
The following table summarizes each threat category against an unprotected classical CAN node. Default CVSS v4.0 baseline for an unprotected CAN node: 5.2 / Medium with vector CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N (source: EmSA-WP-103).
| Threat | Attack Vector | CVSS baseline | Detail |
|---|---|---|---|
| Gateway / service-interface compromise | Network or Adjacent | Higher than baseline | Remote Attack → |
| Replay attacks | Physical or Network | 5.2 / Medium | Protocol Weaknesses → |
| Frame injection / spoofing | Physical or Network | 5.2 / Medium | Protocol Weaknesses → |
| Physical bus tapping / sniffing | Physical | Low (no integrity impact) | Physical Access → |
| Bus flooding / DoS* | Physical | 5.2 / Medium | Physical Access → |
* Bus flooding / DoS may often be classified as sabotage rather than a cybersecurity attack: like cutting wires, it disrupts global communication without targeting a specific device or function.
How Threats Relate to IEC 62443 Security Levels
IEC 62443 frames threats by attacker capability: SL1 (incidental misuse), SL2 (intentional, low resources), SL3 (intentional, moderate resources with technology-specific skills) and SL4 (intentional, extended resources with technology-specific skills).
Most CAN attack scenarios in practice map to SL2 or SL3. The defensive response is layered, since no single control covers all of these threats. Note that even an attacker with low resources might have access to commercially available "diagnostic devices" that support pre-loaded attack scenarios (like opening a vehicle's doors or starting an engine).
Frequently Asked Questions
Can CAN be attacked remotely?
Not directly. CAN itself is a physical-medium bus. However, almost every modern CAN network is reachable indirectly via a gateway, remote-service interface, diagnostic port or wireless maintenance link. Once that boundary is crossed, the attacker has the same capabilities as a physically attached node. See Remote attack.
What is frame injection on a CAN bus?
Frame injection is the transmission of CAN frames with arbitrary CAN IDs by a node that should not legitimately use those IDs. Because CAN has no authentication, receiving nodes cannot tell legitimate frames from injected ones. See Protocol weaknesses.
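Because a receiver cannot authenticate a frame, a bus monitor can only look for side effects of injection. The following added example (not from this page or from EmSA-WP-103) checks a candump-style log against an assumed communication matrix and flags IDs outside it and cyclic IDs that arrive much faster than their nominal period. The IDs, periods, tolerance and log lines are constructed for illustration.

```python
import re

# candump -l style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\w+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2})*)")

# Assumption: design-time communication matrix, CAN ID -> nominal cycle time (s).
EXPECTED_PERIOD = {0x100: 0.100, 0x200: 0.050}

# Constructed capture: 0x100 is cyclic at 100 ms; one extra 0x100 frame and
# one frame with an ID outside the matrix have been added.
SAMPLE_LOG = """\
(10.000000) can0 100#0011
(10.100000) can0 100#0011
(10.130000) can0 100#FFFF
(10.200000) can0 100#0011
(10.250000) can0 6A5#0201
(10.300000) can0 100#0011
"""

def parse(log):
    """Yield (timestamp, can_id, payload) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def detect(log, tolerance=0.5):
    """Return alerts as (timestamp, can_id, reason) tuples."""
    alerts, last_seen = [], {}
    for ts, can_id, _payload in parse(log):
        period = EXPECTED_PERIOD.get(can_id)
        if period is None:
            # ID is not part of the known communication matrix.
            alerts.append((ts, can_id, "unknown-id"))
            continue
        prev = last_seen.get(can_id)
        # A frame well inside the nominal cycle suggests an additional sender on this ID.
        if prev is not None and ts - prev < period * tolerance:
            alerts.append((ts, can_id, "too-fast"))
        last_seen[can_id] = ts
    return alerts

if __name__ == "__main__":
    for ts, can_id, reason in detect(SAMPLE_LOG):
        print(f"{ts:.6f} 0x{can_id:03X} {reason}")
```

The monitor reports that the rate of ID 0x100 is off, not which of the frames is forged, and a replayed frame sent in place of a legitimate one at the correct period would pass this check.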
How hard is it to attack a physically enclosed CAN system?
Hard, but not impossible. Service technicians, supply-chain insiders and devices added post-deployment (if wires are exposed, it only takes seconds to attach a sniffer) are common physical-access attack vectors. CVSS v4.0 with AV:P captures this; the score is non-zero precisely because physical access is feasible, not impossible.