Know what a determined attacker can reach, before the attacker does.

Threats and Attack Vectors on CAN and CAN FD Networks

This page surveys the threats facing CAN and CAN FD systems. Threats are grouped by attack surface and accompanied by CVSS v4.0 baseline scores derived in EmSA-WP-103. Each category links to a deeper page with detailed analysis and the corresponding mitigations.

Categories of CAN Bus Threats

Threats to CAN and CAN FD systems fall into three broad categories: Protocol Weaknesses (inherent to the bus), Physical Access, and Remote Attack via gateways and diagnostic ports.
Real-world attacks usually combine several of these, for example remote entry through a maintenance gateway followed by frame injection or replay, both enabled by the protocol's lack of authentication.

Threat Categories and CVSS Baseline

The following table summarizes each threat category against an unprotected classical CAN node. Default CVSS v4.0 baseline for an unprotected CAN node: 5.2 / Medium with vector CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N (source: EmSA-WP-103).

Threat | Attack Vector | CVSS baseline | Detail
Gateway / service-interface compromise | Network or Adjacent | Higher than baseline | Remote Attack →
Replay attacks | Physical or Network | 5.2 / Medium | Protocol Weaknesses →
Frame injection / spoofing | Physical or Network | 5.2 / Medium | Protocol Weaknesses →
Physical bus tapping / sniffing | Physical | Low (no integrity impact) | Physical Access →
Bus flooding / DoS* | Physical | 5.2 / Medium | Physical Access →

* Bus flooding / DoS may often be classified as sabotage rather than a cybersecurity attack: like cutting wires, it disrupts global communication without targeting a specific device or function.

How Threats Relate to IEC 62443 Security Levels

IEC 62443 frames threats by attacker capability:
    SL1 (incidental misuse),
    SL2 (intentional, low resources),
    SL3 (intentional, moderate resources with technology-specific skills) and
    SL4 (intentional, extended resources with technology-specific skills).
Most CAN attack scenarios in practice map to SL2 or SL3. The defensive response is layered, since no single control covers all of these threats. Note that even an attacker with low resources might have access to commercially available "diagnostic devices" that support pre-loaded attack scenarios (like opening a vehicle's doors or starting an engine).

Frequently Asked Questions

Can CAN be attacked remotely?

Not directly. CAN itself is a physical-medium bus. However, almost every modern CAN network is reachable indirectly via a gateway, remote-service interface, diagnostic port or wireless maintenance link. Once that boundary is crossed, the attacker has the same capabilities as a physically attached node. See Remote attack.

What is frame injection on a CAN bus?

Frame injection is the transmission of CAN frames with arbitrary CAN IDs by a node that should not legitimately use those IDs. Because CAN has no authentication, receiving nodes cannot tell legitimate frames from injected ones. See Protocol weaknesses.
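
Since a frame carries no sender identity, a monitor can only look for indirect evidence such as timing. The following is an added example, not code from this page or from EmSA: it scans a capture in the `candump -L` log format and flags frames that arrive much sooner than the period learned for their CAN ID, which is what a second transmitter or a replay on a periodic ID looks like. The sample capture, the ID 0x123 and the thresholds are constructed, and the learning window is assumed to be attack-free.

```python
import re
from statistics import median

# candump -L line: "(timestamp) interface ID#DATA"; classical data frames only.
LINE = re.compile(
    r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})")

def parse(log):
    """Yield (timestamp, can_id, data) per frame; other lines are skipped."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))

def find_extra_frames(log, baseline_gaps=4, ratio=0.5):
    """Flag frames arriving sooner than ratio * the ID's learned period."""
    last_seen, learned, alerts = {}, {}, []
    for ts, can_id, data in parse(log):
        if can_id not in last_seen:
            last_seen[can_id], learned[can_id] = ts, []
            continue
        gap = ts - last_seen[can_id]
        gaps = learned[can_id]
        if len(gaps) < baseline_gaps:
            gaps.append(gap)      # still learning (assumed attack-free window)
        elif gap < ratio * median(gaps):
            # Two sources are using this ID. Nothing in the frame says which
            # one is legitimate, so the alert marks the ID, not a sender.
            alerts.append((ts, can_id, data))
            continue              # keep timing anchored to the periodic stream
        last_seen[can_id] = ts
    return alerts

# Constructed capture: ID 0x123 every 100 ms, plus one extra frame at 0.53 s.
SAMPLE = """\
(0.000000) can0 123#0000000000000010
(0.100000) can0 123#0000000000000011
(0.200000) can0 123#0000000000000012
(0.300000) can0 123#0000000000000013
(0.400000) can0 123#0000000000000014
(0.500000) can0 123#0000000000000015
(0.530000) can0 123#FFFF000000000000
(0.600000) can0 123#0000000000000016
(0.700000) can0 123#0000000000000017
"""

if __name__ == "__main__":
    for ts, can_id, data in find_extra_frames(SAMPLE):
        print(f"{ts:.6f} ID 0x{can_id:03X} unexpected frame {data.hex()}")
```

A timing check of this kind only works for periodic messages; event-driven IDs have no period to learn.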

How hard is it to attack a physically enclosed CAN system?

Hard, but not impossible. Service technicians, supply-chain insiders and devices added post-deployment (if wires are exposed, it only takes seconds to attach a sniffer) are common physical-access attack vectors. CVSS v4.0 with AV:P captures this; the score is non-zero precisely because physical access is feasible, not impossible.