Physical Access as a CAN Attack Vector
Direct physical access to CAN wiring is the most fundamental attack vector against classical CAN networks. Attackers might remove headlights or panels from machines to reach the wiring. This page explains what an attacker can do once attached to the bus, how the CVSS v4.0 attack vector AV:P (Physical) applies, and which mitigations reduce the resulting score.
What Physical Access Enables
CAN communication requires just two wires (CAN low and CAN high; sometimes a third is used for GND). Insulation-displacement clips, sometimes called crocodile or vampire taps, close around the cables, pierce the insulation, and connect to the bus in a few seconds, with no need to cut, strip, or solder. The interface hardware behind those clips is often disguised as something harmless: a slightly oversized USB stick, a small handheld games console, or a connector that disappears into a service-port housing. Once attached, the attacker has full read and write access to the bus.
Bus Tapping and Sniffing
Passive sniffing is the lowest-cost attack: an additional CAN protocol engine on the bus (many can be configured in a listen-only mode) reads every frame without interfering with traffic. Sniffing is undetectable from the bus side. Unless cryptography is introduced, confidentiality of CAN traffic depends entirely on enclosing the bus.
Frame Injection and Replay
Active injection lets the attacker transmit any CAN frame (any ID, any data). Replay attacks re-send previously captured legitimate frames to repeat their effect. This can be used to replay recorded command sequences, like starting a motor, opening doors or hatches, or moving a robot arm.
See Protocol Weaknesses for the protocol-level reasons these attacks succeed.
Denial of Service via Bus Flooding or Physical Disruption
The term denial of service (DoS) originated on the Internet, where it described many compromised endpoints overwhelming a single target. On CAN the dynamic is inverted: because every node sees every frame, a single malicious flooder can overload an entire network. The priority-based arbitration allows an attacker to freely choose a priority level for the attack. The bus is flooded by transmitting frames at higher priority than legitimate traffic or even by forcing error frames. Physical disruption, such as short-circuiting the wiring or driving the bus dominant, is simpler and equally effective.
At the extreme, sustained flooding has the same effect as cutting the wiring: no legitimate frame gets through and the effect is immediately observable. That is considered sabotage, not a cybersecurity attack. For the purposes of this reference, a flood counts as a DoS attack only when it is targeted, for example by suppressing one specific control frame while leaving the rest of the bus running.
Mitigations
Physical enclosures
Lockable cabinets, sealed harnesses, and tamper-evident wiring keep the bus out of reach in normal operation. IEC 62443's zone-and-conduit model treats physical enclosure as a foundational control.
Access control with audit logs
IEC 62443-style identification, authentication, and authorization on service ports, paired with tamper-evident logging of every connection. Logs make insider and supply-chain activity traceable. See Access Limitation.
System monitoring
Bus-load monitoring catches unexpected traffic: sustained high load, bursts of unfamiliar IDs, error-frame storms. Anomaly event monitoring complements this by flagging unexpected message patterns and timing. See Bus Load Monitoring and Anomaly Event Monitoring.
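As an added illustration, not code from the original page, the following Python monitor applies the three checks named above (sustained high load, unfamiliar IDs, error-frame storms) to a constructed, candump-like log. The 500 kbit/s bit rate, the 100 ms window, the thresholds, the allowlist of known IDs and the ERRORFRAME token are assumptions made for the example.

```python
from collections import Counter

BITRATE = 500_000      # bus bit rate in bit/s (assumed for this example)
WINDOW = 0.100         # analysis window in seconds
LOAD_LIMIT = 0.70      # flag a window whose estimated load exceeds 70 %
ERR_LIMIT = 5          # flag a window with more than 5 error frames
KNOWN_IDS = {0x100, 0x200, 0x300}  # IDs seen in normal operation (assumed allowlist)

def frame_bits(dlc):  # approximate wire cost of a classical CAN 2.0A data frame, no bit stuffing
    return 47 + 8 * dlc

def parse(line):
    """Parse '(t) iface ID#DATA' or '(t) iface ERRORFRAME' (constructed, candump-like)."""
    ts, _iface, payload = line.split()
    t = float(ts.strip("()"))
    if payload == "ERRORFRAME":
        return t, None, 0
    can_id, data = payload.split("#")
    return t, int(can_id, 16), len(data) // 2

def monitor(lines):
    """Return (window_index, reason) alerts for high load, error storms and unknown IDs."""
    windows = {}
    for line in lines:
        t, can_id, dlc = parse(line)
        w = windows.setdefault(int(t / WINDOW + 1e-9), {"bits": 0, "err": 0, "unknown": Counter()})
        if can_id is None:
            w["err"] += 1
            continue
        w["bits"] += frame_bits(dlc)
        if can_id not in KNOWN_IDS:
            w["unknown"][can_id] += 1
    alerts = []
    for idx, w in sorted(windows.items()):
        load = w["bits"] / (BITRATE * WINDOW)
        if load > LOAD_LIMIT:
            alerts.append((idx, f"bus load {load:.0%}"))
        if w["err"] > ERR_LIMIT:
            alerts.append((idx, f"{w['err']} error frames"))
        for cid, n in w["unknown"].items():
            alerts.append((idx, f"unknown ID 0x{cid:03X} x{n}"))
    return alerts

# Constructed sample: normal traffic, then a highest-priority flood, then an error-frame storm.
SAMPLE = [f"({0.010 * i:.3f}) can0 {cid:03X}#0102030405060708"
          for i, cid in enumerate([0x100, 0x200, 0x300, 0x100, 0x200])]
SAMPLE += [f"({0.100 + 0.0002 * i:.4f}) can0 000#FFFFFFFFFFFFFFFF" for i in range(400)]
SAMPLE += [f"({0.200 + 0.005 * i:.3f}) can0 ERRORFRAME" for i in range(6)]

if __name__ == "__main__":
    print(*(f"window {i}: {r}" for i, r in monitor(SAMPLE)), sep="\n")
```

The quiet first window raises nothing, the flood window is reported both by load and by its unknown ID, and the error-frame storm is reported separately, which is the distinction the text draws between a targeted DoS and plain bus-level sabotage.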
Cryptographic authentication
Frame authentication with CANcrypt or SPsec makes injected and replayed frames detectable even when the attacker is fully attached to the bus. For application-layer object access (configuration locking, authentication of identification), pair with SOFA. See Frame Security.
CVSS Scoring for Physical Access Attacks
Physical-access attacks on classical CAN are scored with attack vector AV:P. The baseline classical CAN node scores 5.2 / Medium with vector CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N per EmSA-WP-103.
See CVSS for CAN for how the score changes with mitigations.
Frequently Asked Questions
Can a CAN bus be sniffed without disrupting traffic?
Yes. A passive listening node added to the bus reads all traffic without interfering, because CAN controllers receive every frame regardless of CAN ID. There is no native way for the network to detect the addition. Confidentiality depends on enclosure or on encryption (see Frame Security).
Why is the CVSS attack vector for CAN typically Physical?
Unless one is deliberately provided, CAN has no remotely accessible network interface; the attacker must physically tap onto the bus. CVSS v4.0 captures this with AV:P, which still produces a non-zero score because physical access is feasible in many real environments (service technicians, supply-chain insiders, devices added post-deployment).