Automotive / ICS / SCADA Security
CAN bus fuzzing, UDS diagnostic testing, ECU security analysis, and ICS/SCADA protocol auditing for Modbus, DNP3, and EtherNet/IP.
Prerequisites
- Test vehicle on a static bench (engine off or ignition only: never in motion)
- CAN interface adapter: SocketCAN, Peak PCAN, Vector CANalyzer, or Kvaser
- OBD-II cable connected to vehicle diagnostic port
- Written authorization from vehicle OEM or fleet operator
- For ICS: isolated test PLC/RTU: never production systems
- Safety coordinator present during all active testing
1. Select Automotive / ICS from Home Screen
Click Automotive / ICS. Select assessment type: Automotive (CAN/UDS), ICS/SCADA, or both.
2. Configure CAN Interface
Interface Type : SocketCAN (Linux) / Peak PCAN / Vector / Kvaser
Device         : can0, can1 (SocketCAN) or USB adapter
Baud Rate      : 500kbps (standard) / 250kbps (low-speed) / 1Mbps (CAN FD)
DBC File       : Upload .dbc file if available (for signal decoding)
3. Claude Runs Automotive Security Assessment
Phase 1: CAN traffic capture - cantools, python-can passive monitoring
Phase 2: Signal decoding - decode known signals via DBC file
Phase 3: ECU enumeration - UDS (ISO 14229) ECU scan via OBD-II
Phase 4: UDS service test - test diagnostic services (0x11, 0x27, 0x31)
Phase 5: Security access - seed/key bypass attempts (0x27 service)
Phase 6: Fuzzing - CAN frame fuzzing on safe non-safety IDs
Phase 7: Telematics - cellular/WiFi/BT attack surface analysis
Phase 8: Report - findings with UNECE WP.29 mapping
4. ICS / SCADA Assessment (if selected)
Phase 1: Device discovery - PhantomYerra Network Discovery Engine ICS scripts on OT network
Phase 2: Protocol audit - Modbus, DNP3, EtherNet/IP, S7, BACnet
Phase 3: Auth testing - default credentials on HMI/SCADA servers
Phase 4: Firmware check - PLC firmware version → CVE matching
Phase 5: Network seg. - IT/OT boundary verification
Phase 6: Report - IEC 62443 compliance mapping
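A defender-side view of automotive Phases 4 and 5, as an added example (not PhantomYerra's own code): it reads candump-format log lines, decodes ISO-TP single frames on the standard 11-bit OBD-II diagnostic IDs, and counts SecurityAccess (0x27) requests that an ECU rejected with invalidKey. The log lines, function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# UDS (ISO 14229) services listed in Phase 4 of the automotive assessment.
SERVICES = {0x11: "ECUReset", 0x27: "SecurityAccess", 0x31: "RoutineControl"}
INVALID_KEY = 0x35  # UDS negative response code: invalidKey
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3})#([0-9A-Fa-f]*)")

def decode(line):
    """Decode one candump log line into a UDS event dict, or None if not applicable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    can_id, data = int(m.group(3), 16), bytes.fromhex(m.group(4))
    # Only 11-bit OBD-II diagnostic IDs: 0x7DF functional, 0x7E0-0x7EF physical.
    if can_id != 0x7DF and not 0x7E0 <= can_id <= 0x7EF:
        return None
    # Only ISO-TP single frames (first byte = payload length 1..7); others are skipped.
    if not data or not 1 <= data[0] <= min(7, len(data) - 1):
        return None
    payload = data[1:1 + data[0]]
    event = {"time": float(m.group(1)), "id": can_id}
    if payload[0] == 0x7F and len(payload) >= 3:   # negative response: 7F, SID, NRC
        event.update(kind="negative", sid=payload[1], nrc=payload[2])
    elif payload[0] - 0x40 in SERVICES:            # positive response = SID + 0x40
        event.update(kind="positive", sid=payload[0] - 0x40)
    elif payload[0] in SERVICES:
        event.update(kind="request", sid=payload[0])
    else:
        return None
    event["service"] = SERVICES.get(event["sid"], hex(event["sid"]))
    return event

def failed_key_attempts(lines, threshold=3):
    """Return {response CAN ID: count} for ECUs that rejected >= threshold keys."""
    events = filter(None, map(decode, lines))
    hits = Counter(e["id"] for e in events if e["kind"] == "negative"
                   and e["sid"] == 0x27 and e["nrc"] == INVALID_KEY)
    return {can_id: n for can_id, n in hits.items() if n >= threshold}

# Constructed sample capture (not from a real vehicle); seed exchanges omitted.
SAMPLE = """\
(1700000000.200000) can0 7E0#0427021122000000
(1700000000.210000) can0 7E8#037F273500000000
(1700000001.200000) can0 7E0#0427023344000000
(1700000001.210000) can0 7E8#037F273500000000
(1700000002.200000) can0 7E0#0427025566000000
(1700000002.210000) can0 7E8#037F273500000000
"""
```

Calling `failed_key_attempts(SAMPLE.splitlines())` reports the responding ECU at 0x7E8 with three rejected keys.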
Common Issues
Run lsusb to confirm the CAN adapter is detected. Load the vendor driver module: for Peak PCAN use sudo modprobe peak_usb, for Kvaser use sudo modprobe kvaser_usb. On Windows, use a WSL2 USB passthrough: usbipd attach --wsl --busid [busid].
The vehicle may require the ignition to be in the "ON" position (not engine running). Check the baud rate - some vehicles use 250kbps on body CAN and 500kbps on powertrain CAN. Verify your CAN adapter is connected to the correct bus (OBD-II pin 6 = CAN High, pin 14 = CAN Low for HS-CAN).
Confirm you're on the OT network segment - Modbus devices are typically on isolated networks. Check if the PLC uses a non-standard port. Some PLCs use Modbus RTU over serial (not TCP): use a serial-to-TCP converter or direct serial connection. Verify the PLC is powered and in run/remote mode.
264 modules · 30+ surfaces · 14 vuln families · 120+ classes
The sections above describe what this surface tests. For the complete enumeration of every vulnerability class PhantomYerra covers across all surfaces, with scanner module names, see the Coverage Matrix.