
In 2017 researchers from the University of Malta — Robert Buttigieg, Mario Farrugia, and Clyde Meli — analyzed the security level and resilience of the CAN protocol using a BMW E90 instrument cluster as a testbed.
The research demonstrated a practical attack using a malicious device built from low-cost, commercially available components, emphasizing the high risk posed by cheap hardware exploits.
The Experiment Setup
- Test Model: a BMW E90 instrument cluster was used as the primary target.
- Simulation Environment: the remainder of the vehicle’s network was simulated using a specialized tool. Both the simulator and the malicious device resided on a single Arduino Mega 2560 microcontroller.
- Attack Vector: a prototype external device was physically connected to the CAN bus. The system utilized a remote connection architecture, where a wireless module provided a communication channel for an operator to send commands to the physically connected malicious device.
Attack Scenarios & Findings
The external device acted as a man-in-the-middle (MITM) that intercepted and modified CAN frames, demonstrating two attack scenarios:
- Data Spoofing (False Order): the MITM device modified the data field of incoming CAN frames. The instrument cluster accepted the fabricated values (e.g., speed, engine RPM) and displayed them to the driver, completing a visual spoofing attack.
- Denial of Service (Timeout): in a second scenario, the device blocked or dropped expected critical messages (e.g., from the ABS or airbag modules). The receiving systems hit their message timeouts and transitioned into a failure mode, effectively producing a software-level denial of service.
The researchers concluded that the instrument cluster itself had no built-in mechanism for verifying the authenticity of the data it received. The failure stems from the CAN protocol's legacy assumption of trust among nodes on the bus, highlighting a critical weakness in ECU endpoints that prioritize speed over cryptographic verification.