Hacking an Audi: performing a man-in-the-middle attack on FlexRay

Introduction

Last weekend comma.ai held a 48 hours hackathon at their San Diego office. We’ve seen some really cool projects, and hopefully the results will be upstreamed to openpilot soon. This medium post is about a project by three comma employees. The goal was to inject steering commands onto the FlexRay bus of an Audi as a proof of concept for adding openpilot support for a FlexRay vehicle.

Cars currently supported by openpilot communicate using a CAN bus . A panda is used to isolate the Lane Keeping Assist System (LKAS) camera, and proxies all the messages between the LKAS and the rest of the car. If we want to inject steering commands we can block specific messages coming from the LKAS and send our own.

FlexRay is a different communications protocol developed by a group of companies including Daimler, BMW, Motorola and Philips. It’s supposed to be faster and more reliable than CAN. It’s mostly used on more recent cars from European brands like Audi, BMW and Mercedes.

Compared to CAN, the FlexRay protocol is a lot stricter on timing. For example, the messages from all ECUs are sent on a fixed schedule: each ECU gets assigned time slots where they can send a message. On the Q8, the FlexRay bus has cycle time of 5 ms, so each ECU can send messages at 200 Hz.