Kuboid

HaKCing OBD-II Emissions Testing

DEFCONConference · 7,180 views · 13:38 · 6 months ago

This talk demonstrates a technique for bypassing vehicle emissions testing by intercepting and spoofing OBD-II diagnostic messages. The researcher utilizes a custom hardware proxy to manipulate CAN bus traffic, allowing the vehicle to report a 'ready' status to diagnostic scanners despite missing hardware components. This research highlights the vulnerability of automotive diagnostic protocols to man-in-the-middle attacks and provides a practical implementation for protocol manipulation. The speaker released a tool, OBD2Proxy, to facilitate this technique.

Bypassing Vehicle Emissions Testing via CAN Bus Injection

TLDR: Modern vehicle emissions testing relies on the OBD-II port to report the status of internal diagnostic monitors, but these systems lack authentication, making them trivial to spoof. By using a custom hardware proxy to intercept and manipulate CAN bus traffic, researchers can force a vehicle to report a "ready" status to diagnostic scanners even when critical emissions hardware is missing. This research provides a practical, low-cost method for protocol manipulation that highlights the inherent insecurity of automotive diagnostic standards.

Automotive security research often focuses on high-profile remote exploits, but the most practical vulnerabilities frequently reside in the unauthenticated protocols we interact with daily. The OBD-II standard, designed decades ago for diagnostic convenience, remains a glaring example of security through obscurity. When a vehicle undergoes an emissions test, the testing station connects a scanner to the OBD-II port to query the status of various readiness monitors. If those monitors report "not ready," the vehicle fails. This process assumes the data coming from the Engine Control Unit (ECU) is trustworthy, a dangerous assumption in an era where cheap microcontrollers can easily sit between the scanner and the vehicle.

The Mechanics of Protocol Manipulation

At the heart of this vulnerability is the lack of authentication on the CAN bus. When a diagnostic scanner sends a request, it broadcasts a message with a specific identifier. The ECU responds with the requested data. Because there is no cryptographic handshake or verification, any device capable of reading and writing to the CAN bus can perform a man-in-the-middle attack.

The research presented at DEF CON 2025 demonstrates how to build a transparent proxy that sits between the OBD-II port and the vehicle's internal network. By using a Saleae Logic Analyzer to capture the traffic, the researcher identified the specific diagnostic messages used during the readiness check. The goal was to intercept the "not ready" status messages and replace them with "ready" status messages before they reached the scanner.

The implementation uses a custom hardware proxy, OBD2Proxy, which utilizes two breakout boards to bridge the connection. One side communicates with the scanner, and the other with the vehicle's ECU. The proxy monitors the CAN bus for specific OBD-II PIDs and, upon detecting a request for monitor status, injects a spoofed response. This technique effectively blinds the testing equipment to the actual state of the vehicle's emissions control systems.

Technical Implementation and Challenges

Building a reliable proxy requires more than just message injection. The CAN bus is a high-speed, differential signaling environment. If you simply tap into the lines, you risk signal degradation that can cause the ECU to drop the connection or throw a "no link" error. The researcher addressed this by implementing a DC filter and AC coupling to maintain signal integrity while allowing the proxy to inject its own traffic.

The following snippet illustrates the basic logic required to handle the diagnostic message flow:

// Simplified logic for intercepting and spoofing monitor status.
// A functional OBD-II request arrives on CAN ID 0x7DF as an ISO-TP single
// frame: data[0] = length byte, data[1] = service, data[2] = PID (SAE J1979 layout).
// can_frame_t, send_spoofed_response() and forward_to_ecu() are the proxy's own
// types and helpers and are assumed here.
static void handle_frame(const can_frame_t *received_packet) {
    if (received_packet->id == 0x7DF) {
        if (received_packet->data[1] == 0x01) {      // Service 01: Show current data
            if (received_packet->data[2] == 0x01) {  // PID 01: Monitor status since DTCs cleared
                send_spoofed_response();              // answer the scanner ourselves
                return;                               // and keep the request from the ECU
            }
        }
    }
    forward_to_ecu(received_packet);                  // every other frame passes through
}

The primary challenge here is timing. The diagnostic scanner expects a response within a very tight window. If the proxy introduces too much latency, the scanner will time out. Furthermore, the proxy must correctly calculate the CRC value for the spoofed frame, or the receiving device will reject the packet as malformed. The OBD2Proxy repository provides the necessary code to handle these timing and checksum requirements, making the attack reproducible for anyone with basic hardware hacking skills.

Real-World Applicability for Researchers

For a penetration tester or a security researcher, this research is a masterclass in protocol analysis. You will encounter these diagnostic systems on almost every modern vehicle. During a red team engagement or a physical security assessment, the ability to manipulate vehicle telemetry can be a powerful tool. While emissions testing is the primary use case here, the same technique applies to any diagnostic data. If you can spoof a readiness monitor, you can likely spoof other sensor data, such as engine temperature, fuel levels, or even diagnostic trouble codes (DTCs) that might be used to hide unauthorized modifications or malicious activity.

The impact of this vulnerability is significant because it bypasses a regulatory control mechanism using nothing more than a few dollars' worth of hardware. It demonstrates that even with standardized protocols like ISO 15031-5, the absence of built-in security features such as authentication or message integrity checks leaves the entire ecosystem open to manipulation.

Defensive Considerations

Defenders, specifically those working in automotive engineering, must move away from the assumption that the OBD-II port is a trusted interface. The industry needs to implement secure diagnostic protocols that require authentication before allowing access to critical ECU functions. While legacy vehicles will remain vulnerable, future designs should incorporate hardware security modules (HSMs) to sign diagnostic traffic, ensuring that the data received by a scanner is authentic and untampered. Until then, monitoring for anomalous CAN bus traffic—such as unexpected response times or malformed frames—is the only way to detect these types of man-in-the-middle attacks.
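One way to act on that last point, as an added example that is not code from the talk or from the OBD2Proxy tool: a check over a candump-style capture that pairs each functional request on 0x7DF with the ECU's answer and flags a PID whose turnaround time stands apart from the ECU's other PIDs (the fingerprint of a proxy answering one PID itself while forwarding the rest), together with frames whose ISO-TP length byte is impossible for a single CAN frame. The capture lines, the 0x7E8 response ID and the 3x latency ratio are assumptions for the example.

```python
"""Spot a selective OBD-II proxy in a candump-style capture (added example,
not the talk's or OBD2Proxy's code). Flags a PID answered far slower than
the ECU's other PIDs and response frames with an invalid ISO-TP length byte."""
import re
from statistics import median

# Constructed capture, "(timestamp) iface id#hexdata". PID 01 (monitor status)
# answers in ~18 ms while the other PIDs take ~3 ms; the last frame carries an
# impossible single-frame length byte (0x09 on an 8-byte frame).
CAPTURE = """\
(1.000000) can0 7DF#0201010000000000
(1.018100) can0 7E8#0641010007E50000
(1.100000) can0 7DF#02010C0000000000
(1.103050) can0 7E8#04410C1AF0000000
(1.200000) can0 7DF#0201050000000000
(1.202900) can0 7E8#0341057B00000000
(1.300000) can0 7DF#0201010000000000
(1.317800) can0 7E8#0641010007E50000
(1.400000) can0 7DF#02010D0000000000
(1.402950) can0 7E8#09410D3C00000000
"""
LINE = re.compile(r"\((\d+\.\d+)\) \S+ ([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def parse(capture):
    """Yield (timestamp, can_id, data bytes) for each candump line."""
    for m in LINE.finditer(capture):
        yield float(m[1]), int(m[2], 16), bytes.fromhex(m[3])

def analyze(capture, ratio=3.0):
    """Return per-PID median latency, PIDs answered suspiciously slowly
    (more than `ratio` times the ECU's typical turnaround) and the
    timestamps of malformed response frames."""
    latencies, malformed, pending = {}, [], None
    for ts, can_id, data in parse(capture):
        if can_id == 0x7DF and len(data) >= 3 and data[1] == 0x01:
            pending = (data[2], ts)                  # service 01 request: remember the PID
        elif can_id == 0x7E8 and data:               # assumed ECU response ID
            if data[0] > 7:                          # single-frame PCI length cannot exceed 7
                malformed.append(ts)
            if pending and len(data) >= 3 and data[1] == 0x41 and data[2] == pending[0]:
                latencies.setdefault(pending[0], []).append(ts - pending[1])
                pending = None
    medians = {pid: median(v) for pid, v in latencies.items()}
    baseline = median(medians.values())              # typical ECU turnaround across PIDs
    slow = sorted(pid for pid, m in medians.items() if m > ratio * baseline)
    return {"medians": medians, "slow_pids": slow, "malformed": malformed}
```

On the constructed capture only PID 0x01 is flagged, which is exactly the selective behaviour of a proxy that spoofs the readiness monitor and forwards everything else.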

If you are interested in automotive security, stop looking for remote code execution and start looking at the protocols that govern the vehicle's internal communication. The most interesting bugs are often the ones that have been hiding in plain sight for years, waiting for someone to put a logic analyzer on the bus and ask the right questions.

Talk type: research presentation
Difficulty: advanced
Has demo · Has code · Tool released


DEF CON 33 Main Stage Talks

98 talks · 2025