It’s easy for anyone to see that autonomous driving is bringing change to the automotive industry. Autonomous technology impacts drivers and passengers, which makes it an area ripe for debate. The topic certainly has a sex appeal that makes it naturally attractive. However, there’s a much less visible change coming that will have a far greater impact on how cars are built: the inevitable replacement of the ubiquitous CAN bus (see sidebar).
The CAN bus has remained a staple of the automobile since the early nineties when it was introduced. Present in nearly every mass-produced vehicle today, it remains the nervous system of today’s heavily computerized car, connecting modules as diverse as the airbags, antilock brakes, cruise control, engine control unit, power steering, power windows and locks, and transmission. It’s not an exaggeration to say that without CAN the car wouldn’t run.
And herein lies the problem. Not only are all those safety-critical systems on the CAN bus, but so are the car’s infotainment and telematics modules. Those modules can hook to the Internet and to consumer devices through USB, Bluetooth and now, even Wi-Fi. And those new networks can send lots of new messages, not all of which are benign. Compounding this is a growing number of companies providing OBD-II aftermarket dongles—fuel economy, real-time insurance, downloadable apps, or more—all sniffing and slipping data onto the CAN network. The once isolated vehicle communication network that was designed with fixed constraints has been opened to the outside world.
CAN (or Controller Area Network) is a standardized vehicle network – also referred to as a vehicle bus – that allows modules within the car to communicate. This technology is one of the replacements for directly wiring individual components together, which is impractical in modern vehicles due to the large number of components. Many cars contain more than one independent CAN network: one to connect all body modules together (doors, windows, locks, air conditioning, parking sensors, etc.), and one for powertrain modules (engine, transmission, power steering). Some modules are connected to both networks (ignition, telematics, radio, navigation, infotainment). CAN uses very concise messages, just a couple of bytes long, to identify the broadcasting module and associated data if needed (on/off, temperature, speed, angle, etc.), with a similar economy of wiring (only one or two wires) to connect modules together. Due to its pervasive nature, most automotive microcontrollers have built-in support for CAN networking.
CAN was designed in a time when data speeds were low and every bit was at a premium. Getting the entirety of the car’s messages sent with low latency, high reliability and low cost was an engineering challenge that CAN was made to solve. This was before the threat of exploits was ever-present (witness the difficulties Sony is experiencing due to hacks surrounding the movie The Interview). CAN was designed without a concept of trust. There is no authentication, access rights, or encryption, and anyone with access to the bus can send a message to unlock the doors, turn the wheel, or shut off the engine.
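To make the missing trust layer concrete, the following added example (not from the original article) models a classic CAN frame as software sees it, then shows a receiver-side check that only accepts frames carrying a truncated HMAC and a freshness counter. The key, the ID 0x2F0, the 4-byte tag and the 1-byte counter layout are all assumptions chosen for illustration; note that authentication leaves only 3 of the 8 data bytes for the actual payload.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: pre-shared key, constructed value
MAC_LEN = 4                    # assumption: truncated HMAC bytes carried per frame
CTR_LEN = 1                    # assumption: low byte of a freshness counter
MAX_PAYLOAD = 8 - MAC_LEN - CTR_LEN  # what is left of the 8 data bytes


def pack_plain(can_id: int, data: bytes) -> bytes:
    """Software view of a classic CAN data frame: 11-bit ID, length, data.
    Nothing in it identifies or authenticates the sender."""
    if not 0 <= can_id <= 0x7FF or len(data) > 8:
        raise ValueError("not a classic CAN frame")
    return struct.pack(">HB", can_id, len(data)) + data


def _tag(can_id: int, counter: int, payload: bytes) -> bytes:
    msg = struct.pack(">HQ", can_id, counter) + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def pack_authenticated(can_id: int, payload: bytes, counter: int) -> bytes:
    """Sender side: payload | counter low byte | truncated MAC."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit next to counter and MAC")
    data = payload + bytes([counter & 0xFF]) + _tag(can_id, counter, payload)
    return pack_plain(can_id, data)


def verify(frame: bytes, last_counter: int):
    """Receiver side: return (payload, counter) if authentic and fresh, else None."""
    can_id, dlc = struct.unpack(">HB", frame[:3])
    data = frame[3:3 + dlc]
    if dlc < MAC_LEN + CTR_LEN:
        return None  # plain frame: no room for counter and MAC
    payload = data[:-(MAC_LEN + CTR_LEN)]
    ctr_lo = data[-(MAC_LEN + CTR_LEN)]
    tag = data[-MAC_LEN:]
    # Rebuild the full counter as the next value above last_counter
    # with this low byte, so a replayed frame no longer matches its MAC.
    counter = (last_counter & ~0xFF) | ctr_lo
    if counter <= last_counter:
        counter += 0x100
    if not hmac.compare_digest(tag, _tag(can_id, counter, payload)):
        return None
    return payload, counter
```
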
CAN cannot survive in today’s open and exposed environment without a drastic overhaul or complete replacement. With cybersecurity researchers pointing out vehicle network design flaws in public forums, this change needs to come before hackers take advantage of those weaknesses. When CAN was introduced it became a de facto standard allowing automakers and suppliers to coordinate far more easily. It filled a massive need in the auto industry, and every OEM and Tier one supplier worldwide uses it, which magnifies the scope of its replacement. CAN is not the only network—LIN, MOST and FlexRay are also present in the car—but other networks have their own areas of specialty and none is a replacement for the generic workhorse. Getting every automaker and supplier to swap out CAN will not be a simple task.
The most discussed replacement for CAN is Ethernet AVB (EAVB). It was originally designed for transferring real-time digital video and audio fully synchronized even in live performance settings—the AVB stands for Audio Video Bridging. As EAVB was designed for real-time applications with guaranteed low message latency, it is perfect to handle critical messages in the vehicle. It requires relatively minor extensions to the chips and cables used in the ever-present Ethernet, so the cost is comparatively low. But best of all, it also can leverage Ethernet authentication or encryption protocols, allowing trustworthiness to become part of the vehicle network.
The more cars become connected to the outside world, the more pressing the need to protect them. To reduce or remove the risk of significant hacks causing calamity and eroding public confidence, the replacement of CAN needs to happen industry-wide and as soon as possible. With vehicles becoming more tightly integrated with the Internet through both connected and autonomous cars, Ethernet AVB seems to be a logical replacement.
Contribution by Andy Gryc
Andy is an independent automotive technology evangelist. His reputation in the industry is rooted in hands-on experience in the automotive and embedded trenches – software architecture and engineering, technical sales, and product marketing – for well over two decades at companies like QNX, OnStar, and HP. Andy is the cofounder of a technology-focused consulting business, CX3 Marketing, and the Conference Director for the LA Auto Show’s Connected Car Expo.