As electric vehicles (EVs) evolve into connected, software-defined machines, automotive cybersecurity has become one of the most critical domains in modern technology. Today’s cars are essentially high-performance computers on wheels, connected to mobile apps, cloud systems, and public charging networks — all of which present potential attack surfaces.

Automotive penetration testing helps identify and mitigate vulnerabilities across these digital systems. To perform this effectively, researchers and ethical hackers rely on specialized EV security tools designed to analyze, test, and exploit communication protocols such as CAN, UDS, and ISO 15118.

In this article, we’ll explore 10 powerful open-source tools every penetration tester should know when assessing vulnerabilities in electric and connected vehicles.

Introduction

Modern vehicles rely heavily on in-vehicle networking, especially the Controller Area Network (CAN) protocol, to communicate between ECUs (Electronic Control Units). However, CAN was designed without built-in security (no encryption, no authentication), which means that with physical or logical access, an attacker or researcher can sniff, inject, replay, or fuzz automobile traffic.

To work effectively in automotive security, a toolkit of software for CAN communication, decoding, diagnostics, fuzzing, and visualization is essential. In this blog, we’ll examine ten popular open-source tools / libraries, compare their strengths, and discuss how to use them for automotive penetration testing.

Here’s what the blog structure will look like:

1. Tool-by-tool descriptions (with GitHub links, features)

2. Use Cases (how you’d use them together)

3. Why These Tools Matter in automotive pen testing

4. Best Practices

5. Conclusion

Tool Descriptions

Below is a description of each tool, with its GitHub (or project) link, primary features, and use cases. (You can embed screenshots from their repos or UI captures.)

1. can-utils

GitHub / Project Link: https://github.com/linux-can/can-utils

Overview / Purpose:
can-utils is a suite of command line utilities for interacting with CAN interfaces under Linux (especially SocketCAN). It provides simple tools to send, receive, replay, sniff, generate traffic, etc.

Key Tools / Features:

• candump — listen & log CAN frames

• cansend — send a single CAN frame

• cangen — generate (random) CAN traffic

• canplayer — replay CAN traffic from logs

• cansniffer — show differences between successive frames

• cansequence — send sequences of frames

• Tools for ISO-TP / segmented frames (e.g. isotpsend, isotprecv) in some versions GitHub

• Support for J1939 / ISO-15765 types in more advanced versions GitHub+1

2. python-can

GitHub / Project Link: https://github.com/hardbyte/python-can

Overview / Purpose:

python-can is a Python library that abstracts access to CAN buses (via SocketCAN, Kvaser, PCAN, etc.), making it easier to send, receive, filter, and work with CAN frames in Python scripts / applications.

Key Features / Modules:

1. A uniform API for different backend buses (socketcan, kvaser, pcany, etc.)

2. Frame filtering, asynchronous listeners

3. Logging and playback support

4. Integration with other tools like cantools for decoding

5. Support for timestamping, error frames, and custom message handling

3. cantools

GitHub / Project Link: https://github.com/cantools/cantools

Overview / Purpose:

cantools is a Python package for working with CAN bus “database” (DBC, KCD, ARXML, etc.) files. It lets you load message / signal definitions, encode / decode frames, and use those in scripts or CLI workflows.

Key Features:

• Support for DBC, KCD, SYM, ARXML, CDD formats

• Encode and decode messages / signals given IDs and raw data

• Multiplexed signals, scaling, offsets, units

• cantools monitor command to monitor a CAN bus using a database

• Graphical plotting of time series of selected signals cantools

• Generation of C source code from your DBC for embedding in firmware or C-based tools

4. SavvyCAN

GitHub / Project Link: https://github.com/collin80/SavvyCAN

Overview / Purpose:

SavvyCAN is a cross-platform GUI tool (Qt-based) for capturing, analyzing, and visualizing CAN bus traffic. It is geared toward reverse engineering, debugging, and exploratory work.

Key Features:

• Load, save, and capture CAN frames from hardware interfaces

• Supports multiple backends (SocketCAN, Vector, PeakCAN, TinyCAN, etc.)

• Multi-monitor support, 4K capable display

• Visual timeline graphs, filtering, zooming, and frame inspection

• Can integrate DBCs or signal decoding

• Capable of log replay, editing, export, etc.

5. CANToolz

GitHub / Project Link: https://github.com/CANToolz/CANToolz

Overview / Purpose:

CANToolz is a “black-box CAN network analysis” framework that combines multiple modules (sniffing, sniff-to-web UI, fuzzing, replay, ECU detection, UDS, etc.) using a pipe / module architecture.

Key Features / Modules:

• cantoolz command-line / web UI interface

• Modules like fuzz, firewall (block certain CAN IDs), replay, ping, analyze

• ECU discovery, MITM, module chaining

• UDS scanning, integration with diagnostics

6. Kayak

Project / Background Info:
Kayak is an older open-source CAN / ECU testing / reverse engineering GUI (developed in the Genivi / open automotive projects). It influenced formats such as KCD (Kayak’s database format).

Key Concepts / Features / Role:

• Provides a graphical environment for modeling CAN networks (signals, frames)

• Uses the KCD XML file format

• Good for building and editing CAN network definitions

• Many modern tools support import / export of KCD format

7. canmatrix

GitHub / Project Link: https://github.com/ebroecker/canmatrix

Overview / Purpose:
canmatrix is a Python library that focuses on converting / comparing various CAN network database formats (DBC, KCD, ARXML, DBF, ODX, etc.). It also includes utilities to encode / decode frames (less comprehensive than cantools).

Key Features:

• Read & write many automotive database formats (.dbc, .kcd, .arxml, .dbf, etc.)

• Tools: canconvert (to convert between formats) and cancompare (to diff two networks)

• Python object model: BoardUnits, Frames, Signals, Values

• Export to JSON, Excel, etc

8. python-udsoncan

GitHub / Project Link: https://github.com/pylessard/python-udsoncan

Overview / Purpose:
This is a Python implementation of the UDS (Unified Diagnostic Services, ISO-14229) protocol. UDS is the diagnostic protocol used in vehicles (for e.g. read DTC, session change, security unlock).

Key Features:

• Support for many standard UDS services (e.g. session control, read / write data identifier, security access, ECU reset)

• Integration with ISO-TP (for message segmentation) via connection types

• Ability to send UDS requests, parse responses, handle negative responses, timeouts, exceptions

• Customizable client configuration, request timeout, addressing modes

• Useful for fuzzing or testing diagnostic subsystems

9. python-can-isotp / can-isotp

GitHub / Project Link: https://github.com/pylessard/python-can-isotp

Overview / Purpose:
This library implements ISO-TP (ISO 15765-2) transport protocol in Python, which allows you to send / receive multi-frame messages over CAN (i.e. >8 bytes, segmenting & reassembling). It also includes wrappers to integrate with python-can and the Linux SocketCAN ISO-TP kernel module.

Key Features:

• Pure Python ISO-TP logic (flow control, segmentation, reassembly)

• Wrapper over underlying socketcan’s isotp interface

• Support for normal (11-bit) and extended (29-bit) addressing modes

• Easy integration with python-can for sending/receiving full PDUs

10. OpenV2G

Project / Background Info:
OpenV2G is a project for implementing Vehicle-to-Grid (V2G) / electric vehicle charging communication, particularly around standards like ISO 15118 / DIN 70121. (It’s not strictly a CAN / diagnostic tool, but part of EV / automotive protocol stack.)

While my search didn’t immediately fetch a canonical GitHub link in the context of CAN, you can look up openv2g or related projects. (One reference I found is "OpenV2G" in EV charging stacks.)

Role / Features (in the larger automotive / EV context):

• Implements ISO 15118 / V2G application-layer protocols

• Handles authentication, energy management, message exchange between EV and charging station

• Useful when pen testing or simulating EV charging communications

• May integrate with CAN / charger-side ECU communication

Use Cases / Workflows

Here are a few example workflows showing how these tools can be combined in automotive pentesting, reverse engineering, or diagnostics:

1. Passive Monitoring / Reconnaissance

   • Use can-utils (candump) or python-can to sniff traffic on a CAN bus

   • Load a DBC in cantools to decode known signals

   • Use canmatrix to convert or compare network definitions

   • In GUI mode, use SavvyCAN to visualize traffic in time domain

2. Message Injection / Replay Attacks

   • Capture a log (candump)

   • Use canplayer or python-can script to replay recorded frames

   • Use CANToolz fuzz / replay module to test how ECUs respond

3. Diagnostic / UDS Testing

   • Use python-can-isotp to send segmented payloads

   • Use python-udsoncan to issue UDS commands (change session, read DIDs, security unlock)

   • Use CANToolz modules or custom scripts to scan for accessible services

4. Reverse Engineering Unknown Signals

   • Record frame IDs and payloads

   • Use SavvyCAN / GUI to cluster and highlight message patterns

   • Use cantools / canmatrix to build provisional DBC / KCD definitions

   • Use CANToolz to fuzz or test signal flips / bit toggling

5. EV / V2G Testing

   • Simulate EV charging communication with OpenV2G

   • Combine with low-level CAN / diagnostic tools for on-board charger ECUs

Why These Tools Matter

• Bridging raw and interpreted data: Raw CAN frames are just bytes; tools like cantools, python-udsoncan, and canmatrix let you map those to meaningful signals and protocol semantics.

• Flexible access & scripting: Python libraries make it easier to integrate CAN in your own scripts / frameworks for automated testing.

• Speed & modularity: Command-line tools (can-utils) are low-overhead, useful in embedded / minimal environments.

• Visualization & human analysis: GUI tools like SavvyCAN help humans inspect patterns, anomalies, or anomalies in traffic.

• Comprehensive testing & fuzzing: Frameworks like CANToolz let you chain modules for fuzzing, filtering, replay, and analysis as part of penetration workflows.

• Protocol-level testing: UDS and ISO-TP are core to vehicle diagnostics; having robust libraries for them is essential to go beyond simple frame injection.

• Support for standards / EV stacks: For modern electric / hybrid vehicles, V2G, OCPP, etc., are growing in importance; tools like OpenV2G support those domains.

Best Practices for Automotive Penetration Testing

Here are some best practices / guidelines when using these tools:

• Use a controlled test environment first (bench setup)
  Don’t start on a real vehicle; build a bench with ECUs, CAN bus, logs, etc.

• Start passively
  Always begin with passive sniffing (no injection). Use candump, python-can listener, SavvyCAN to observe baseline traffic.

• Understand timing & rate limits
  Many ECUs expect specific timing responses; flooding or sending too quickly can bus-lock or crash modules.

• Use segmentation / pacing when needed
  If payloads >8 bytes, use ISO-TP layer (python-can-isotp) to ensure correct transport.

• Respect diagnostic session & security mechanisms
  Many modern ECUs require switching to extended diagnostic session, unlocking security, then sending commands. Don’t just inject arbitrarily.

• Incremental fuzzing / bit flipping
  When reverse engineering signals, flip one bit / signal at a time and observe effects (e.g. on a dashboard, CAN bus, ECU reaction).

Conclusion

The landscape of CAN / automotive security tooling is rich and evolving. The set of tools I outlined above gives you deep coverage across:

• low-level frame capture/injection (can-utils, python-can)

• signal-level interpretation (cantools, canmatrix)

• GUI / visual inspection (SavvyCAN)

• integrated testing / fuzzing framework (CANToolz)

• diagnostic / protocol-level commands (python-udsoncan, python-can-isotp)

• domain-specific stacks (OpenV2G for EV / charging)