Your car's internal network has zero authentication. CAN bus — the protocol connecting every ECU in your vehicle — was designed in the 1980s with no security. DialectForge changes that without replacing a single wire.
Interactive CAN Bus Simulation
Watch data flow through a vehicle's network — then see what happens when an attacker strikes.
Standard CAN bus without protection. Static IDs visible on the wire.
0
Packets Sent
0
Attacks Blocked
0
Dialect Cycles
Vehicle CAN Network
ATTACK BLOCKED
Network secured — dialect mismatch detected
Bus Monitor
Select a scenario and press RUN to begin...
The Problem With CAN Bus
Designed in 1986. Zero authentication. Still in every car on the road.
No Authentication
Any device on the bus can send any message. An ECU has no way to verify who sent a frame. Plug into the OBD-II port and you can talk to every system in the vehicle.
Static, Predictable IDs
CAN message IDs are fixed and publicly documented. Brake commands are always the same ID. Attackers know exactly what to send and where.
Plaintext Payloads
Data travels unencrypted. A brake pressure value of 40 is readable in plain hex on the wire. No obfuscation, no encryption, no protection.
Real-World Exploits
Researchers have demonstrated remote brake disabling, engine shutdown, and steering manipulation. Relay attacks enable keyless vehicle theft in seconds.
STEP 1
Seed at Ignition
When the vehicle starts, a priority CAN frame (ID 0x000) broadcasts a 256-bit seed to every ECU on the bus. This happens once, in under 50ms, before any normal traffic flows.
CAN ID 0x000 | Seed: b4d85f8f6ced4355...
STEP 2
Dialect Negotiation
Each ECU's lightweight AI agent (~256KB) uses the seed to generate dialect proposals. After 3 iterations of proposal exchange, all ECUs converge on a shared dialect map. Total time: under 100ms.
"brake" → 0x19 | "status_ok" → 0xA7
STEP 3
ID Hopping
CAN message IDs hop every 50–500ms while preserving arbitration priority. The brake ECU's ID 0x123 becomes 0x29C, then something else next cycle. Unpredictable without the seed.
ID 0x123 ^ seed → 0x29C (hops every cycle)
STEP 4
Encrypted Payloads
Commands are mapped through the dialect and XOR-encrypted with a session key derived from the seed. "brake=40" becomes raw bytes 19 28 9F 4A. Gibberish to anyone without the seed.
"brake=40" → 19 28 9F 4A (gibberish)
What an attacker sees on the bus
ECU → [DialectForge Encode] → CAN Bus → [Decode] → ECU
Standard CAN Frame
ID: 0x123| DLC: 4 | Data: 62 72 61 6B(ASCII: "brak") ▲ Fixed ID • ▲ Readable payload • Same every time • Trivially spoofable
DF Protected CAN Frame
ID: 0x29C| DLC: 4 | Data: 19 28 9F 4A ▲ Hopped ID • ▲ Encrypted payload • Changes every 50–500ms • Gibberish without seed
Attack → Detect → Lockdown → Rekey
Attacker injects spoofed frame via OBD-II port with fixed ID 0x123 and a forged brake command. ID: 0x123 | Data: 62 72 61 6B
ECUs attempt decryption — it fails. The ID doesn't match any hopped value. The payload doesn't decrypt to a valid dialect entry. Anomaly score incremented. anomaly_score: 1.0 (threshold: 0.7)
Quorum lockdown triggered. >70% of ECUs flag the anomaly (or 3σ deviation detected). Network enters protected state. Malicious frame silently dropped.
Priority rekey in 18ms. CAN ID 0x000 broadcasts a fresh seed. All ECUs re-negotiate a completely new dialect. The attacker's knowledge is instantly worthless. New seed → new IDs, new keys, new dialect
Standard CAN Bus vs. DialectForge CAN
Standard CAN Bus
✗ No authentication whatsoever ✗ Static IDs — easy to spoof ✗ Plaintext payloads — readable on the wire ✗ Any device can inject any message ✗ No intrusion detection ✗ Compromise = full vehicle access
DialectForge CAN
✓ Seed-based authentication at ignition ✓ Hopped IDs — unpredictable without seed ✓ Encrypted gibberish payloads ✓ Injection immunity — foreign frames rejected ✓ AI anomaly detection + quorum lockdown ✓ Compromise triggers rekey in 18ms
Injection Immunity
An attacker plugs into the OBD-II port and sends a brake command. Without the session seed, the frame doesn't match the current dialect — the ID is wrong, the payload doesn't decrypt. Every ECU on the bus rejects it instantly. The bus continues operating normally. This isn't filtering. It's structural immunity.
Simulation Verified
A multi-node CAN bus simulation demonstrates the full lifecycle: dialect negotiation from a shared seed, encrypted message transmission, spoofed frame injection, anomaly detection with automatic lockdown, 2FA-verified recovery, and full re-negotiation with a fresh seed. The attack-detect-lockdown-rekey cycle completes in milliseconds.
Technical Specifications
50–500ms
Dialect Cycle Rate
<500µs
Processing Overhead
<5%
Bandwidth Overhead
256-bit
Seed (SHA-256)
~18ms
Rekey Time
~256KB
AI Agent Size
Target Hardware: NXP S32K, Renesas RH850 •
Compliance: ISO 26262 ASIL-B, ISO 11898 •
Power: <1mJ per negotiation on ARM Cortex-M7
Zero authentication. Fixed IDs. Plaintext payloads.
That's the CAN bus in every car on the road today. DialectForge layers AI-negotiated obfuscation directly onto existing hardware — no wire changes, no protocol overhaul. Just a firmware update that makes your vehicle's internal network speak a language only it understands.