Automated vulnerability detection in automotive CAN networks is hindered by the inability of conventional fuzzing to perceive ECU physical-layer responses. Method: This paper proposes a physics-aware automated fuzzing approach that deploys a multimodal sensor hub to capture real-time physical behaviors—such as instrument cluster flickering and motor actuation—and constructs the first oracle function specifically designed for ECU physical responses, enabling precise correlation between message injections and observable system state changes. It further introduces a configurable feedback-driven fuzzer architecture and a standardized testing workflow supporting heterogeneous ECUs and distributed in-vehicle networks. Contribution/Results: Evaluated on commercial instrument clusters and a CAN conformance testing platform, the method achieves 92% automation rate in fuzzing execution and successfully uncovers multiple unintended ECU states. It significantly improves vulnerability detection efficiency, reproducibility, and test coverage depth for automotive embedded systems.

Modern vehicles are governed by a network of Electronic Control Units (ECUs), which are programmed to sense inputs from the driver and the environment, to process these inputs, and to control actuators that, e.g., regulate the engine or even control the steering system. ECUs within a vehicle communicate via automotive bus systems such as the Controller Area Network (CAN), and beyond the vehicles boundaries through upcoming vehicle-to-vehicle and vehicle-to-infrastructure channels. Approaches to manipulate the communication between ECUs for the purpose of security testing and reverse-engineering of vehicular functions have been presented in the past, all of which struggle with automating the detection of system change in response to message injection. In this paper we present our findings with fuzzing CAN networks, in particular while observing individual ECUs with a sensor harness. The harness detects physical responses, which we then use in a oracle functions to inform the fuzzing process. We systematically define fuzzers, fuzzing configurations and oracle functions for testing ECUs. We evaluate our approach based on case studies of commercial instrument clusters and with an experimental framework for CAN authentication. Our results show that the approach is capable of identifying interesting ECU states with a high level of automation. Our approach is applicable in distributed cyber-physical systems beyond automotive computing.