Jeremy Daily, David Nnaji, and Ben Ettlinger (Colorado State University)

Controller Area Network (CAN) implementations inherently trust all valid messages on the network. While this feature makes for easy replacement and repair of electronic control units (ECUs), this trust poses some cybersecurity challenges, like making it easy to spoof messages or alter them with a middleperson attack. With an SAE J1939 based network, the meaning of the network messages are often published, which reduces the amount of work needed to reverse engineer the protocol. Furthermore, J1939 is often used on high-value and high-risk cyber-physical systems, like trucks, buses, generator systems, construction, agriculture, forestry, and marine and military systems. Therefore, improving the cybersecurity posture of SAE J1939 networks is crucial for protecting critical infrastructure.

The approach outlined in this paper for an intrusion detection system (IDS) uses so-called CAN Conditioners at or in each of the vehicle ECUSs that communicate with the Secure Gateway near the vehicle’s diagnostic port. Each of the CAN Conditioners and the Secure Gateway includes an allowlist and blocklist procedure to prevent a variety of unauthorized network attacks. In addition, a cipher-based message authentication code (CMAC) is calculated by each node and transmitted across the network using the J1939 Data Security Message parameter group number (PGN). This CMAC message acts as a heartbeat indicator for the Secure Gateway to verify healthy node behavior and unaltered messaging.

Reference prototype hardware and software are described and results from a test implementation on a Class 6 truck with 6.7L diesel engine and an automated transmission are also described. The provisioning process sets up hardware security modules to be able to exchange secrets over the CAN bus using the elliptic-curve Diffie-Hellman protocol (ECDH). Once secrets are exchanged, ephemeral session keys are shared with the Secure Gateway, which keeps track of the CMACs from each CAN Conditioner. If a CMAC fails to match, the Secure Gateway informs the network using the J1939 Diagnostic Message #1 and a message using the J1939 defined Impostor PG Alert parameter group. Results show the IDS can detect alteration of a message or an impersonated message.

View More Papers

From Library Portability to Para-rehosting: Natively Executing Microcontroller Software...

Wenqiang Li (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; Department of Computer Science, the University of Georgia, USA; School of Cyber Security, University of Chinese Academy of Sciences; Department of Electrical Engineering and Computer Science, the University of Kansas, USA), Le Guan (Department of Computer Science, the University…

Read More

Differentially Private Health Tokens for Estimating COVID-19 Risk

David Butler, Chris Hicks, James Bell, Carsten Maple, and Jon Crowcroft (The Alan Turing Institute)

Read More

Generation of CAN-based Wheel Lockup Attacks on the Dynamics...

Alireza Mohammadi (University of Michigan-Dearborn), Hafiz Malik (University of Michigan-Dearborn) and Masoud Abbaszadeh (GE Global Research)

Read More

Who's Hosting the Block Party? Studying Third-Party Blockage of...

Marius Steffens (CISPA Helmholtz Center for Information Security), Marius Musch (TU Braunschweig), Martin Johns (TU Braunschweig), Ben Stock (CISPA Helmholtz Center for Information Security)

Read More