Jeremy Daily, David Nnaji, and Ben Ettlinger (Colorado State University)

Controller Area Network (CAN) implementations inherently trust all valid messages on the network. While this feature makes for easy replacement and repair of electronic control units (ECUs), this trust poses some cybersecurity challenges, like making it easy to spoof messages or alter them with a middleperson attack. With an SAE J1939 based network, the meaning of the network messages are often published, which reduces the amount of work needed to reverse engineer the protocol. Furthermore, J1939 is often used on high-value and high-risk cyber-physical systems, like trucks, buses, generator systems, construction, agriculture, forestry, and marine and military systems. Therefore, improving the cybersecurity posture of SAE J1939 networks is crucial for protecting critical infrastructure.

The approach outlined in this paper for an intrusion detection system (IDS) uses so-called CAN Conditioners at or in each of the vehicle ECUSs that communicate with the Secure Gateway near the vehicle’s diagnostic port. Each of the CAN Conditioners and the Secure Gateway includes an allowlist and blocklist procedure to prevent a variety of unauthorized network attacks. In addition, a cipher-based message authentication code (CMAC) is calculated by each node and transmitted across the network using the J1939 Data Security Message parameter group number (PGN). This CMAC message acts as a heartbeat indicator for the Secure Gateway to verify healthy node behavior and unaltered messaging.

Reference prototype hardware and software are described and results from a test implementation on a Class 6 truck with 6.7L diesel engine and an automated transmission are also described. The provisioning process sets up hardware security modules to be able to exchange secrets over the CAN bus using the elliptic-curve Diffie-Hellman protocol (ECDH). Once secrets are exchanged, ephemeral session keys are shared with the Secure Gateway, which keeps track of the CMACs from each CAN Conditioner. If a CMAC fails to match, the Secure Gateway informs the network using the J1939 Diagnostic Message #1 and a message using the J1939 defined Impostor PG Alert parameter group. Results show the IDS can detect alteration of a message or an impersonated message.

View More Papers

FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping

Xiaoyu Cao (Duke University), Minghong Fang (The Ohio State University), Jia Liu (The Ohio State University), Neil Zhenqiang Gong (Duke University)

Read More

Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement...

Sudheesh Singanamalla*†, Suphanat Chunhapanya*, Jonathan Hoyland*, Marek Vavruša*, Tanya Verma*, Peter Wu*, Marwan Fayed*, Kurtis Heimerl†, Nick Sullivan*, Christopher Wood* (*Cloudflare Inc. †University of Washington)

Read More

Effects of Precise and Imprecise Value-Set Analysis (VSA) Information...

Laura Matzen, Michelle A Leger, Geoffrey Reedy (Sandia National Laboratories)

Read More

User Expectations and Understanding of Encrypted DNS Settings

Alexandra Nisenoff, Nick Feamster, Madeleine A Hoofnagle†, Sydney Zink. (University of Chicago and †Northwestern)

Read More