NDSS

Securing CAN Traffic on J1939 Networks

Jeremy Daily, David Nnaji, and Ben Ettlinger (Colorado State University)

Controller Area Network (CAN) implementations inherently trust all valid messages on the network. While this feature makes for easy replacement and repair of electronic control units (ECUs), this trust poses some cybersecurity challenges, like making it easy to spoof messages or alter them with a middleperson attack. With an SAE J1939 based network, the meaning of the network messages are often published, which reduces the amount of work needed to reverse engineer the protocol. Furthermore, J1939 is often used on high-value and high-risk cyber-physical systems, like trucks, buses, generator systems, construction, agriculture, forestry, and marine and military systems. Therefore, improving the cybersecurity posture of SAE J1939 networks is crucial for protecting critical infrastructure.

The approach outlined in this paper for an intrusion detection system (IDS) uses so-called CAN Conditioners at or in each of the vehicle ECUSs that communicate with the Secure Gateway near the vehicle’s diagnostic port. Each of the CAN Conditioners and the Secure Gateway includes an allowlist and blocklist procedure to prevent a variety of unauthorized network attacks. In addition, a cipher-based message authentication code (CMAC) is calculated by each node and transmitted across the network using the J1939 Data Security Message parameter group number (PGN). This CMAC message acts as a heartbeat indicator for the Secure Gateway to verify healthy node behavior and unaltered messaging.

Reference prototype hardware and software are described and results from a test implementation on a Class 6 truck with 6.7L diesel engine and an automated transmission are also described. The provisioning process sets up hardware security modules to be able to exchange secrets over the CAN bus using the elliptic-curve Diffie-Hellman protocol (ECDH). Once secrets are exchanged, ephemeral session keys are shared with the Secure Gateway, which keeps track of the CMACs from each CAN Conditioner. If a CMAC fails to match, the Secure Gateway informs the network using the J1939 Diagnostic Message #1 and a message using the J1939 defined Impostor PG Alert parameter group. Results show the IDS can detect alteration of a message or an impersonated message.