Securing J1939 Systems through Minimal System Modifications

Lead Research Organisation: University of Oxford
Department Name: Computer Science

Abstract

Since the early 2000s millions of industrial systems have taken their existing Controller Area Network (CAN) Bus infrastructure and added a software standard, J1939, to simplify communication between the different electronic control units (ECUs) controlling the vehicle. The standard was initially designed for ground vehicles, but is now commonplace across agriculture and forestry equipment, military vehicles, marine vessels, power generators, and much more. While this is useful for industrial systems, the underlying infrastructure is still CAN, a serial data bus protocol with no authentication or other effective security mechanisms. For the last decade academia and enthusiasts have continually shown that hacking an automobile is possible with access to the CAN Bus, even going as far as gaining that access remotely. The J1939 standard only simplifies the hacking process by removing the need to reverse engineer the proprietary CAN messages of consumer automobiles. Not only does this simplify hacking single vehicles, it makes attacks agnostic to the installed ECUs, enabling non-targeted attacks across fleets of heterogeneous vehicles.

We propose using the J1939 standard for defensive purposes. Instead of relying purely on header and timing data, we can analyze the data field, making sense of the 8 bytes of data previously left untouched for practicality's sake. We begin this research with two premises: we can only add a single device to the J1939 Bus without modifying any existing ECUs, and we cannot have any false positives. Modifying every installed ECU is expensive and discourages future firmware upgrades, effectively discouraging security. False positives generally risk alert fatigue, causing true positives to go unnoticed. The safety-critical systems typically found running J1939 are too valuable for any level of false positives to be acceptable. To test for false positives we run our IDS against real truck data.

For this research we built a state-based rules framework which compares arbitrary J1939 data fields, adjusted to their real values. In doing so we created over 40,000 rules, 10,000 of which require some level of training to maintain system knowledge across system reboots. With these rules we are able to detect an attacker transmitting fixed-rate messages (e.g., every 100ms) across the bus if a legitimate ECU is already transmitting them. We apply this same timing-based security guarantee to non-fixed-rate messages by ensuring that the conditions for such a message, for example a diagnostic trouble code message, being sent are met. These conditions come from fixed-rate messages, and so provide the same security guarantee. Additionally we ensure the attacker is unable to prevent an existing ECU from speaking short of physically removing it from the CAN Bus, an action that requires far more advanced physical access than traditionally seen in automotive hacking. This work falls within the EPSRC engineering research area, and was done in collaboration with Shift5 Inc. Future work will begin in the areas of incident response using the J1939 standard, using side-channel mechanisms for defensive purposes, and using a heuristics approach on the J1939 data field.
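The following is a minimal illustration of the two ideas the abstract combines, decoding the J1939 data field to real values and checking a fixed-rate message against its known period, written for this page as an added example and not the project's own framework. The 29-bit identifier layout and the EEC1 engine-speed scaling follow the public J1939 standard; the 100 ms period, the tolerance and the sample frames are constructed.

```python
# Added example, not the project's code. Identifier layout and SPN 190 scaling
# are from the public J1939 standard; period/tolerance/frames are constructed.
from dataclasses import dataclass

@dataclass
class Frame:
    t: float        # arrival time in seconds
    can_id: int     # 29-bit extended CAN identifier
    data: bytes     # up to 8 data bytes

def parse_id(can_id):
    """Split a 29-bit J1939 identifier into (priority, PGN, source address)."""
    priority = (can_id >> 26) & 0x7
    pdu_format = (can_id >> 16) & 0xFF
    pdu_specific = (can_id >> 8) & 0xFF
    src = can_id & 0xFF
    # PDU1 (PF < 240): PS carries a destination address and is not part of the PGN
    pgn = (pdu_format << 8) | (pdu_specific if pdu_format >= 240 else 0)
    return priority, pgn, src

def engine_speed_rpm(data):
    """SPN 190 in EEC1 (PGN 61444): bytes 4-5 little-endian, 0.125 rpm/bit."""
    raw = data[3] | (data[4] << 8)
    # 0xFExx / 0xFFxx mean error indicator / not available, not a real speed
    return None if raw >= 0xFE00 else raw * 0.125

class FixedRateRule:
    """Alert when a (PGN, SA) pair arrives faster than its known period
    (a second transmitter on the bus) or stops arriving (a silenced ECU)."""
    def __init__(self, period, tolerance=0.2):
        self.period, self.tol = period, tolerance
        self.last = {}  # (pgn, sa) -> last arrival time, the rule's state

    def on_frame(self, frame):
        _, pgn, sa = parse_id(frame.can_id)
        key, alerts = (pgn, sa), []
        if key in self.last:
            gap = frame.t - self.last[key]
            if gap < self.period * (1 - self.tol):
                alerts.append(("duplicate_transmitter", pgn, sa, round(gap, 3)))
            elif gap > self.period * (1 + self.tol):
                alerts.append(("missing_messages", pgn, sa, round(gap, 3)))
        self.last[key] = frame.t
        return alerts
```

In a real deployment the period and tolerance per (PGN, SA) would be learned from clean traffic, which is the training step the abstract refers to.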

Planned Impact

It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:

* The IT industry; vendors of hardware and software, and within this the IT Security industry;

* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;

* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;

* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;

* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;

* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.

Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.

Publications


Studentship Projects

Project Reference: EP/P00881X/1; Start: 01/10/2016; End: 31/03/2023
Project Reference: 2068422; Relationship: Studentship; Related To: EP/P00881X/1; Start: 01/10/2018; End: 30/09/2022; Student Name: Matthew Rogers