Demonstrating Practical Denial-of-Service Attacks in Embedded Networks of Commercial Vehicles

The Controller Area Network (CAN) protocol has become the primary choice for in-vehicle communications for passenger cars and commercial vehicles. However, it is possible for malicious dversaries to cause major damage by exploiting flaws in the CAN protocol design or implementation. Researchers have shown that an attacker can remotely inject malicious messages into the CAN network in order to disrupt or alter normal vehicle behavior. Some of these attacks can lead to catastrophic consequences for both the vehicle and the driver. Although there are several defense techniques against CAN based attacks, attack surfaces like physically and remotely controllable Electronic Control Units (ECUs) can be used to launch attacks on protocols running on top of the CAN network, such as the SAE 1939 protocol. Commercial vehicles adhere to the SAE J1939 standards that make use of the CAN protocol for physical communication and that are modeled in a manner similar
to that of the ISO/OSI 7 layer protocol stack. We posit that the J1939 standards can be subjected to attacks similar to those that have been launched successfully on the OSI layer protocols. Towards this end, we demonstrate how such attacks can be performed on a test-bed having 3 J1939 speaking ECUs connected via a single high-speed CAN bus. Our main goal is to show that the regular operations performed by the J1939 speaking ECUs can be disrupted by manipulating the packet exchange protocols and specifications made by J1939 data-link layer standards. The list of attacks documented in this paper is not comprehensive but given the homogeneous and ubiquitous usage of J1939 standards in commercial vehicles we believe these attacks, along with newer attacks introduced in the future, can cause widespread damage in the heavy vehicle industry, if not mitigated pro-actively.