Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Expanding the Attack Scenarios of SAE J1939: A Comprehensive Analysis of Established and Novel Vulnerabilities in Transport Protocol

Hwejae Lee, Hyosun Lee, Saehee Jun, Huy Kang Kim

TL;DR

SAE J1939-based commercial vehicle networks suffer security gaps that are not fully addressed by existing CAN-focused research. The authors present 14 attack scenarios—7 from prior work and 7 new vectors—validated on a real-time testbed using Au SAE J1939 Gen II simulators and MCS to demonstrate practical feasibility. Eleven attacks are shown to be executable, including memory-leak, DoS, and session-abort variants, with several able to operate under single-packet injections, underscoring detection challenges. The work motivates development of SAE J1939-specific defense mechanisms, notably network-based IDS, to improve safety-critical vehicle cybersecurity in practice.

Abstract

Following the enactment of the UN Regulation, substantial efforts have been directed toward implementing intrusion detection and prevention systems (IDPSs) and vulnerability analysis in Controller Area Network (CAN). However, Society of Automotive Engineers (SAE) J1939 protocol, despite its extensive application in camping cars and commercial vehicles, has seen limited vulnerability identification, which raises significant safety concerns in the event of security breaches. In this research, we explore and demonstrate attack techniques specific to SAE J1939 communication protocol. We introduce 14 attack scenarios, enhancing the discourse with seven scenarios recognized in the previous research and unveiling seven novel scenarios through our elaborate study. To verify the feasibility of these scenarios, we leverage a sophisticated testbed that facilitates real-time communication and the simulation of attacks. Our testing confirms the successful execution of 11 scenarios, underscoring their imminent threat to commercial vehicle operations. Some attacks will be difficult to detect because they only inject a single message. These results highlight unique vulnerabilities within SAE J1939 protocol, indicating the automotive cybersecurity community needs to address the identified risks.

Expanding the Attack Scenarios of SAE J1939: A Comprehensive Analysis of Established and Novel Vulnerabilities in Transport Protocol

TL;DR

SAE J1939-based commercial vehicle networks suffer security gaps that are not fully addressed by existing CAN-focused research. The authors present 14 attack scenarios—7 from prior work and 7 new vectors—validated on a real-time testbed using Au SAE J1939 Gen II simulators and MCS to demonstrate practical feasibility. Eleven attacks are shown to be executable, including memory-leak, DoS, and session-abort variants, with several able to operate under single-packet injections, underscoring detection challenges. The work motivates development of SAE J1939-specific defense mechanisms, notably network-based IDS, to improve safety-critical vehicle cybersecurity in practice.

Abstract

Following the enactment of the UN Regulation, substantial efforts have been directed toward implementing intrusion detection and prevention systems (IDPSs) and vulnerability analysis in Controller Area Network (CAN). However, Society of Automotive Engineers (SAE) J1939 protocol, despite its extensive application in camping cars and commercial vehicles, has seen limited vulnerability identification, which raises significant safety concerns in the event of security breaches. In this research, we explore and demonstrate attack techniques specific to SAE J1939 communication protocol. We introduce 14 attack scenarios, enhancing the discourse with seven scenarios recognized in the previous research and unveiling seven novel scenarios through our elaborate study. To verify the feasibility of these scenarios, we leverage a sophisticated testbed that facilitates real-time communication and the simulation of attacks. Our testing confirms the successful execution of 11 scenarios, underscoring their imminent threat to commercial vehicle operations. Some attacks will be difficult to detect because they only inject a single message. These results highlight unique vulnerabilities within SAE J1939 protocol, indicating the automotive cybersecurity community needs to address the identified risks.
Paper Structure (51 sections, 8 figures, 5 tables)

This paper contains 51 sections, 8 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Related Work
  4. CAN protocol Attack Scenarios
  5. SAE J1939 Attack Scenarios
  6. Experiment Setup
  7. Experiment
  8. Request Overload Attack
  9. Attack Scenario and Testing
  10. Results
  11. Malicious Acknowledgment Attack
  12. Attack Scenario and Testing
  13. Results
  14. Malicious TP.CM_RTS Attack
  15. Attack Scenario and Testing
  16. ...and 36 more sections

Figures (8)

  • Figure 1: Data unit format of SAE J1939 protocol
  • Figure 2: SAE J1939 message transmission sequences
  • Figure 3: J1939 attack simulation testbed setup. Laptop 1 monitors the CAN bus and Laptop 2 acts as the attacker within the SAE J1939 network, comprising Au SAE J1939 simulators (Generation II) and Au SAE J1939 MCS.
  • Figure 4: Graphic user interface for SAE J1939 network. This screenshot shows the tool's interface used for monitoring.
  • Figure 5: Selected attack scenarios in SAE J1939. They are showcasing 3 of 14 scenarios with notable impact. Comprehensive details on all discovered attack scenarios are shown in the appendix.
  • ...and 3 more figures