Wednesday, July 9, 2025

Security Attacks to the Name Management Protocol in Vehicular Networks

https://www.ndss-symposium.org/wp-content/uploads/vehiclesec2024-4-paper.pdf


The article "Security Attacks to the Name Management Protocol in Vehicular Networks" identifies 19 new vulnerabilities in the Name Management Protocol (NMP) of SAE J1939 networks, which are broadly adopted in Medium and Heavy Duty (MHD) vehicle communications. This protocol is crucial for associating and managing source addresses with the primary functions of controller applications in trucks, a vital part of the transportation system where disruptions can have major social impacts.


The paper details various logical attacks exploiting these vulnerabilities, validated through formal methods and demonstrations on real trucks and bench setups. These attacks can lead to:

* Stealthily denying vehicle start-up.

* Restraining critical vehicular device participation, including "dead beef attacks" that cause reflash failure.

* Stealthy address exhaustion, preventing address-capable controller applications from network engagement.

* Poisoning the controller application's source address-function association table, which can disable features like radar and Anti-Brake System (ABS), and trigger dashboard warnings for retarder braking torque.

* Denial of Service (DoS) on claim messages, prohibiting devices from participating in the network.

* Impersonating a working set master to alter controller application source addresses, leading to "Bot-Net" attacks.

* Executing "birthday attacks" (brute-force collision attacks) to command an invalid or existing name, causing undesired vehicle behavior.


The research highlights that the SAE J1939 protocol was designed without security as a primary consideration, and current authentication defenses are lacking or not widely adopted. The paper also discusses how these vulnerabilities can be exploited via direct access to the CAN bus through public OBD ports or remotely via wireless interfaces.


The authors used Linear Temporal Logic (LTL)-based formal model checking to systematically analyze and validate these attacks, creating formal models of different NMP forms. The findings have been responsibly disclosed to the standardization body, and the models and research artifacts are open-sourced. Mitigation strategies include implementing inter-CA authentication mechanisms, key agreement schemes, and replacing inadequate checksums with more robust authentication codes like MAC, CMAC, or HMAC.
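
The checksum-versus-MAC mitigation above, as an added example (not code from the paper or its artifacts): an 8-bit additive checksum, assumed here as the weak check, cannot tell two different NAMEs apart, while a truncated HMAC-SHA256 tag with a freshness counter can. The message layout, tag length, key and all function and class names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # bytes of truncated HMAC-SHA256 kept per message (assumed size)

def additive_checksum(name: bytes) -> int:
    """Weak integrity check: 8-bit arithmetic sum of the NAME bytes (assumed form)."""
    return sum(name) & 0xFF

def make_tag(key: bytes, sa: int, name: bytes, counter: int) -> bytes:
    """Authenticate source address, freshness counter and 64-bit NAME together."""
    msg = struct.pack(">BI", sa, counter) + name
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

class ClaimVerifier:
    """Receiver-side check for an authenticated NMP message (hypothetical design)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # NAME -> highest counter accepted so far

    def verify(self, sa: int, name: bytes, counter: int, tag: bytes) -> bool:
        if len(name) != 8 or len(tag) != TAG_LEN:
            return False  # malformed, or tag shortened to make guessing easier
        if not (0 <= sa <= 0xFF and 0 <= counter < 2**32):
            return False  # field out of range for the assumed layout
        if counter <= self.last_counter.get(name, -1):
            return False  # replayed or stale message
        if not hmac.compare_digest(make_tag(self.key, sa, name, counter), tag):
            return False  # NAME, address or counter altered, or wrong key
        self.last_counter[name] = counter
        return True

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; real keys come from key agreement
    name = bytes.fromhex("0102030405060708")     # constructed NAME
    altered = bytes.fromhex("0201030405060708")  # two bytes swapped, same sum
    v = ClaimVerifier(key)
    tag = make_tag(key, 0x80, name, 1)
    return {
        "checksum_collides": additive_checksum(name) == additive_checksum(altered),
        "genuine": v.verify(0x80, name, 1, tag),
        "altered_name": v.verify(0x80, altered, 2, tag),
        "replayed": v.verify(0x80, name, 1, tag),
        "short_tag": v.verify(0x80, name, 2, tag[:1]),
    }

if __name__ == "__main__":
    print(demo())
```

A tag of this size does not fit beside the 8-byte NAME in a single classic CAN frame, so a deployment would need a second frame or a multi-packet transport.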
