Security Vulnerabilities in CAN, CANopen, and J1939 Networks: Risks and Mitigation Strategies
The following is an excerpt from https://jcom1939.com/security-concerns-in-can-canopen-and-j1939-networks/.
The Controller Area Network (CAN) protocol, developed in the 1980s for real-time communication among microcontrollers, has become a foundational standard in various industries, including automotive, industrial automation, and medical equipment. Higher-layer protocols such as CANopen and SAE J1939 build upon CAN to define standardized message formats and application-level functions for specific domains. However, despite their widespread adoption, these protocols inherit significant security vulnerabilities from the core CAN architecture, primarily due to its lack of built-in security features.
Inherent Security Vulnerabilities of CAN-Based Systems
The CAN protocol's design emphasizes efficiency and real-time performance but omits critical security mechanisms such as authentication, encryption, and access control. This omission leads to several key vulnerabilities:
- Message Injection and Spoofing: Any device connected to the CAN bus can transmit messages without authentication, allowing malicious actors to inject counterfeit frames. This can result in unauthorized control over vehicle functions or industrial processes. For instance, an attacker could send false commands to unlock vehicle doors or manipulate engine parameters.
- Eavesdropping: Since CAN communications are unencrypted and broadcast to all nodes, any node with access to the bus can intercept and read all transmitted messages. This lack of confidentiality exposes sensitive information, such as vehicle diagnostics or proprietary industrial data, to potential interception.
- Denial-of-Service (DoS) Attacks: The CAN protocol resolves message collisions through a priority-based arbitration mechanism in which the frame with the numerically lowest identifier wins the bus. An attacker can exploit this by sending high-priority messages continuously, monopolizing the bus and preventing legitimate communication. This can disrupt critical operations, leading to safety hazards in automotive or industrial environments.
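To show what the injection and bus-flooding cases above look like from the monitoring side, here is an added example that is not code from the original post: a small rate-based anomaly detector run over a constructed CAN trace. It assumes timestamps in integer microseconds, that arbitration IDs 0x0C9 and 0x1A0 are periodic broadcasts with known periods, and illustrative thresholds; the trace, IDs and data bytes are all constructed.

```python
"""Rate-based anomaly detection over a CAN trace (added example).

Assumptions: timestamps are integer microseconds, the expected periods
and thresholds below are illustrative, and the trace is constructed.
"""
from collections import Counter, deque

# Constructed allowlist: arbitration ID -> expected transmit period (us).
EXPECTED_PERIOD_US = {0x0C9: 100_000, 0x1A0: 50_000}
MIN_INTERVAL_RATIO = 0.5      # inter-arrival below half the period is suspicious
FLOOD_WINDOW_US = 10_000      # sliding window for bus-load counting
FLOOD_THRESHOLD = 8           # more frames than this per window -> flood


def periodic(arb_id, period_us, count, data):
    """Constructed helper: `count` frames of one ID at a fixed period."""
    return [(i * period_us, arb_id, data) for i in range(count)]


# Constructed trace: two legitimate periodic IDs, one injected 0x0C9 frame
# between two genuine ones, one unknown ID, and a 21-frame burst of ID 0x000
# (the highest arbitration priority) that would starve every other node.
SAMPLE_TRACE = (
    periodic(0x0C9, 100_000, 10, bytes(8))
    + periodic(0x1A0, 50_000, 20, bytes.fromhex("1234"))
    + [(420_000, 0x0C9, bytes.fromhex("0100000000000000"))]        # injected
    + [(310_000, 0x7FF, b"\x00")]                                  # unknown ID
    + [(700_000 + i * 1_000, 0x000, bytes(8)) for i in range(21)]  # flood
)


def detect_anomalies(trace):
    """Return a list of (kind, timestamp_us, arb_id) alerts for the trace."""
    alerts = []
    last_seen = {}            # arb_id -> timestamp of its previous frame
    reported_unknown = set()
    window = deque()          # timestamps within the last FLOOD_WINDOW_US
    in_flood = False
    for t, arb_id, _data in sorted(trace, key=lambda f: f[0]):
        if arb_id not in EXPECTED_PERIOD_US:
            # Report each unknown ID once rather than on every frame.
            if arb_id not in reported_unknown:
                reported_unknown.add(arb_id)
                alerts.append(("unknown_id", t, arb_id))
        else:
            prev = last_seen.get(arb_id)
            if prev is not None and t - prev < MIN_INTERVAL_RATIO * EXPECTED_PERIOD_US[arb_id]:
                # A known ID arriving far too early points at injection or replay.
                alerts.append(("timing_anomaly", t, arb_id))
            last_seen[arb_id] = t
        # Bus-load check independent of ID: count frames in a sliding window
        # and raise one alert per flood episode, not one per frame.
        window.append(t)
        while t - window[0] > FLOOD_WINDOW_US:
            window.popleft()
        if len(window) > FLOOD_THRESHOLD and not in_flood:
            alerts.append(("bus_flood", t, arb_id))
            in_flood = True
        elif len(window) <= FLOOD_THRESHOLD:
            in_flood = False
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. for a dashboard or a unit test."""
    return dict(Counter(kind for kind, _t, _id in alerts))


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_TRACE):
        print("%-15s t=%7d us id=0x%03X" % alert)
    print(summarize(detect_anomalies(SAMPLE_TRACE)))
```

On the constructed trace this flags the injected 0x0C9 frame at 420 ms (it arrives 20 ms after a genuine one instead of 100 ms), the two IDs absent from the allowlist, and a single flood episode starting at 706 ms once nine frames land inside one 10 ms window. A production detector would learn the periods and jitter per ID from clean traffic rather than hard-coding them, and would add payload-range checks, since timing alone cannot see an attacker who replaces a genuine node's frames at the correct rate.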
Real-World Exploits Demonstrating CAN Vulnerabilities
The theoretical vulnerabilities of the CAN protocol have been substantiated by real-world exploits:
- 2015 Jeep Cherokee Hack: Security researchers Charlie Miller and Chris Valasek demonstrated a remote attack on a Jeep Cherokee, gaining control over critical functions such as steering, braking, and acceleration. They accessed the vehicle's CAN bus through its telematics unit, highlighting the potential for remote exploitation of CAN vulnerabilities.
- Vehicle Thefts via CAN Injection: Attackers have employed CAN injection techniques to steal vehicles equipped with push-to-start systems. By accessing the CAN bus through exposed wiring, such as headlights or diagnostic ports, they can spoof key fob signals and start the engine without physical keys.
Security Implications for CANopen and SAE J1939
Higher-layer protocols like CANopen and SAE J1939, while adding domain-specific functionalities, do not inherently address the security shortcomings of the underlying CAN protocol:
- CANopen: Widely used in industrial automation and medical devices, CANopen facilitates communication between devices such as sensors and actuators. However, its reliance on the insecure CAN protocol makes CANopen networks susceptible to the same attacks, posing risks of unauthorized control over industrial processes or medical equipment.
- SAE J1939: Utilized in heavy-duty vehicles and diesel engines, SAE J1939 standardizes communication between electronic control units (ECUs). The absence of security measures allows attackers to exploit vulnerabilities for unauthorized access or control, potentially leading to safety-critical situations in commercial vehicles.
Mitigation Strategies and the Path Forward
Addressing the security challenges inherent in CAN-based networks requires a multifaceted approach:
- Implementing Higher-Layer Security Measures: Integrating cryptographic techniques such as message authentication codes (MACs) and digital signatures can enhance message integrity and authenticity. However, these measures must be carefully designed to accommodate the real-time constraints and limited bandwidth of CAN networks; a classic CAN frame carries at most 8 data bytes, so any authentication tag competes with application data for space.
- Network Segmentation and Access Controls: Dividing the CAN network into isolated segments and implementing strict access controls can limit the potential impact of a compromised node. Secure gateways or firewalls can regulate communication between segments, preventing unauthorized access to critical systems.
- Intrusion Detection Systems (IDS): Deploying IDS tailored for CAN networks can help monitor and detect anomalous activities indicative of attacks. These systems can provide early warnings, enabling timely responses to potential security breaches.
- Transition to Secure Protocols: Exploring and adopting newer protocols that incorporate security features by design, such as CAN FD (Flexible Data-rate) with added security layers, can provide long-term solutions to the inherent vulnerabilities of traditional CAN networks. CAN FD's larger data field (up to 64 bytes) leaves room for authentication fields that a classic 8-byte frame cannot spare.
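As an added example of the first mitigation above (not code from the original post or from the jcom1939 project), the following shows how a truncated message authentication code plus a freshness counter can be packed into a classic 8-byte CAN data field, and how the receiver rejects replayed, tampered and transplanted frames. The demo key, the arbitration IDs, the 4/1/3-byte split of payload, counter and tag, and the use of HMAC-SHA256 as the MAC primitive (ECU deployments more commonly use AES-CMAC) are all assumptions made for the example.

```python
"""Truncated MAC plus freshness counter in an 8-byte CAN data field (added example).

Assumptions: a 16-byte symmetric key shared out of band, HMAC-SHA256 as the
MAC primitive (AES-CMAC is the more common choice on ECUs), and a 4/1/3-byte
split of the data field into payload / truncated counter / truncated MAC.
"""
import hashlib
import hmac
import struct

DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, demo only
PAYLOAD_LEN = 4      # application bytes that still fit beside the security fields
COUNTER_LEN = 1      # only the low byte of a 32-bit freshness counter goes on the wire
MAC_LEN = 3          # truncated MAC; PAYLOAD_LEN + COUNTER_LEN + MAC_LEN == 8


def compute_tag(key, arb_id, counter, payload):
    """MAC over (arbitration ID, full counter, payload), truncated to MAC_LEN.

    Binding the arbitration ID stops a valid frame being replayed under
    another ID; the full counter (not just the wire byte) defeats replays.
    """
    msg = struct.pack(">II", arb_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SecureSender:
    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.counter = 0

    def build_frame(self, arb_id, payload):
        """Return (arb_id, 8-byte data field) for a fresh, authenticated frame."""
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
        self.counter += 1
        data = (payload
                + bytes([self.counter & 0xFF])
                + compute_tag(self.key, arb_id, self.counter, payload))
        return arb_id, data


class SecureReceiver:
    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.last_counter = 0   # highest counter accepted so far

    def accept(self, arb_id, data):
        """Return the payload if the frame is fresh and authentic, else None."""
        if len(data) != PAYLOAD_LEN + COUNTER_LEN + MAC_LEN:
            return None
        payload = data[:PAYLOAD_LEN]
        ctr_byte = data[PAYLOAD_LEN]
        tag = data[PAYLOAD_LEN + COUNTER_LEN:]
        # Reconstruct the full counter from its low byte, assuming fewer than
        # 256 frames were lost. A counter that is not strictly newer is rolled
        # forward by 256, so a replayed or reordered frame no longer matches
        # the counter its tag was computed over and the MAC check fails.
        candidate = (self.last_counter & ~0xFF) | ctr_byte
        if candidate <= self.last_counter:
            candidate += 0x100
        expected = compute_tag(self.key, arb_id, candidate, payload)
        if not hmac.compare_digest(tag, expected):
            return None
        self.last_counter = candidate
        return payload


if __name__ == "__main__":
    tx, rx = SecureSender(), SecureReceiver()
    arb_id, frame = tx.build_frame(0x0C9, bytes.fromhex("01020304"))
    print("frame:", frame.hex(), "accepted:", rx.accept(arb_id, frame))
    print("replay accepted:", rx.accept(arb_id, frame))
```

The cost is visible in the constants: half of every frame is given over to the counter and tag, which is the bandwidth trade-off the text warns about. A 24-bit tag is also far weaker than a full MAC, so the freshness counter and a bounded number of verification failures per second are what keep online forgery attempts from becoming practical; the receiver's counter state must additionally survive resets or be resynchronized, which this example does not cover.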
In conclusion, while the CAN protocol and its derivatives, like CANopen and SAE J1939, have been instrumental in facilitating efficient communication across various industries, their lack of inherent security features poses significant risks in today's interconnected landscape. Proactive measures, including the integration of security mechanisms, vigilant monitoring, and a shift towards inherently secure communication protocols, are essential to safeguard these critical networks against evolving cyber threats.