What are the Important Security Aspects of DoIP based In-Vehicle Network and Related Best Practices

What are the Important Security Aspects of DoIP based In-Vehicle Network and Related Best Practices

Let’s consider a scenario where a driver experiences a technical snag while driving in an inclement weather. Let’s say this happens in a remote area where road-side vehicle assistance is not accessible.

Diagnostics over Internet Protocol (DoIP), a vehicle diagnostics software protocol, can come in very handy in such scenarios! DoIP will be able to diagnose the fault in the vehicle remotely. And if the issue stems from an outdated software, the software update patch can be sent over DoIP to rectify the fault.

Intriguing, right? Let us try to understand how this magic is played out by DoIP, under the hood?

• The cloud server, typically managed by an OEM, is interfaced with the vehicle ECU over the internet.
• Via this interface, the cloud server is able to retrieve the Diagnostics Trouble Code (DTC) from the ECU.
• Based on the DTC data, the admin of the cloud backend is able to identify the issue and suggest corrective actions

Quite incredible, right? However, there is one major concern associated with any DoIP solution!

As the communication takes place over the internet, there are fair chances that an ECU system can get hacked.

In this blog, we will analyze the DoIP software stack, from a security stand-point.We will also talk about the possible solutions and ongoing research in this area.

But before delving further into the topic, let’s spend some time in understanding remote vehicle diagnostics.

A Brief Background of Remote Automotive Diagnostics

Vehicle Diagnostics in Automotive Industry refers to examination of the car to resolve the fault (if any) and ensure seamless operations of all the software, hardware and mechanical systems.

Similar to how a pathologist tests the human body, by examining some parameters, to know about its health, automotive engineers and mechanics also examine certain vehicle parameters.

Usually, a manual vehicle diagnosis is performed by plugging in a tester device into an OBD port of the vehicle. This port provides access to the vehicle network, over which the diagnostics messages are sent and received.

However such on-site vehicle diagnostics is not always a feasible option.

To counter this, OEMs started to equip some high-end vehicles with capabilities to be diagnosed over-the-air. What started with brands-specific feature soon became standardization that we now know as DoIP!

This Standardization of technology has brought about cost reduction and ease of operations for all the stakeholders.

DoIP architecture

Analysis of DoIP Software Services from security view-point

In this section, we will analyze some software services and technologies which are critical from the point-of-view of system security. These services facilitate in setting up the communication between entities in DoIP.

1. Dynamic Host Configuration Protocol (DHCP):

What does this software service facilitate? – It provides the IP address and other configuration details to the IP host that wishes to connect to the network.

Why is it sensitive from security point-of-view? – It is possible for hackers to exhaust all the available IP addresses by spoofing messages to the network. Due to this when a genuine host seeks connection, there are no IP addresses available and the service is denied to it. This is very common attack called the starvation attack.

In a different kind of attack, the hacker can present itself as the default gateway and answer to the DHCP requests from legitimate users. This can enable the hacker to send wrong diagnostics information about your vehicle.

2. Internet Protocol (IP):

What does this software service facilitate? – This service is responsible for relaying the data packets to the receiver. The sender and receiver are identified by the IP address. It is essentially the method or the protocol using which the datagrams are sent over the network.

Why is it sensitive from security point-of-view? – Automobile Hackers can take control of the network and fill the IP data fields with undesirable and wrong data. This can lead to serious issues in the functioning of the vehicle diagnostics system.

3. Transmission Control Protocol (TCP):

What does this software service facilitate? – The Internet Protocol delivers the data packets to the host but TCP is responsible for putting the packets in correct order. TCP is a correction-oriented protocol and therefore, it keeps track of the sequence of the packets.

Why is it sensitive from security point-of-view? – Hackers can execute a session hijacking attack with the objective of service denial and stealing of information. It is done by taking over a TCP stream or by inserting a RESET segment. Doing so forces a shutdown and hence, denial of service.

In a different kind of attack, the hacker can present itself as the default gateway and answer to the DHCP requests from legitimate users. This can enable the hacker to send wrong diagnostics information about your vehicle.

Having discussed about the possible vulnerabilities regarding the DoIP stack, we will now focus on the necessary preventive measures.

There are certain very critical best-practices, that as an embedded automotive engineer, one should aim to integrate seamlessly with the software design & development processes.

The security related best-practices ensure that one is able to deliver a robust DoIP Software Solution for an Automotive Project.
Best Practices to ensure security of a DoIP network

In order to secure the DoIP network, there are two important aspects to be taken care of: Communication security and Environment security.

• The communication network over which the DoIP messages transmit can be secured by deploying tunneling technologies. In addition, clarity on how the system should be designed to manage the identity of the host and the nodes is required.
• Securing the environment is achieved when the network endpoints are safeguarded against unauthorized entry. The research work in this area is quite over whelming however, the findings need to be aligned to DoIP requirements.

List of critical best-practices:

• Physical security of servers, routers and switches should be ensured to prevent any unauthorized access.
• User access profiles should be maintained with properly defined rights to restrict any illicit wireless access.
• Audit logging needs to be enabled for the DHCP servers. In case of unusually high number of requests to DHCP, the logs can be monitored to prevent unauthorized access.
• Set of TCP/IP protocols like SSL (Secure Socket Layer), TLS (Transport Layer Security), and IP Security can be put in place to prevent attack through TCP/IP.

DoIP is undoubtedly a protocol poised to change how automotive diagnostics work. Since DoIP runs over the Internet Protocol, one needs to be extra cautious about the safety of the system.

However, with necessary security measures discussed above, these vulnerabilities can be taken care of. The DoIP protocol specification in itself has several security measures in place to keep the vehicle and the underlying network safe.

This entry was posted in Embedded Blog, Blog by Embitel. Bookmark the permalink