Diagnostic Link Connector Security: SAE J3138-2022

The SAE J3138-2022 standard addresses a critical challenge in modern vehicle diagnostics: ensuring safe operation when an external device connected to the diagnostic link connector (DLC) may be compromised. This recommended practice provides a framework for allowing legitimate diagnostic and maintenance functions while blocking potentially harmful intrusive actions. 🛠️

Scope and Rationale of SAE J3138-2022

The standard applies to passenger cars and light-, medium-, and heavy-duty trucks that provide a diagnostic connector conforming to SAE J1962 and J1979. Its primary goal is to improve security without significantly impacting the ability of franchised dealer or independent aftermarket external test tools to perform legitimate diagnosis and maintenance.

⚠️ Note: The 2022 revision adds non-standardized CAN Diagnostics Channels including CAN FD and DoIP Channel(s), reflecting the evolving landscape of vehicle communication protocols.

Core Security Mechanisms: Safe State and Protocol Categorization

A central concept in J3138 is the vehicle safe state. The vehicle must determine a safe condition (e.g., parked, engine off, low speed) before allowing intrusive diagnostic services. Diagnostic services themselves are categorized based on risk:

| Service type  | Examples                        | Availability                             |
|---------------|---------------------------------|------------------------------------------|
| Non-intrusive | Read DTCs, monitor live data    | Always permitted                         |
| Intrusive     | ECU programming, actuator tests | Only when the vehicle is in a safe state |

This categorization ensures that even if an external tool is compromised, the vehicle is not put at risk.

Engineering Design Insight: When designing diagnostic systems, engineers should implement a clear model for determining the vehicle safe state based on parameters such as speed, ignition, and parking brake status. Services should be classified as intrusive or non-intrusive early in the design phase, and only non-intrusive services should be allowed when the vehicle is not in a safe state.

Gateway Architectures and Security Implementation

J3138 provides tailored recommendations for three network architectures: no gateway, partial function gateway, and full gateway or multiple gateways. The security policies must be enforced consistently across all connected networks.

  • No Gateway: Each ECU is responsible for enforcing security locally.
  • Partial Function Gateway: The gateway controls some diagnostic communication but not all.
  • Full Gateway: The gateway can enforce security policies across all networks, providing centralized control.

🔍 Key Consideration: For vehicles with a full gateway, ensure that security policies are applied to all incoming diagnostic requests, including those from CAN FD and DoIP channels, to prevent unauthorized access.
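The following C program is an added illustration of the two design points above (the safe-state model and service classification from the Engineering Design Insight, and the channel-independent policy enforcement from the Key Consideration); it is not code from SAE J3138 or from any OEM. It assumes a safe-state rule of "stationary, park brake applied, engine not running" and maps diagnostic services to ISO 14229 (UDS) service identifiers; both the rule's thresholds and the intrusive/non-intrusive grouping are assumptions chosen for the example, since the standard leaves them to the manufacturer. The sample vehicle states and requests are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Snapshot of the parameters the article names for safe-state determination.
   The field names and units are assumptions for this example. */
typedef struct {
    uint16_t speed_kph;      /* vehicle speed in km/h */
    bool     ignition_on;
    bool     park_brake_set;
    bool     engine_running;
} vehicle_state_t;

/* Channel a request arrived on. The policy must not depend on it. */
typedef enum { CH_CAN, CH_CAN_FD, CH_DOIP } dlc_channel_t;

typedef enum { SVC_NON_INTRUSIVE, SVC_INTRUSIVE } svc_class_t;

/* Constructed sample states (not measured data) used in main() below. */
static const vehicle_state_t SAMPLE_MOVING = { 50, true, false, true  };
static const vehicle_state_t SAMPLE_PARKED = {  0, true, true,  false };

/* Assumed safe-state rule: stationary, park brake applied, engine off.
   Real thresholds (e.g. a low-speed limit) are OEM-defined. */
bool vehicle_is_safe(const vehicle_state_t *v)
{
    return v->speed_kph == 0 && v->park_brake_set && !v->engine_running;
}

/* Classify a request by UDS service id and sub-function. The grouping is an
   assumption for illustration, not a list from J3138. Anything not explicitly
   non-intrusive is treated as intrusive, so the policy fails closed. */
svc_class_t classify_service(uint8_t sid, uint8_t sub)
{
    switch (sid) {
    case 0x19:  /* ReadDTCInformation */
    case 0x22:  /* ReadDataByIdentifier (live data) */
    case 0x3E:  /* TesterPresent */
        return SVC_NON_INTRUSIVE;
    case 0x10:  /* DiagnosticSessionControl: only the default session (0x01)
                   is harmless; bit 7 is the suppress-positive-response flag */
        return ((sub & 0x7F) == 0x01) ? SVC_NON_INTRUSIVE : SVC_INTRUSIVE;
    case 0x14:  /* ClearDiagnosticInformation */
    case 0x27:  /* SecurityAccess (gate to intrusive services) */
    case 0x2E:  /* WriteDataByIdentifier */
    case 0x2F:  /* InputOutputControlByIdentifier (actuator tests) */
    case 0x31:  /* RoutineControl */
    case 0x34:  /* RequestDownload (ECU programming) */
    case 0x36:  /* TransferData */
    case 0x37:  /* RequestTransferExit */
    default:
        return SVC_INTRUSIVE;
    }
}

/* Policy decision. A full gateway calls this for every request it would
   forward; in a no-gateway architecture each ECU calls it on its own receive
   path. The arrival channel is accepted but deliberately not consulted:
   classic CAN, CAN FD and DoIP all get the same answer. */
bool request_permitted(const vehicle_state_t *v, dlc_channel_t ch,
                       uint8_t sid, uint8_t sub)
{
    (void)ch;
    if (classify_service(sid, sub) == SVC_NON_INTRUSIVE)
        return true;
    return vehicle_is_safe(v);   /* intrusive: only in the safe state */
}

static const char *channel_name(dlc_channel_t ch)
{
    return ch == CH_CAN ? "CAN" : ch == CH_CAN_FD ? "CAN FD" : "DoIP";
}

int main(void)
{
    /* Constructed requests covering the article's examples plus edge cases. */
    const struct { dlc_channel_t ch; uint8_t sid, sub; const char *what; } reqs[] = {
        { CH_CAN,    0x19, 0x02, "read DTCs" },
        { CH_CAN_FD, 0x22, 0x00, "read live data" },
        { CH_DOIP,   0x2F, 0x00, "actuator test" },
        { CH_DOIP,   0x34, 0x00, "request download (programming)" },
        { CH_CAN,    0x10, 0x02, "enter programming session" },
        { CH_CAN,    0x85, 0x00, "unlisted service" },
    };
    const size_t n = sizeof reqs / sizeof reqs[0];

    for (size_t i = 0; i < n; i++) {
        bool moving = request_permitted(&SAMPLE_MOVING, reqs[i].ch, reqs[i].sid, reqs[i].sub);
        bool parked = request_permitted(&SAMPLE_PARKED, reqs[i].ch, reqs[i].sid, reqs[i].sub);
        printf("%-32s via %-6s  moving: %-6s  parked: %s\n", reqs[i].what,
               channel_name(reqs[i].ch), moving ? "allow" : "reject",
               parked ? "allow" : "reject");
    }
    return 0;
}
```

Two design choices carry the security weight: unknown service identifiers are classified as intrusive rather than ignored, and the channel argument never relaxes the decision, which is what keeps a DoIP or CAN FD path from becoming a bypass of a policy written with classic CAN in mind.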

Frequently Asked Questions

  1. What is the primary goal of SAE J3138-2022?
    To increase the likelihood of safe vehicle operation when a compromised external device is connected to the diagnostic system, by only allowing intrusive services when the vehicle is in a safe state.
  2. How does the standard define ‘vehicle safe state’?
    It is determined by parameters like vehicle speed, ignition state, park brake status, and other conditions ensuring that intrusive diagnostic actions do not lead to unsafe situations.
  3. What are the key differences in approach for vehicles with no gateway versus full gateway?
    For no gateway, each ECU must implement security individually. For full gateway, the gateway provides centralized control, making policy enforcement more manageable.
  4. How have CAN FD and DoIP been addressed in the 2022 revision?
    The revision added non-standardized CAN Diagnostics Channels including CAN FD and DoIP Channel(s), recognizing their increasing use and requiring appropriate security adaptations.
