Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
SAE J3005-2: Securing Permanently Installed Diagnostic Communication Devices
The widespread use of OBD connectors for diagnostics has led to a new class of devices: permanently or semi-permanently installed diagnostic communication devices, often called dongles. These devices, while enabling valuable services like usage-based insurance, fleet management, and remote diagnostics, also introduce significant cybersecurity and privacy risks if not designed with security in mind. The SAE J3005-2 standard provides crucial guidelines for manufacturers to minimize these risks.
Security Challenges and Recommendations
The OBD connector was originally intended for temporary workshop use, but modern vehicles often have a direct connection to the control bus, making it a potential entry point for attackers. As the standard’s foreword highlights, this “can open up the car to hacking.” To address this, SAE J3005-2 outlines a series of technical recommendations covering in-vehicle security, diagnostic protocol weaknesses, and system design principles. Below is a summary of key recommendations from the standard:
| Area | Recommendation |
|---|---|
| In-Vehicle Security | Implement hardware read-protection for code; assume code is public. |
| Firmware Updates | Use authenticated updates with integrity checks; ensure secure update process. |
| Device Identity | Individualize each device with unique keys and roles to prevent mass compromise. |
| Separation of Duties | Separate security-critical parameters from the rest of the system. |
| Risk Assessment | Use a methodology like TARA (Threat Analysis and Risk Assessment). |
⚠️ Important: Relying on the secrecy of your code is not enough. Assume the attacker knows your code and design your security around robust cryptographic keys and hardware protection.
Engineering Design Principles
The standard emphasizes several design insights that are vital for building secure dongles. One of the core principles is that “security is not about secrecy, but about protecting the keys.” Key design principles include:
- Device Individualization: Each device should have unique cryptographic credentials and identifiers. This prevents a single compromised device from revealing secrets that affect all other devices.
- Separation of Duties: Security-critical parameters (e.g., private keys, device-specific IDs) should be managed by separate secure modules or processes to limit the scope of any breach.
- Secure Firmware Updates: Updates must be verified with strong authentication and integrity checks (e.g., digital signatures) to prevent malicious code from being installed.
- Assume the Code is Public: This principle forces reliance on cryptographic keys rather than obscurity. Coupled with hardware read-protection, it raises the bar significantly for attackers.
🛠️ Engineering Insight: By using a Threat Analysis and Risk Assessment (TARA) methodology like HEAVENS, you can systematically identify and mitigate potential threats throughout the device lifecycle.
Privacy and Secure Operations
Beyond security, the standard addresses privacy concerns related to data collected by dongles. In-vehicle privacy recommendations focus on limiting data access to what is necessary and ensuring that data is transmitted securely off-board. Remote privacy recommendations stress the importance of encrypting data in transit and respecting user consent. These guidelines help ensure that the convenience of connected diagnostics does not come at the expense of user privacy.
🔍 Privacy First: Design your device to collect only the data needed for its function, and always transmit it over encrypted channels with proper authentication.
Frequently Asked Questions
How can OBD dongles be secured against unauthorized access?
Implement hardware read-protection for the microcontroller’s code memory, use unique device identities with cryptographic keys, and ensure that firmware updates are authenticated and integrity-checked. Additionally, adhere to the principle of separation of duties to isolate security-critical functions.
Why is device individualization important?
If all devices share the same cryptographic keys, compromising one device allows an attacker to control or impersonate all others. Individualization ensures that each device has unique keys, limiting the damage of a single breach.
What methodology should be used for risk assessment?
The standard recommends using a structured Threat Analysis and Risk Assessment (TARA) methodology, such as HEAVENS, to systematically identify vulnerabilities and determine appropriate mitigations.
Does SAE J3005-2 apply to both aftermarket and OEM devices?
Yes, the guidelines are intended for any manufacturer of diagnostic communication devices that are permanently or semi-permanently installed. The focus is on the device design, regardless of whether it is an aftermarket or original equipment (OEM) device.
