Analysis of the DoIP Protocol for Security Vulnerabilities
Patrick Wachter, Stephan Kleber

TL;DR
This paper conducts a formal security analysis of the DoIP protocol, revealing vulnerabilities due to optional security features, and proposes minimal protocol redesigns to enhance vehicle diagnostic data security.
Contribution
It provides the first formal analysis of DoIP, identifying security flaws and suggesting practical countermeasures to improve protocol security.
Findings
DoIP protocol is insecure without mandatory TLS and client authentication.
Formal analysis confirms vulnerabilities and potential attack vectors.
Proposed minor protocol redesigns mitigate identified security issues.
Abstract
DoIP, which is defined in ISO 13400, is a transport protocol stack for diagnostic data. Diagnostic data is a potential attack vector at vehicles, so secure transmission must be guaranteed to protect sensitive data and the vehicle. Previous work analyzed a draft version and earlier versions of the DoIP protocol without Transport Layer Security (TLS). No formal analysis exists for the DoIP protocol. The goal of this work is to investigate the DoIP protocol for design flaws that may lead to security vulnerabilities and possible attacks to exploit them. For this purpose, we deductively analyze the DoIP protocol in a first step and subsequently confirm our conclusions formally. For the formal analysis, we use the prover Tamarin. Based on the results, we propose countermeasures to improve the DoIP's security. We show that the DoIP protocol cannot be considered secure mainly because the security…
