Early days in experiment and analysis but vulnerability exposed and remote access seen as next step
US university researchers have hacked a 2006 prime mover’s instrument cluster, power train and engine brake and they have every confidence a path into trailer controls is possible, their research paper shows.
But while vulnerabilities have been detected, it is early days in what they say is a unique initial experiment of the process involving heavy commercial vehicles.
The four University of Michigan Transportation Research Institute (UMITRI) researchers acknowledge that theirs was a physical test attack through the common SAE J1939 standard for internal vehicle communications and the control area network (CAN).
However, they believe a remote hack – for example, through fleet management systems (FMS) – is a logical next step.
“It’s reasonable to assume that given a physical exploit, a remote exploit will soon follow,” their paper to the Usenix Workshop on Offensive Technologies, held this week, states.
They also appear to note, as have industry sources, that original equipment manufacturers (OEMs) do have certain defences.
“The J1939 standard is open and used across many industries that employ diesel engine vehicles, such as bus and train transportation, construction, agriculture, forestry, mining, and the military,” the paper says.
“This is a very different model from OEM’s proprietary application level CAN protocols which change across make, model, and model year and are heavily guarded secrets within the OEMs.”
For their truck experiment, the researchers were able to control all gauges on the instrument cluster and push them to the point of tripping alarms.
“Our control was precise, we could make the gauges point to the value of our choosing – even while the truck was in motion,” they say, while noting that this could not be done to a second vehicle tested, a 2001-model bus.
Powertrain control was more difficult but doable.
While there were 11 unique parameter group numbers (PGN) related to acceleration, just one, the torque/speed control 1 (TSC1), enabled powertrain control.
“According to the specification, the TSC1 message is used for engine control and retarding by various ECUs, such as accelerator pedal, cruise control, or power take-off governor,” the paper says.
“It is received by the engine or retarder and commands a given RPM value if speed control mode is specified or percentage of torque output if torque control mode is specified.
“We ran further experiments while idle and found that by injecting the TSC1 message with a specified RPM in speed control mode we could physically command the engine’s RPM to that specific value.”
The TSC1 message can be configured to disable the truck’s ability to use engine braking at speeds under about 50 km/h (30 mph), a concerning risk for long and steep descents.
“It is imperative that the trucking industry begins to take software security more seriously,” the researchers conclude.
“Our attacks took us less than two months to implement and did not require any proprietary PGNs.
“It is reasonable to assume that with more time an adversary could create an even more sophisticated attack, one that could be implemented remotely.
“With Bluetooth, cellular, and WiFi, modern trucks are becoming much more connected to the outside world, which present new attack vectors.
“Our hope is the heavy vehicle industry begins to include the possibility of an active adversary in the design of their safety features.”