US truck hacking report due for release

By: Rob McKay


Researchers say test showed ease of attack on American truck and bus


US researchers are due to report on the potential for hacking the computers of articulated trucks in that country.

Current affairs website Wired has looked into the issue a year after it made headlines with the remote hacking of two passenger vehicles, whose computer-assisted controls were taken over while they were being driven.

Now University of Michigan Transportation Research Institute (UMITRI) researchers plan to unveil their findings on the remote interference of a semi-trailer’s braking and acceleration, at the Usenix Workshop on Offensive Technologies conference next week.

In their abstract for the workshop, UMITRI researchers Yelizaveta Burakova, Bill Hass, Leif Millar, and André Weimerskirch highlight the vulnerability of the Society of Automotive Engineers’ SAE J1939 standard used for large vehicle communications and diagnostics.

All trucks on the Australian market use the J1939 code. It is a universal language for electronic systems, though it is understood messages can be and are coded and therefore not prone to hacking.

"Consumer vehicles have been proven to be insecure; the addition of electronics to monitor and control vehicle functions have added complexity resulting in safety critical vulnerabilities," the UMITRI abstract says.

"Heavy commercial vehicles have also begun adding electronic control systems similar to consumer vehicles.

"We show how the openness of the SAE J1939 standard used across all US heavy vehicle industries gives easy access for safety-critical attacks and that these attacks aren't limited to one specific make, model, or industry.

"We test our attacks on a 2006 Class-8 semi tractor and 2001 school bus.

"With these two vehicles, we demonstrate how simple it is to replicate the kinds of attacks used on consumer vehicles and that it is possible to use the same attack on other vehicles that use the SAE J1939 standard.

"We show safety critical attacks that include the ability to accelerate a truck in motion, disable the driver's ability to accelerate, and disable the vehicle's engine brake.

"We conclude with a discussion for possibilities of additional attacks and potential remote attack vectors."

The full paper is to be made available after the workshop.

The news comes after US industry technology publication trucks.com reported in mid-May that the National Highway Traffic Safety Administration (NHTSA) had sought out UMITRI last year for an examination of cybersecurity and long-haul trucks, with Weimerskirch leading the project.

The workshop will be held on Monday, two weeks after US president Barack Obama signed Presidential Policy Directive – United States Cyber Incident Coordination, which outlines his government’s roles and approach for responding to significant cyber incidents.

US national industry body American Trucking Associations is to hold an August 24 webinar on ‘vehicle-to-everything’ (V2X) vulnerabilities in trucks.

"The trucking industry needs to outline whose role will it be to look after their best interests as well.

"With 100 per cent uncertainty as to how safe V2X will be; how secure a truck’s communications currently are; and what everyone else is doing about it, trucks could become criminal pawns with minimal effort by cyber adversaries."

In Australia, when the US car hacking report surfaced last year, the Truck Industry Council (TIC) was firm that local truck cybersecurity defences were in line with those in Europe and more stringent than in the US.

TIC is drawing together a considered response to the issue.

"TIC has referred the issues raised in the US article to its members, who supply a range of European, Japanese and USA trucks in the Australian market and requested their comment and feedback," chief technical officer Mark Hammond says.

"Based on the information received TIC will respond in due course."

The NHTSA and UMITRI have both been contacted for further comment and details.

It is understood that truck makers here are confident of their own systems but less so where third-party systems are wired directly into a vehicle’s controller area network (CAN) rather than through the vehicle’s secured CAN interface.

 
