US truck hacking report due for release

[kscarbel2]

Australasian Transport News (ATN)  /  August 4, 2016

Researchers say test showed ease of attack on American trucks and buses

US researchers are due to report on the potential for hacking an articulated truck’s computers in that country.

Current affairs website Wired has looked into the issue a year after it made headlines on the remote hacking of two passenger vehicles, where computer assisted controls were taken over as they were driving.

Now University of Michigan Transportation Research Institute (UMITRI) researchers plan to unveil their findings on the remote interference of a semi-trailer’s braking and acceleration, at the Usenix Workshop on Offensive Technologies conference next week.

In their abstract for the workshop, UMITRI researchers Yelizaveta Burakova, Bill Hass, Leif Millar, and André Weimerskirch highlight the vulnerability of the Society of Automotive Engineers’ SAE J1939 standard used for large vehicle communications and diagnostics.

All trucks on the Australian market use the J1939 code. It is a universal language for electronic systems, though it is understood messages can be and are coded and therefore not be prone to hacking.

"Consumer vehicles have been proven to be insecure; the addition of electronics to monitor and control vehicle functions have added complexity resulting in safety critical vulnerabilities," the UMITRI abstract says.

"Heavy commercial vehicles have also begun adding electronic control systems similar to consumer vehicles.

"We show how the openness of the SAE J1939 standard used across all US heavy vehicle industries gives easy access for safety-critical attacks and that these attacks aren't limited to one specific make, model, or industry.

"We test our attacks on a 2006 Class-8 semi tractor and 2001 school bus.

"With these two vehicles, we demonstrate how simple it is to replicate the kinds of attacks used on consumer vehicles and that it is possible to use the same attack on other vehicles that use the SAE J1939 standard.

"We show safety critical attacks that include the ability to accelerate a truck in motion, disable the driver's ability to accelerate, and disable the vehicle's engine brake.

"We conclude with a discussion for possibilities of additional attacks and potential remote attack vectors."

The full paper is to be made available after the workshop.

The news comes after US industry technology publication trucks.com reported in mid-May that the National Highway Traffic Safety Administration (NHTSA) had sought out UMITRI last year for an examination of cybersecurity and long-haul trucks, with Weimerskirch leading the project.

The workshop will be held on Monday, two weeks after US president Barack Obama signed Presidential Policy Directive – United States Cyber IncidentCoordination that outlines his government’s roles and approach for responding to significant cyber incidents.

US national industry body American Trucking Associations is to hold an August 24 webinar on ‘vehicle-to-everything’ (V2X) vulnerabilities in trucks.

"The trucking industry needs to outline whose role will it be to look after their best interests as well.

"With 100 per cent uncertainty as to how safe V2X will be; how secure a truck’s communications currently are; and what everyone else is doing about it, trucks could become criminal pawns with minimal effort by cyber adversaries."

In Australia, when the US car hacking report surfaced last year, the Truck Industry Council (TIC) was firm that local truck cybersecurity defences were in line with those in Europe and more stringent than in the US.

TIC is drawing together a considered response to the issue.

"TIC has referred the issues raised in the US article to its members, who supply a range of European, Japanese and USA trucks in the Australian market and requested their comment and feedback," chief technical officer Mark Hammond says.

"Based on the information received TIC will respond in due course."

The NHTSA and UMITRI have all been contacted for further comment and details.

It is understood that truck makers here are confident of their own systems but less so where third-party systems are wired directly into a vehicle’s controller area network (CAN) rather than through the vehicle’s secured CAN interface.

[kscarbel2]

Can Big Trucks be Hacked?

Heavy Duty Trucking  /  August 8, 2016

If you have read any of the headline stories about the trio of researchers from the University of Michigan who successfully hacked into the J1939 databus of a 2006-model-year truck, you might now believe that it's discouragingly easy. While the researchers did manage to seize control of the truck's throttle and engine brake controls, they used a laptop computer connected directly to the truck's dataport (OBD port) to pull off their experiment.

A YouTube video accompanied several of the online reports about the hacking attempt showing the vehicle lurching along a test track, the would-be hacker in the back seat of the club-cab truck with his laptop, while the driver and a passenger (presumably the trio or researchers) comment on the performance of the truck.

It's one thing to hack into the J1939 databus from onboard the vehicle. But the question the U of M researchers were keen to delve into is the likelihood of carrying out the same type of hack, or perhaps a more serious disruption of the vehicle controls, remotely via the telematics links now emerging as a popular maintenance management option.

The research paper is titled "Truck Hacking: An Experimental Analysis of the SAE J1939 Standard," published by Yelizaveta Burakova, Bill Hass, Leif Millar, and Andre Weimerskirch of the The University of Michigan. The paper was presented Monday in Austin, Texas at 10th Usenix Workshop on Offensive Technologies. It's available to download here.

It focuses on what an adversary could accomplish while physically connected to the truck's internal network, and analyzes the impact of insecure electronic control units in heavy vehicles by exploiting the inherent openness of the J1939 architecture -- which is something common to all heavy trucks in North America and a great deal more diesel-powered equipment as well.           

According to the report, the motivation for J1939 stems primarily from a desire to electronically control drivetrain components of a vehicle. Because so many different organizations are involved in the building of heavy vehicles, a standard was needed to minimize engineering effort and the complications of integrating systems. While standardizing these communications has proven crucial in allowing various suppliers and manufacturers to work together and cut costs, it also means that all heavy vehicles currently on the road from tractor-trailers to garbage trucks and cement mixers to buses, utilize the same communication protocol on their internal networks.

By contrast, the authors say communications networks on consumer vehicles tend to be proprietary to the OEM that designed that particular vehicle and kept secret. For that reason, the authors note, "deciphering consumer vehicle network traffic involves the tedious process of reverse engineering any messages observed on the bus to determine their function."

Not so with J1939, and that's part of the vulnerability at least partially exposed by the report.

The SAE J1939 standard used across all U.S. heavy vehicle industries gives easy access for safety-critical attacks and these attacks aren't limited to one specific make, model, or industry," the authors point out.

The report also provides example of the sort of attack they were able to accomplish:

INSTRUMENT CLUSTER: By spoofing the status messages that originate in various ECUs of the truck, researchers were able to control all gauges on the instrument cluster, including oil temperature, oil pressure, coolant temperature, engine RPM, speed, fuel level, battery voltage, and air pressure.

Researchers indicated that it would be "possible" to spoof the air pressure indicator to read a normal operating pressure when in fact the pressure could be physically reduced initiating a spring parking-brake application while traveling at highway speed.

POWERTRAIN: Researchers were able to override the driver's input to the accelerator pedal and simultaneously cause either direct acceleration or remove the ability to provide torque to the wheels while the truck was in motion.

ENGINE BRAKE: Certain message could be configured to disable the truck's ability to use engine braking at speeds below 30 mph. Researchers acknowledged that the driver retained control of the service brakes, but noted that if they had been able to control the engine brake above 30 mph, it would could have implications for trucks operating on long downhill grades.

The story appeared on several technology publication websites whose authors are more familiar with pure technology that the current state of the trucking industry. They envisioned the potential for autonomously controlled trucks running pell-mell across the country leaving trails of destruction in their wake.

Insiders, on the other hand, would recognize the "attacks" described by the authors of the study as potentially risky, but generally not life threatening in every circumstance. But we should not be lulled into a false sense of security because this particular exercise didn't come up with a crash 'n burn scenario.

Foremost on the authors' minds was the potential for remote access to the vehicle's internal electronic controls via some telematic interface wi-fi, cellular or satellite connectivity.

The paper makes for some interesting reading, as do a couple of other stories that appeared online following its release -- if you can forgive the doomsday scenarios.

Forbes.com: There's A Windows PC Helping Control Fleet Trucks -- Any Idiot Can Start Hacking It In 30 Seconds

Wired.com: Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

Salon.com: As era of autonomous trucking arrives, Michigan researchers prove how easy it is to hack trucks

 

[kscarbel2]

There's A Windows PC Helping Control Fleet Trucks -- Any Idiot Can Start Hacking It In 30 Seconds

Forbes  /  August 5, 2016

Got access to a freight truck? In case you do, have a look at the telematics system on board. That’s the computer-looking thing attached to the dash. It’ll be running a special version of Microsoft MSFT +0.23% Windows.

Now, poke around the side and see if you can peel away a plastic panel to reveal an SD card slot.

Plug in your own SD card, maybe running some malware. Turn on the system and watch as it runs whatever programs you have on there without even questioning what you’re doing.

Ta-da! You just started hacking a truck in 30 seconds.

This is just one of many security problems found in America’s freight fleets in recent months by DARPA-funded researchers Andrew and James (they preferred to keep their family names private). As part of their work, they’ve created what they believe is the first ever rootkit (a kind of malware that has almost complete control of the victim system) designed for trucks. During a demo, in a somewhat messy hotel room, they showed how they could cut a truck’s maximum speed to 30mph and hide what it’s doing from the driver; heavy-lifting automobiles are, fortunately, smart enough to not allow any setting below that.

That’s not as dramatic as, say, hacking and killing the brakes, but imagine wiping out a whole business’ fleet. If so inclined, you could download the rootkit to that telematics system via the SD card – a hack they called the Evil Lot Lizard, named after ladies of the night who sell services at truck stops  – and have the malware uploaded to computers controlling the trucks. That could then disseminate the malicious software to every other fleet vehicle, crippling them all. “Imagine shutting down Walmart,” said Andrew. “There’s very little security on trucks and it’s terrifying.”

They were able to show me the attacks from a hotel room with equipment that simulates a heavy vehicle. That technology is built on top of their “Truck-in-a-Box ” designs, which mimic the real electric internals of a freight vehicle. They were produced for the defense department’s research arm DARPA after a $100,000 grant, which was on top of a $150,000 award for their truck hacking research. They haven’t been able to get access to a real truck to test their hacks yet, but see no reason why their experiments wouldn’t work on actual vehicles.

And their malicious designs could be put to use from anywhere on the planet. Those telematics systems have been exposed before. Earlier this year at least 733 of those telematics units were left open on the internet. None required a username or password to access, making the possibility of remote attacks on trucks all too real.