Criminals could take control of your tractor-trailer by exploiting just one vulnerability — whether they are looking to immobilize a vehicle to steal freight or block vital supply chain routes.
And one truck that was wirelessly hacked on Oct. 24 showed that such threats are not limited to the movies.
A hacker attacked a tanker trailer’s roll stability system by constantly sending commands and resetting the electric control unit (ECU), forcing air to vent out of the air brake system. If enough air was forced out of the system, the vehicle wouldn’t be able to move.
Fortunately, it was a good guy doing the hacking during a demonstration at the National Motor Freight Traffic Association’s (NMFTA) Digital Solutions Conference in Houston, Texas.
Ben Gardiner conducts a wireless truck hacking demonstration during NMFTA’s Digital Solutions Conference in Houston, Texas. (Photo: Leo Barros)
Ben Gardiner, NMFTA’s senior cybersecurity research engineer, used technology worth US$300 and leveraged ham radio knowledge for the hack. “The risk of software exploitation on these trailers and tractor brake controller units is something we just can’t push to the side,” he told TruckNews.com.
Ben Gardiner (Photo: Leo Barros)
“If software is 100% perfect, then there is no risk to receive messages. The risk of malicious data of reaching a piece of software that wasn’t prepared for it is big in 2023. The purpose of this demonstration is to show you we can talk to these things,” the Arnprior, Ont.-based engineer said.
He added that in dry vans, especially equipment dating back to around 2001, trailers responded to almost any command. Their systems have no authentication, authorization or replay protection.
Such dry vans have larger and older valves, and the commands could also bleed the air faster than the compressor can generate it.
Road trains are particularly susceptible to such attacks because tractors have to work hard to maintain air supply through the braking system, he said.
How the hack was accomplished
Gardiner laid an antenna beside the tanker trailer, emitting signals identical to those on the power line communications network — a link over the vehicle’s power supply line. The tanker’s skin actually helped conduct the signal. And this could be done from 20 feet away, using a fixed location or driving a specially wired trailer past the target vehicle.
He then sent commands for an ECU reset and the system obeyed, blinking the anti-lock braking system (ABS) light on the trailer, clicking the solenoids as it reset.
While it didn’t bleed enough air to cause a problem, the blinking ABS light could lead a driver to pull over and inspect the trailer brakes.
Internet attacks can be traced through IP addresses, logs and servers, but Gardiner warned that radio attacks are almost impossible to track down. The radio attacks involve no login or location information, and since extremely low frequency radio waves are used, it would be hard to triangulate the threat’s source.
“Since messages can be sent, there is a possibility that you could put a worm, code control, or malware into a system,” he said. “Every piece of equipment that is on the blue auxiliary line on the trailer is receiving those messages.”
Mitigating the threat
The threat is real, but Gardiner also has ways to block these attacks. When NMFTA discovered this vulnerability and disclosed it to the Cybersecurity and Infrastructure Security Agency, it developed eight mitigation technologies to stop the threat.
Gardiner stopped his own attack by demonstrating keyhole mitigation — a signal that jammed powerline commands. “We cut little pieces out of the jamming signal that only the regulation-required messages will fill in,” he said.
An antenna is strung alongside a tanker trailer during the demonstration, but such signals could be sent from 20 feet away. (Photo: Leo Barros)
The ABS lamp lights up on the dash and trailer in case of a fault or attack. “We deny access to the powerline with [a] jamming signal, cut out holes so that the checks on them match,” he said. “If there is a lamp fault, that will show in the dash. But every other message gets denied.”
He added that all the information to mitigate this particular threat is in the public domain, so there are no licencing fees, and it should not be too expensive for OEMs to implement.
But Gardiner warned that carriers must be vigilant about threats. Newer trucks have more software that can be exploited. Even older equipment has been connected to the internet and may incorporate less security.
