Ben Gardiner - Trailer Shouting: Talking PLC4TRUCKS Remotely with an SDR
Presentation Title: Trailer Shouting: Talking PLC4TRUCKS Remotely with an SDR
Ben Gardiner, Senior Cybersecurity Research Engineer, National Motor Freight Traffic Association Inc., He/Him
Chris Poore, Senior Reverse Engineer, Assured Information Security, He/Him
Length of presentation: 45 Minutes
Demo, Tool, Exploit
Ben Gardiner, Chris Poore and other security researchers have been analyzing signals and performing research on trailers and Power Line Communication (PLC) for multiple years. This year the team disclosed two vulnerabilities centered on the ability to remotely inject RF messages onto the power line and, over that link, send unauthenticated messages to the brake controller. The team will discuss the details of PLC4TRUCKS, explain what led to this research and to the discovery of the vulnerabilities, and then detail the SDR and software used to perform the attack. The talk will conclude with a demonstration of a remotely induced brake controller solenoid test using an FL2K, and with the release of the GNU Radio block used to perform the test, so that the community can pursue further research in the area.
## SPEAKER BIO(S)
Ben Gardiner is a Senior Cybersecurity Research Engineer contractor at the National Motor Freight Traffic Association, Inc. (NMFTA), specializing in hardware and low-level software security. Prior to joining the NMFTA team in 2019, Gardiner held security assurance and reversing roles at a global corporation and worked in embedded software and systems engineering roles at several organizations. He is a DEF CON Hardware Hacking Village and Car Hacking Village volunteer. He also participates in and contributes to working groups in SAE and ATA TMC.
Chris Poore is a Senior Reverse Engineer at Assured Information Security in Rome, NY. He has expertise in discovering vulnerabilities in wireless systems, gaining access to systems via RF, reverse engineering RF protocols, forensically testing cybersecurity systems, and administering RF collection events. He has experience writing code for software-defined radios and GNU Radio to reverse-engineer RF communication protocols and perform sophisticated attacks. Chris is excitable when working with the community to draw out ideas and takes advantage of networking opportunities with both humans and computers.
## REFERENCES
- Haystack & Sixvolts, "Cheap Tools For Hacking Heavy Trucks," DEF CON 24 Car Hacking Village. https://media.defcon.org/DEF%20CON%2...avy-Trucks.pdf
- Haystack & Sixvolts, TruckDuck (tool). https://truckhacking.github.io/
- Haystack, Python Heavy Vehicle Interface. https://truckhacking.github.io/
- SAE J2497. https://www.sae.org/standards/content/j2497_201207/
- SAE J1708. https://www.sae.org/standards/content/j1708_200408/
- SAE J1587. https://www.sae.org/standards/content/j1587_201301/
- ATA TMC (S.1), Next Generation Tractor/Trailer Electrical Interface. https://tmcconnect.trucking.org/comm...Url=%2fcommunities%2fcommunity-home%2fdigestviewer%3ftab%3ddigestviewer%26CommunityKey%3d782c741b-674d-4af4-b962-9019b3e7d056%26ssopc%3d1&ssopc=1
- ATA TMC (S.1), Next Generation Tractor/Trailer Electrical Interface, "New TMC Webinar Series Alert: Next Generation Trailer Electrical/Electronic Architecture." https://tmcconnect.trucking.org/comm...Url=%2fcommunities%2fcommunity-home%2fdigestviewer%3fcommunitykey%3d782c741b-674d-4af4-b962-9019b3e7d056%26tab%3ddigestviewer
- ICS Advisory (ICSA-20-219-01), Trailer Power Line Communications. https://www.cisa.gov/uscert/ics/advi...icsa-20-219-01 ; CVE-2020-14514: https://nvd.nist.gov/vuln/detail/CVE-2020-14514
- ICS Advisory (ICSA-22-063-01), Trailer Power Line Communications (PLC) J2497. https://www.cisa.gov/uscert/ics/advi...icsa-22-063-01 ; CVE-2022-25922: https://nvd.nist.gov/vuln/detail/CVE-2022-25922 ; CVE-2022-26131: https://nvd.nist.gov/vuln/detail/CVE-2022-26131
- 49 CFR § 571.121, Standard No. 121; Air brake systems.
- 49 CFR § 393.55, Antilock brake systems.
- Wheel Monitor Inc., "About Us." https://www.wheelmonitor.ca/about-us.html
- Tom Berg, "Tests shedding light on ABS warning systems," Trucknews.com. https://www.trucknews.com/features/t...rning-systems/
- Bruce Sauer, "New Power for Trailers," Bulk Transporter. https://www.bulktransporter.com/arch...r-for-trailers
- Jim Mele, "PLC4TRUCKS Hits a Snag," FleetOwner. https://www.fleetowner.com/news/arti...ks-hits-a-snag
- DOT, Task Order 7 of the Commercial Motor Vehicle Technology Diagnostics and Performance Enhancement Program. https://rosap.ntl.bts.gov/view/dot/155/dot_155_DS1.pdf
- Opendous Inc., Hamitup. https://web.archive.org/web/20190514...converter.wiki
- Nooelec, Hamitup nano. https://www.nooelec.com/store/downlo...revision_1.pdf
- Airspy, Spyverter. https://www.itead.cc/spyverter-r2.html
- Hozumi et al., "Low cost development of HF receiver prototype for HF-START field campaign," URSI proceedings. http://www.ursi.org/proceedings/proc...PID5209275.pdf
- Nooelec, Balun One Nine. https://www.nooelec.com/store/balun-one-nine.html
- Ted Yapo, "FL2K AM LPF," OSH Park, May 2018. https://oshpark.com/shared_projects/OOkzY6K6 (accessed 2022-04-07)
- Texas Instruments, Beaglebone and PRU SDKs. http://downloads.ti.com/codegen/esd/...x_installer.sh ; http://downloads.ti.com/sitara_linux...86-Install.bin ; http://software-dl.ti.com/sitara_lin...86-Install.bin ; https://git.ti.com/cgit/pru-software...pport-package/
- Chris Poore and Ben Gardiner, "Power Line Truck Hacking: 2TOOLS4PLC4TRUCKS," DEF CON 30 Car Hacking Village 2019. http://www.nmfta.org/documents/ctsrp...TRUCKS.pdf?v=1
- Eduard Kovacs, "Tractor-Trailer Brake Controllers Vulnerable to Remote Hacker Attacks," SecurityWeek, 2022. https://www.securityweek.com/tractor...hacker-attacks
- R. Baker and I. Martinovic, "Losing the Car Keys: Wireless PHY-Layer Insecurity in EV Charging," 28th USENIX Security Symposium (USENIX Security 19), 2019, pp. 407-424. https://www.usenix.org/system/files/sec19-baker.pdf
- Michael Ossmann, H2HC 2017 keynote (notes). https://github.com/h2hconference/201...20Notes.txt#L1
- Sebastian Köhler, Richard Baker, Martin Strohmeier and Ivan Martinovic, "Brokenwire: Wireless Disruption of CCS Electric Vehicle Charging," 2022. https://arxiv.org/pdf/2202.02104.pdf (accessed 2022-04-28)