Truck-To-Truck Worm Could Infect Entire US Fleet

Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt of some of the vehicle's systems. A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.

Hybrid warfare indeed

[bumblebees]

So if majority of the trucks gets bricked on the same time we pretty much starve after a few days. These manufacturers don't really like patching any firmware but they should start to be held responsible for neglect.

Re:

[quonset]

These manufacturers don't really like patching any firmware but they should start to be held responsible for neglect.

Like programmers who created the software?

Re:Hybrid warfare indeed

[Calydor]

There is a big difference between making a mistake and refusing to fix your mistake.

Default Stupidity. Again.

[geekmux]

These manufacturers don't really like patching any firmware but they should start to be held responsible for neglect.

Like programmers who created the software?

..uses default credentials to establish a connection..

If you’re going to call yourself a “programmer”, then maybe learn why you program a forced password reset before the odometer reaches 10 miles.

Damn this gets old. It’s like we’re asking for it at this point.

Re:

[drinkypoo]

If youâ(TM)re going to call yourself a âoeprogrammerâ, then maybe learn why you program a forced password reset before the odometer reaches 10 miles.

A programmer is [now] just someone who writes code, just as a developer is just someone who writes programs. An engineer ought to be the person you're looking for, although in the USA (where a lot of the programming happens, or at least used to happen) there's no requirement to have an engineering degree before calling yourself a software engineer like there is for other kinds of engineering.

Re:

[geekmux]

If youâ(TM)re going to call yourself a âoeprogrammerâ, then maybe learn why you program a forced password reset before the odometer reaches 10 miles.

A programmer is [now] just someone who writes code, just as a developer is just someone who writes programs. An engineer ought to be the person you're looking for...

Im looking AT all of them, since they all belong to the same group of tech civilians who have to live in a world hacked constantly by default passwords.

Really? We NEED the Engineer with a degree in order to tell us default passwords left unchanged are bad at this point? I mean, damn.

Re:

[drinkypoo]

Really? We NEED the Engineer with a degree in order to tell us default passwords left unchanged are bad at this point? I mean, damn.

No, the engineer is the one with the responsibility to do that. The rest are just there to punch keys as they are instructed. If there's zero engineers involved in a complex project then failure is the outcome we should expect.

Re:

[Local ID10T]

Modern programmers are builders -not engineers. They assemble code blocks into programs, sometimes writing some glue-code to hold it together.

Actual software engineers should be involved in designing and reviewing and -certifying- designs and overseeing testing of implementations. We do it for cars, buildings, etc. (to varying degrees) we can do it for software.

Not everything needs to be designed by an engineer. Much can be done just by a builder/handyman. But at some point you want an engineer taking c

If these guys know...

[Baron_Yam]

You can bet every foreign intelligence service that considers the US a rival already knows and has an exploit ready to launch.

A massive disruption of transport that might take weeks to set up, but would also take weeks to clean up... That's a significant tool in your kit if things get hot enough.

If only Toretto knew

[Unpopular Opinions]

They could stop a running truck by hacking instead of hitting with a harpoon and climb on it, all while driving in high speeds. That could had avoided many injuries, saved lives, and increased his family "profits" for the underground racing scene. Oh well.

Whyyyyyy???

[Luca01]

If those devices are used to log driving time, gps data and engine parameters (for regulatory purpose I suppose) why they can interfere with critical systems like braking, steering and fuel pumps?

Re: Whyyyyyy???

[raburton]

Because they connect to the CAN bus, and anything that does that basically has root access to the entire vehicle. Vehicle maker is as much to blame as the 3rd party vendor making these devices.

Re:

[stabiesoft]

To be fair, CAN was implemented way before a car was connected to anything. In many ways similar to microcomputer OS vs mainframe. Mainframe was always multiuser, and was networked for decades before micros. As a result, OS's from micros were not very hard to attack(and still probably not as resistant as UNIX based OS's even today) because of legacy design. Really the only solution I can see is for government to step in and force manufacturers to choose between connected vehicles with a completely new hard

Re:

[drinkypoo]

To be fair, CAN was implemented way before a car was connected to anything.

EDRs have existed since the mid nineties, and the trucks didn't go CAN until about 2000. They should have seen the need for security.

We still have not moved to 48V power bus.

That's likely to improve soonish, actually because of Elon's Cybertrap. Tesla went ahead and spent the money to go 48V. Whoever supplies their window motors and such will surely be trying to resell it to others. It's likely to take off in OTR trucks first, then trickle down to autos. Since they have the biggest and most power-hungry starter motors, they have the most motivatio

Re:

[sjames]

The whole thing could be solved with a few Diffie-Hellman exchanges over the existing CAN bus. Including the "problem" of granting the owner full access to everything without letting bad actors in.

Re:

[codebase7]

Including the "problem" of granting the bad actor that bought it full access.

FTFY. /s

In all seriousness, that's only a "problem" if the manufacturer is actively hostile towards it's paying customers who bought their products. In my opinion, such manufacturers should be banned from selling products in our country that pose a national security risk when compromised.

Re:

[belmolis]

But why do these devices accept wireless input at all? If their job is logging, they just need to record data and have some means of off-loading it. That could be via a physical connection, but even if for some reason a wireless readout is required, there should be no need for it to accept wireless input.

Re:

[iNaya]

Typically, heavy transport drivers (and other types, varying from state-to-state) have an "hours of service" app on a phone or tablet, where they set whether they are on/off duty. This app needs to know whether or not the vehicle has been driving, for how long, and for how far. So it talks with the ELD via bluetooth to request this information. The app needs this information because it is required by the federal government (DOT), as well as things required, or superceded by state law. DOT inspectors exist,

Re:

[iNaya]

I think this "specific time frame" mentioned above is about 10 seconds

Re:

[iNaya]

Also, if mobile coverage is lost, the 10 second rule cannot work; so we're back to needing a connection between the ELD and the driver's status input device.

I'm curious

[argStyopa]

...How a compromised logging device can "force a truck to pull over" which they seem to not explain.

TFA describes "...sending malicious messages causing the truck to slow down..." wtf does that mean, exactly. "Your truck is on fire" or what? The eld is a LOGGING device, never afaik actually linked to operating systems like brakes or engine at all. Iirc one of the early conditions of elds was that they distinctly NOT be linked to controlling subsystems.

Yes, corrupting it might cause it to bug, but if your

Re: I'm curious

[frdmfghtr]

As has been stated before, being connected to the CAN bus allows any connected device to send out commands to the engine controller (ECU). Sure, an electronic log may not be initially programmed to do so but uploading malicious code can change that.

For example, there is a message called Torque and Speed Control (TSC) where you can command the engine to run at a particular speed. There is also a message (can't recall what it is at the moment) that can command the ECU to start or shut down the engine. These

Re: I'm curious

[frdmfghtr]

Sorry missed one final detail. This published standard is SAE J1939. There are others but this is the one I'm familiar with as I've used it many times in programming machine controllers that interface with the engine.

Re:

[_merlin]

The attack can send arbitrary messages on the main CAN bus. It can make the ECUs believe there's a major failure and put it into "limp home" mode, or possibly disable power steering and other systems.

Control?

[JoeRobe]

I drive a commercial vehicle with an ELD. Incredibly useful replacement for paper-based logging. Their job is to log location, hours driven, and fuel use. I'm shocked that there are ones that have the ability to control a vehicle.

There are two mechanisms that I can think of to slow down a truck against the driver's wishes. One is if they are running low on diesel exhaust fluid (DEF), the engine drops its RPM and forces you to basically crawl along until you find a gas station. This is mandatory on commercial diesel vehicles. The second is a remote shutoff system to stop the vehicle if it's been stolen (not mandatory). I suppose those systems could be linked up to the ELD. I'm not aware of any ELDs that do that, but maybe mine is just old. I certainly wouldn't be comfortable with my ELD being able to control the truck.

Re: Control?

[jaymemaurice]

Often all those switches on the dash switches are CAN controlled. Things like the fuel shutoff relay, windows, cruise control, jake brake, diff lock, air ride can be controlled by CAN. Many trucks allow you to dump the air from the rear air bladders - doing that repetitively will probably eventually force the brakes to be applied due to lack of air supply. Engine operating parameters like RPM/vmax can usually be set by CAN and sometimes software updates to control modules⦠at which point you migh

Re:

[FudRucker]

You forgot if you lose air pressure and the brakes lock up

Re:

[drinkypoo]

There are two mechanisms that I can think of to slow down a truck against the driver's wishes.

You had good examples, but the underlying truth is that every truck since roughly 1999 (and for gasoline vehicles, long before that) needs the computer to run, so anything you do to disrupt its function will cause misoperation or failure. The last OTR engines with mechanical fuel delivery were sold, as far as I'm aware, in 1998.

I certainly wouldn't be comfortable with my ELD being able to control the truck.

They all have to be able to talk to the truck, because they all have to be able to request information from it. You have to send messages to the PCM to get back messages with the dat

Re:

[Woeful Countenance]

I certainly wouldn't be comfortable with my ELD being able to control the truck.

They all have to be able to talk to the truck, because they all have to be able to request information from it. You have to send messages to the PCM to get back messages with the data you want to log. If they can send at least two kinds of message then they can send any kind, and all the modern vehicles ... have a CAN bus, and if you can send any kind of message you can send every kind.

Ah. So it's not possible to have a logging device with read-only access to the bus. That's a key point.

Re:

[drinkypoo]

Ah. So it's not possible to have a logging device with read-only access to the bus. That's a key point.

Not one which logs the things they want to log. You could log things with only read access, you just wouldn't be able to select what. Sniffers do this now. Most messages are unencrypted, though encryption is becoming more common. The PCM might also have two CAN buses, one which is used only for the DLC and one which connects to other modules. In a heavy truck you will have at least the PCM, accelerator pedal, and the ABS module. If it's an automatic you will also have a TCM and a shifter module. Looking aro

Re:

[Local ID10T]

Control is a weasel word in this situation.

It could be actually taking over the steering, acceleration, breaking, etc. Full-on singularity shit..
OR it could be simply giving mis-information to the onboard diagnostics systems thus causing warning lights on the dash to illuminate.

I am more inclined to believe the latter. This would still be debilitating as no driver is risking it and driving onward.

Boffins?

[ratbag]

The 50s are calling, they want their lazy journalism back.

Re:

[Brett Buck]

It's anglophilia. There is apparently some subset of largely-left-wing "journalists" that go around using or changing things to British idioms, presumably to show their contempt for the USA. It happens a lot on slashdot, but the real home of it is Wikipedia, where people go through and systematically change spelling and grammar to use the foreign forms instead of the conventional words. Makes them feel more sophisticated, or something like that.

Same thing with reverting or removing reference

Re:

[clawsoon]

It's anglophilia. There is apparently some subset of largely-left-wing "journalists" that go around using or changing things to British idioms

Lol. You know that The Register is British, right?

Re:

[Brett Buck]

I don't care.

Er

[cascadingstylesheet]

Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks {...}

I think I just spotted where the vulnerability may have crept in ...

I just had this bad AI cover sail through my head

[wierd_w]

https://www.youtube.com/watch?... [youtube.com]

Vehicular STDs.

That is all. I am sorry everyone.

(Clearly, they didn't do any ... .penetration testing... Before rolling out these requirements. Phhhtt!)

They should stick to low or no tech

[FudRucker]

I would rather drive a 1950s era Mac or Peterbilt, high tech has a trend or turning everything it touches to shit like Google went to shit and Apple is following right being, hello John Deere are you listening,?

Re:

[AmiMoJo]

I wouldn't. Older cars are not nearly as safe as newer ones. Even though I'm a god level driver who never makes mistakes, I can't say the same of other road users.

Re:

[sinkskinkshrieks]

Unless it's a Volvo from the 80's.

Re:

[noshellswill]

Older cars are quite safe ... given a prudent driver. I've driven everything from the 1953 Plymouth, 1966 Tr-6 to a Chrysler and Chevy convertible. Did not cause one (1) accident in 65 years of driving, and only twice did I miss other drivers running red-lights. I indeed can document NEVER making a serious ( true Scottsman ) mistake driving ; I can't say the same of-course for other drivers ... or posters. Some damned-fool in a new Caddy cut me off yesterday while I was test-driving a new

Re:

[clawsoon]

That sounds good except for the doubling (or thereabouts [truckinginfo.com]) of your fuel costs.

Whenever you park at a truck stop...

[sinkskinkshrieks]

ALWAYS use a condom and your modem should should use a condom too.

Maximum Overdrive!

[SendBot]

Apparently Stephen King is a prophet - https://youtu.be/20BeizHnW3s [youtu.be]