Truck Hacking: An Experimental Analysis of the SAE J1939 Standard
10th USENIX Workshop On Offensive Technologies (WOOT’16)
Liza Burakova, Bill Hass, Leif Millar & Andre Weimerskirch
8/9/2016
Are trucks more secure than cars?

Outline
I. Motivation
II. Prior Work
III. Technical Background
IV. Targets
V. Attacks
A. Instrument Cluster
B. Powertrain
VI. Tools & Test Environment
VII. Future Work
VIII. Defenses

Why Heavy Vehicles?
● Disconnect between consumer automotive and heavy vehicle industries
● Higher impact than consumer vehicles
○ Heavy vehicles physically massive
○ Expensive & hazardous cargo
○ More susceptible to bad driving conditions
○ Backbone of economy
○ And...
… there are a couple potentially affected industries…
Heavy Trucks
Buses
Recreational Vehicles (RVs)
Agriculture Machinery
Forestry Machinery
Construction Vehicles
Heavy Haul & Passenger Locomotives
Military Vehicles (MiLCAN)
Marine Navigation Systems (NMEA2000)

Prior Work - CAN Exploits
● Consumer automobile segment scrutinized after public hacks in 2015
● Pattern of physical exploit ---> remote exploit
2010 - Unknown Make: Physical Exploits (Karl Koscher, et al)
2011 - Unknown Make: Remote Exploits (Karl Koscher, et al)
2014 - Toyota Prius & Ford Escape: Physical Exploits (Miller, Valasek)
2015 - Jeep Cherokee [1]: Remote Exploits (Miller, Valasek); Tesla Model S [2]: Physical Exploits
2016 - Heavy Truck: Physical Exploits
[1] 1.4M Recall
[2] Over-the-air Update

So what is CAN?

CAN Overview
● Broadcast transceiver
● Allows microcontrollers to communicate with each other
● Nodes see everything on the network
[Figure labels: CAN_H, CAN_L]

Extended CAN Frames

But what is J1939?

What is J1939?
● Not CAN
○ Built on top of it
○ Physical & link layer == CAN
● Defines network -> application layers
● Detailed documentation publicly available through Society of Automotive Engineers (SAE)
[Layer diagram: Physical, Link, Network, Application]

SAE J1939 Overview
● Successor to SAE J1708/J1587
○ J1708 == physical & link
○ J1587 == transport & application
● Inside the CAN ID:
○ PGN
○ SRC & DST

J1939 Overview Continued
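
The PGN, SRC and DST fields named above, decoded from a 29-bit extended identifier. This is an added example, not code from the talk; the function and type names are illustrative and the sample identifiers are constructed.

```python
from typing import NamedTuple, Optional


class J1939Id(NamedTuple):
    priority: int
    pgn: int                     # Parameter Group Number
    source: int                  # SRC: address the sender claims
    destination: Optional[int]   # DST: None when the PGN is broadcast-only


def decode_j1939_id(can_id: int) -> J1939Id:
    """Split a 29-bit extended CAN identifier into its J1939 fields."""
    if not 0 <= can_id <= 0x1FFFFFFF:
        raise ValueError("J1939 uses 29-bit extended identifiers")
    priority = (can_id >> 26) & 0x7
    page_bits = (can_id >> 24) & 0x3       # extended data page + data page
    pdu_format = (can_id >> 16) & 0xFF     # PF
    pdu_specific = (can_id >> 8) & 0xFF    # PS
    source = can_id & 0xFF
    if pdu_format < 240:
        # PDU1: PS is the destination address and is not part of the PGN.
        pgn = (page_bits << 16) | (pdu_format << 8)
        destination = pdu_specific
    else:
        # PDU2: broadcast only; PS is a group extension inside the PGN.
        pgn = (page_bits << 16) | (pdu_format << 8) | pdu_specific
        destination = None
    return J1939Id(priority, pgn, source, destination)


# Constructed sample identifiers (not captured from any vehicle).
SAMPLE_IDS = [0x0CF00400, 0x18FEF100, 0x18EAFF00]

if __name__ == "__main__":
    for can_id in SAMPLE_IDS:
        f = decode_j1939_id(can_id)
        dst = "broadcast" if f.destination is None else f"0x{f.destination:02X}"
        print(f"0x{can_id:08X}  prio={f.priority}  PGN={f.pgn}  "
              f"SRC=0x{f.source:02X}  DST={dst}")
```

The source address is simply the low byte the sender chose to write; nothing in the frame proves which node produced it.
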
Is security built on top?
IP/TCP + HTTP (no security) → IP/TCP + HTTPS (yay security!)
:D
CAN + Car app. layer (no security) → CAN + J1939 (security???)
¯\_(ツ)_/¯

Our Targets
2001 Model School Bus
2006 Model Semi Tractor

Typical Heavy Truck Network
Instrument Cluster Attack
Experiment Progression:
Packet snooping & packet injection
Heavily relied on by vehicle operators
Hydraulic & Pneumatic Brakes

Powertrain Attack
Experiment progression:
Packet recording, replay attack, packet injection script

Powertrain Attack
Part 2: Electric Boogaloo
Unmodified attack from 2006 model year truck on 2001 model year school bus
A very powerful message
● Single PGN for all these attacks
○ Remove driver’s ability to input via accel. pedal
○ Disable engine brake
○ Command high and low RPM values
● Largest hurdle: implementing checksum
○ No RE required... checksum is public as well!

Making It Happen

Tools
● PEAK USB-PCAN
○ Data Collection
○ Packet Injection
○ Python APIs
■ Fuzzing Script
● Vector CANoe
○ Data Collection
○ Packet Injection
○ CAPL Scripting language
● Diagnostic Tool
○ ABS valve modulation
○ Engine cylinder cutoff

Test Environment
1. Idle Truck
○ Initial data gathering
○ Attack development
2. Public Roads
○ Data gathering in motion
3. MCity
○ Attacks while in motion

Looking towards the future...
Remote Compromises?
● Fleet Management Systems
○ Ubiquitous in several industries
○ GPS data, CAN bus access
● Telematic Gateway Unit (TGU)
○ Cellular, Bluetooth, CAN (J1939) interfaces
○ C4MAX - Telnet port open by default
[Figure: C4MAX units on public IP space]

Further Areas of Interest
● Diagnostics tool emulation
● More safety critical attacks
● Malicious trailers
So Many Activities...
● Autonomous Semi Trucks
● Connected Vehicles
○ V2V / V2I
● Cargo Ships
● Aircraft
Vulnerability Mitigation Techniques
● Securing the Vehicle Bus:
○ Network Segregation & Isolation
○ Intrusion Detection Systems
○ Message Ownership Verification
○ Message Authentication
○ Strict Message Timing Detection
● Best Practices from ‘traditional’ security domain:
○ Passwords on externally facing devices
○ Vendor Review
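
A sketch of two of the bus-side mitigations listed above, message ownership verification and strict message timing detection, run over a short frame log. This is an added example, not the authors' tooling; the policy table, its periods, the threshold and the frame log are all constructed assumptions.

```python
# Assumed policy: which source address may send each PGN, and its nominal
# broadcast period in milliseconds. Values are illustrative only.
POLICY = {
    61444: {"owner": 0x00, "period_ms": 20},
    65265: {"owner": 0x00, "period_ms": 100},
}
MIN_GAP_RATIO = 0.5  # alert when a frame arrives sooner than half a period


def pgn_and_source(can_id):
    """Extract (PGN, source address) from a 29-bit J1939 identifier."""
    pf, ps = (can_id >> 16) & 0xFF, (can_id >> 8) & 0xFF
    pgn = ((can_id >> 24) & 0x3) << 16 | pf << 8 | (ps if pf >= 240 else 0)
    return pgn, can_id & 0xFF


def inspect(frames):
    """Return (timestamp_ms, can_id, reason) alerts for (ts_ms, can_id) frames."""
    last_seen = {}  # PGN -> timestamp of the last frame from its owner
    alerts = []
    for ts, can_id in frames:
        pgn, src = pgn_and_source(can_id)
        rule = POLICY.get(pgn)
        if rule is None:
            continue  # PGN not covered by the policy
        if src != rule["owner"]:
            # Ownership check: this PGN came from an address that does not own it.
            alerts.append((ts, can_id, "ownership"))
            continue  # not counted toward the owner's timing
        prev = last_seen.get(pgn)
        if prev is not None and ts - prev < rule["period_ms"] * MIN_GAP_RATIO:
            # Timing check: an extra frame squeezed in between periodic ones,
            # even though it claims the correct source address.
            alerts.append((ts, can_id, "timing"))
        last_seen[pgn] = ts
    return alerts


# Constructed frame log: periodic traffic plus two anomalies.
FRAMES = [
    (0, 0x0CF00400), (20, 0x0CF00400), (40, 0x0CF00400),
    (45, 0x0CF00400),   # extra frame claiming the owner's address
    (60, 0x0CF00400),
    (75, 0x0CF00421),   # same PGN from an unexpected source address
    (80, 0x0CF00400),
    (100, 0x18FEF100),
]

if __name__ == "__main__":
    for alert in inspect(FRAMES):
        print(alert)
```

The timing check catches the frame at 45 ms that the ownership check alone would accept, which is why the two appear as separate items in the list.
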
Travel to this workshop and future research is sponsored by National Motor Freight Traffic Association, Inc. (NMFTA). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of NMFTA.
ybura, billhass, ltmillar @umich.edu