Hacking, forensics tools helping researchers determine schematics of how heavy-duty trucks are constructed to pinpoint cybersecurity vulnerabilities
Cybersecurity vulnerabilities, which can be exploited remotely and in large numbers, are an existing threat in heavy-duty commercial vehicles, according to a National Motor Freight Traffic Association (NMFTA) white paper on heavy vehicle cybersecurity. And given the potential for large-scale exploitation of heavy vehicle cyber vulnerabilities, the consequences for trucking companies could be catastrophic.
Jeremy Daily, an associate professor of systems engineering at Colorado State University (CSU), has been working with student researchers at the university via a program called the Student CyberTruck Experience, which originated through takeaways from an NMFTA meeting on heavy vehicle cybersecurity. The goal of CSU’s program is to fill a talent pipeline and create a next-generation workforce that could work on trucks and cybersecurity at the same time, explained Daily.
Daily spoke on truckload data security threats during a General Session of the Truckload Carriers Association (TCA) Safety and Security Conference. The 39th annual conference, held June 23-25, was offered virtually due to the COVID-19 pandemic.
One of the key features of the CSU program is that students work on real projects and develop ideas and strategies on how to secure heavy vehicle communications systems.
“The reason I think this is so important is because there is really not a discipline that does this yet,” Daily explained. “It’s a new merger of traditional electrical and mechanical engineering as well as computer science and cybersecurity. Very few areas have that overlap, so this is one of those unique positions to work on heavy vehicle cybersecurity.
“I think this is successful because our graduates have actually gotten jobs at places like Allison Transmission, Volvo Trucks and Blackberry, and they seem to be doing quite well in the marketplace.”
Through the program, student researchers use hacking and forensics tools and create heavy vehicle testbeds, where they parse through a pile of truck wires and learn the schematics of how trucks are put together. These testbeds help students discover that there are different security issues associated with commercial vehicles. For instance, researchers tested a truck’s brake system to see whether it could be hacked and then authorized to perform certain tasks. Researchers analyzed responses from the truck’s electronic control unit (ECU) vs a rogue node that they introduced.
Another test was done on a telematics system, where a student researcher was able to reveal the WiFi password from the telematics software. “It was subsequently determined that the WiFi password was out-rhythmically generated based off of some things that were easily discovered, which means there was no real WiFi password,” Daily said. “This speaks to the issue of confidentiality and that you should not store passwords in plain text.”
Daily pointed out that there are a lot of opportunities to improve the cybersecurity of heavy vehicles and prevent cyberattacks. Based on his experience over the years, Daily shared some of the following observations.
“Never roll your own cryptography; that’s the mathematics behind encryption. If anyone says they have a proprietary solution, I would be very suspicious of that,” he emphasized.
Daily also noted there are hackers who can go into a truck’s ECU and find vulnerabilities. He pointed to a challenge with air gap systems being penetrated by the internet and wireless connections. An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public internet or an unsecured local area network.
“I’ve also noticed that the government might be prompting us to introduce these cybersecurity vulnerabilities through things like the ELD mandate, unwittingly of course,” Daily noted. “Cybersecurity is full of asymmetries, which means that the attacker has the advantage, and they only need to find one victory, whereas we have to defend against everything.”
Daily said another challenge is that cybersecurity is a hard sell because of the cost associated with implementation. He also has seen companies utilize what is called checkbox security, a strategy that focuses solely on compliance where companies check items off a list before they deem their systems secure.
“That’s usually insufficient because cybersecurity is evolving, and the attackers usually get smarter, so that means our defense has to get better as well,” he said. “Vehicles and transportation have relied on obscurity in the past where there are secret implementations, which are discovered with the right skill set, like reverse engineering. Then, they can be exploited because they weren’t actually secure to start with.”
Daily added that once a system or hardware is in an adversary’s possession, it can be hacked at any point.
“The challenge is to make it economically infeasible, so the result of the hack doesn’t provide any benefit or that it takes a long time and they don’t scale,” he concluded. “Those are some good strategies to keep up with it.”