Consumer vehicles have been proven to be insecure; the addition of electronics to monitor and control vehicle functions have added complexity resulting in safety critical vulnerabilities. Heavy commercial vehicles have also begun adding electronic control systems similar to consumer vehicles. We show how the openness of the SAE J1939 standard used across all US heavy vehicle industries gives easy access for safety-critical attacks and that these attacks aren't limited to one specific make, model, or industry.I saw a comment somewhere (link lost) that the hacking described above currently requires entry into the vehicle, but that it should be possible to accomplish the same effect externally unless improved security features are incorporated into vehicles.
We test our attacks on a 2006 Class-8 semi tractor and 2001 school bus. With these two vehicles, we demonstrate how simple it is to replicate the kinds of attacks used on consumer vehicles and that it is possible to use the same attack on other vehicles that use the SAE J1939 standard. We show safety critical attacks that include the ability to accelerate a truck in motion, disable the driver's ability to accelerate, and disable the vehicle's engine brake. We conclude with a discussion for possibilities of additional attacks and potential remote attack vectors.
08 September 2016
The potential nightmare of "truck hacking"
The terrorist incident in France shows the devastation that can be created with a large truck. Now imagine someone being able to "hack" an autonomous, driverless truck.
Internet security is a MESS because it was invented with the assumption that everyone on the network was trustworthy. Hopefully we've learned enough from that to get it right on autonomous vehicles.
ReplyDelete(Also, this is not entirely a new thing. The vast majority of vehicles already have onboard computers. There is some proof-of-concept of attacks on some of them, but it has not proved to be a real-life problem. That may change when completely hijacking a vehicle becomes possible, though.)