Alright DEF CON, we're gonna make this fast. This is a short talk, so I'm going to just get them rolling. Please come in and find a seat and enjoy your talk. Without further ado, this is Haystack and Six Volts; let's give them a round of applause. Alright, go guys.

Hi there, I'm Six Volts. And I'm Haystack. I'm Haystack. And we're gonna be talking about cheap tools for heavy trucks. So there's a lot of differences between cars and heavy trucks, and we're gonna be talking about some of those. We're also gonna be talking about the R&D problems we face and how we got around them. And we're also gonna do some very preliminary stuff about networking protocols and standards; there's a lot to go over, so we're just gonna dump it all in a white paper for you to read if you really care that much. We're also gonna go over a new hardware tool that we built that should save you some money if you want to start getting into truck hacking, and also go over some light truck hacking adventures that we've had. Some quick notes: we're going to assume you're familiar with basic vehicle networking; if you're not, Google it. We assume you're familiar with the idea that if you get on the CAN bus you can do bad things. We are leaving out lots of details that are gonna be in the white paper; check the GitHub by the end of the week. And a safety disclaimer: if you hook up to a truck and start fuzzing it while it's moving, bad things could happen. Don't do that; we're not responsible if you do. We have done that. Do as we say, not as we do. So trucks, as we talk about them, are really anything with a big diesel engine in it. The thing that most people are familiar with are semi trucks, Class 8 over-the-road vehicles, but also dump trucks, wreckers, marine engines, big generators, agricultural equipment, anything like that is all gonna work largely the same way and is gonna be made by the same people.
An exception: diesel pickup trucks. So if you see Bubba in his Cummins Dodge Ram, that's just gonna act like a regular passenger vehicle. So many of the components that are in trucks have to be interchangeable, so you can get a Peterbilt truck with a PACCAR engine or with a Cummins engine, and you used to be able to get one with a Cat engine, so all of those parts have to work interoperably, like the brake controllers from different vendors, the engines, the transmissions. So they've had to agree to this standard so that all the electronics can speak to each other and the truck can actually work. So one of the major differences with heavy trucks is, if you do anything with passenger vehicles, a big part of your job is reverse engineering the protocol, because every manufacturer has their own thing. With heavy trucks, with big diesels, that's all been decided upon by the Society of Automotive Engineers beforehand, and it saves you a lot of time. So you may have read something in Wired recently: those guys just took a standard and injected traffic, and sure enough they were able to cause unintended braking and acceleration. So we're gonna talk a little bit about the telematics attack surface. Most heavy trucks that are out on the road in a fleet have a dash-mounted touchscreen that controls the driver's logs, navigation, gives them a way to communicate with the fleet, kind of like email, and in emergencies contacts the fleet and allows the truck driver to talk back to them.
They use the cellular network to connect to the telematics provider and the fleet, and these devices connect directly to the CAN and J1939 bus, and also the legacy J1708. Many of them run embedded versions of Windows like Windows CE or XP Embedded; that's kind of scary to me. Yeah, we've had some luck with rooting them by doing things like popping an SD card out of the back. So a big problem that we had when we started getting into this is, trucks are expensive. So like a Freightliner Cascadia, something like that, can cost over a hundred grand. Ouch. I do not have that kind of money. For the aspiring hacker, even if you were rich, they are big, hard to store, hard to drive. I can drive a five speed, a six speed, a one-down-four-up, but I can't drive a 14 speed. And they're also expensive to operate. So we didn't have one, and we still don't; we're trying to get one. So how do we experiment? We built this thing; we call this the truck in a box. So this is a bunch of components out of a heavy truck: the engine control module, the instrument cluster; there's a couple other things hiding in the back there, a power distribution unit and a National Instruments cRIO, and then the knobs are a bunch of potentiometers for sensors. The first one took about six months to build and cost about ten thousand dollars, thanks DARPA, but that's still a lot cheaper than the cost of a truck. Since then we've built over a dozen of those full-sized ones for different trucks and engines. We later compressed the concept into the size of a circuit board, but that's not pretty, so we're not going to show it off. So the concepts of the truck in a box: we wanted to recreate the vehicle networks, including J1939 and J1708. J1939 is built on CAN; J1708 is kind of RS-485, it's similar to J1850. It also fakes passive sensor signals. So usually oil pressure sensors and temperature sensors and things just measure voltage or resistance, and ECMs, the engine control module, tend to freak out if those things aren't present, so we're just trying to keep it from freaking out. Some of the more complicated signals are things like the accelerator pedal and the way the vehicle measures its road speed. This is the tone ring that's on the back of the tail shaft underneath the truck. On the left here we've got the actual sensor, and that tone ring spins past that sensor generating a magnetic field. So we hooked one up in a vise and put the sensor next to it, and then you get this kind of signal, so we can characterize that signal and then play it back to the ECM, and we can actually put miles on the truck on a bench. So I already talked a little bit about the two main networking protocols. J1708, like I said, is RS-485-ish, 9600 baud; there's some slight transceiver differences, and then there's also another SAE standard called J1587 that specifies everything all the way up to the application layer. J1939 is similar, but it's built on 250K CAN; if you're into this, you know the passenger cars are 500K. We also see ISO 15765, but only for diagnostic comms. Details in the white paper, like all the different protocol details; if you wanted to write your own implementation, we should be able to give you enough information to do that. So for J1708, the older protocol, messages are time-delimited, and you've got these things called MIDs and PIDs. The MID is analogous to the CAN ID; it's the first byte, and it tells you who on the network is talking. The PID comes right before any data in a message, so PIDs and data come after the MID, and unpacking those PIDs and the data is how you figure out what messages say. Mostly older trucks will have only J1708. There was a period where they would have both networks, J1587 and J1939, at the same time. Some newer ones will have components that use it. And then also there are these things called gliders; if you're a hot rod builder, you know it as a rolling chassis. People will order a truck with no motor in it, and the reason is because emissions regulations go by the date of manufacture of the motor and not the date of the truck. So they will have everything but the motor made, and these things will last for two million miles pretty easily, so they'll put the older motor in it. So you may see new trucks with old networks and old engines in them. So J1939 is the newer protocol, and it's based on 250K CAN. It's got extended IDs that are 29 bits long instead of 11-bit-long IDs like in cars. Sometimes they have some basic specs for source and destination, but those aren't enforced. There's address management, there's a transport layer message for fragmentation; there's about a dozen different documents that you can read through that are published by SAE, but they're all kind of thick. There's a couple of parameter group numbers, that's just like a message type, that are reserved for proprietary communications, and those are the fun ones.
And then also there's the vehicle diagnostic link connector, which is called a DLC or a DLA; this industry is terrible at acronyms, so there's always like five acronyms for the same thing. It's similar to an OBD-II scan tool in a passenger car. Also, it's OBD, on-board diagnostics, like O, not ODB, who is a founding member of the Wu-Tang Clan; people mess that up constantly, and it drives me a little nuts. It's basically a USB slash serial slash Ethernet to J1939 to J1708 bridge. These things are incredibly overpriced; they come at like seven or eight hundred dollars, and it's seriously just like I converted one thing into another thing, and it's two chips that they bought from someone else and soldered them onto a board. RP1210 is a standard that governs functions exposed by their drivers, so observing those driver calls is an excellent strategy for dynamic analysis of OEM software, because they're always the same name and they always have the same arguments in the same format, so you can sort of get a running analysis of what the different software packages are doing at various stages of ECM interaction. So we're releasing a new tool called the TruckDuck. It's a cape for the BeagleBone. It gives you two CAN channels and two J1708 channels, so you can do things like message filtering, recording, simulating an ECU. We've also got a custom OS image with the J1939 kernel extensions built in, and then Haystack wrote some stuff for using it in Python. He's also written a J1708 implementation in the BeagleBone's PRU, which is amazing; they're like little built-in microcontrollers on the thing. And this is what it looks like. Over on the right-hand side I've got the diagnostic link connector, that's the big DB15, two screw terminals as the green guys, and then it's got the power circuitry so that you can power it from the bus. So another thing that we released is an RP1210 tracer. So for a while, when we would reverse engineer what these software packages were doing, and when we were trying to reverse engineer the proprietary protocols, the best option was to buy a diagnostic link connector whose driver has debug logging capability. So you would flip a little switch in the driver software and it would say, you know, I sent this, received this, received this, sent this. The only one we know of costs seven hundred dollars; it's like the Cadillac of DLCs. That can be a lot of money for some people, especially if you're just doing bench testing on an ECM that you've got at a junkyard someplace, like us. And then I rolled an RP1210 API tracer that logs results of RP1210 function calls, so you're not dependent on the Cadillac of DLCs anymore, and it works with any of them, including the cheap eBay clones, for all two weeks that they work. And it allows you to decrypt and translate on the fly, and when we get into the what-we-did-with-this-stuff section you'll see that a little bit. But what is it good for? Like, all that stuff I just went through, all that and a buck will get you a cup of coffee, like 10 years ago. So you know, what can you actually do with this? So we wanted an attack, and we wanted to have a viable attack that could actually have some conceivable impact in the real world, but we didn't have a truck. So this presents an issue: if you're not driving something, it's very difficult to tell when brakes are applied when you have no actual brakes. So we needed something that we could do in vitro, and the solution was malicious ECM misconfiguration. So reverse engineer the protocol, and then send messages using that protocol to misconfigure the ECM. So most of the parameter configuration is done over proprietary protocol extensions. We promise not to give too many specifics out, so that you can't do very bad things to trucks that are on the road, because that would be pretty dangerous. We're going to give a demonstration of what is possible with the TruckDuck and the API tracing. So this is some proprietary traffic; you can see the messages here, I'll point it out. So we can see the FE there in the middle; that indicates that this is a proprietary message, and that's what you really want to look for, and the message down at the bottom is just something regular flowing across the bus. So initial notes from analysis of this protocol: the same process, clicking the same buttons in the software, yielded different network traffic every time, so this stuff was actually obfuscated slash encrypted, which is kind of unusual. A lot of the different manufacturers, including newer ECMs (this was a very old one), they're not encrypted or disguised in any way. Messages that appear to do the same thing are the same length, so it's not too obfuscated; no one's like padding to a block length and then doing stuff. It's simpler. And this is where I yada yada yada past a bunch of static analysis I did with dotPeek and IDA, because this is DEF CON and I don't want to try to teach pros how to use dotPeek and IDA. So after doing static analysis, I figured out what the bytes after the first three are. The first three are specified by SAE: the first byte is the source, the second byte says hey, this is proprietary and it's interesting, the third byte says this is the destination; in this case this is the DLC talking to the engine. This next code is proprietary, and that's a security setup, and then this low nibble over here on both ends, these are kind of degenerate keys; there's obviously not a whole lot of entropy in a four-bit key, but that's what they got. And so they pre-share that in order to carry out the rest of the protocol.
So then I found other command codes. So this high nibble F was the security setup, D is an encrypted write, C is an encrypted read, and then E is an encrypted read/write response, so no matter if it's responding to a write or a read, that's gonna be the format of the reply. The low nibble is the message code, and then there's this little formula where you take the pre-shared four-bit super-high-entropy key, add it to the code in the message mod four, and it indexes into a character array that's buried in a DLL someplace, and then you just XOR with everything, so it's XOR encryption made slightly less bad. So then after we decrypt it, I modified the RP1210 API tracer to decrypt all this on the fly, and then the pattern became a lot more comprehensible. You can see that it's just a very standard call-and-response type protocol, where you have a PID and then it says hey, you know, six zero, I want to see that, and then you get a bunch of ASCII characters; I'd have to look up what that is, honestly. And so what could we do with this? So now that we have this degenerate encryption algorithm and we know the PIDs and we can trace this stuff, if we get on the bus we can set parameters in the ECM. So the one that we chose was hard vehicle speed limit. So the governors in heavy trucks are just a byte that you write, and so we thought, hey, wouldn't it be cool if you just froze a semi truck at only being able to go 30 miles an hour. But that's still kind of boring, because if you can get on the bus physically, if you can get physical access, you can just cut the brake lines. You could compromise a telematics unit and then have it send these messages during a key-on-engine-off condition, but we wanted to do a little bit more.
So then, hijacking OEM software. Software is used in day-to-day operations of the fleet; we've talked about fleets being data hungry before, and as a result they are pulling data off these ECMs after every trip in many cases. So they're always pulling this data, and so unlike your passenger car, where unless you're throwing a check engine light and the dealership's putting it on a scanner, these things are interacting with software all the time, and so there are a lot of opportunities for things to change. So I repurposed the API tracer; instead of just decrypting and logging things on the fly, modifying, re-encrypting and writing. So let's see what that looks like. This is a screencast, because showing the full ECM would give away the brand, and I'm really bad at video editing. Also I'm very sorry about the free-version watermark; this stuff is expensive, and this is on my own dime. Okay, so at the beginning I started the kind of degenerate truck rootkit. I very artfully blacked out the manufacturer logo. This protocol is very slow, so I'm gonna try to patter a little bit while it's getting set up. So here you can see that the vehicle speed was at fifty-five miles an hour. Our hypothetical technician knows his drivers can't drive fifty-five, so he decides to bump it up to seventy, and as far as anyone can tell, that went fine; it was set to seventy miles an hour. And then after disconnecting we go and check and make sure that the truck mangler program is dead, and then we actually see what happened, and again we wait for the slowest vehicle protocol in the world.
For those who didn't hear the joke he made, LIN is in fact very slow. But there, so you know, we can see that in fact it was actually set to thirty miles an hour, and this guy would have gotten about a mile down the road and then would have had to realize that he had to turn back. And if you manage to keep this running and get persistence, there would be no way to tell, so they would be checking mechanical issues over and over. So I think this is a very viable attack with real impact. So for future work, we're gonna work on writing an RP1210 driver for the TruckDuck to allow easier traffic modification; it's even cheaper than some of the eBay adapter clones that you can get. We also wanna work on making the PC-side attack a little more interesting, so that the technician doesn't have to actually modify a parameter; it can just do it once they connect to the truck. We would really love to do some deeper firmware analysis on ECMs, you know, pull some chips, read some data and do some static analysis. We'll be in the Hardware Hacking Village and Car Hacking Village if you have any questions. We'll also have an ECM and a bunch of live demos of this stuff, so it's not just a stupid screencast with a watermark on it; you can actually play with this technology. Thank you very much.
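Added example, not code from the talk or from the TruckDuck project: a decoder for the two network layers the speakers describe. It parses an SAE J1708 frame into its J1587 MID/PID parameters, validates the frame checksum, recognises the PID 254 "data link escape" (the FE byte followed by the destination MID and vendor-specific bytes, which is what the talk points out as the proprietary traffic), and breaks a 29-bit J1939 identifier into priority, PGN, destination and source address, flagging the proprietary PGNs. The MID, PID, source-address and scaling constants are the SAE-assigned ones; the sample frames, the vendor bytes after PID 254 and the CAN IDs are constructed for illustration, not captured traffic, and the vendor "encryption" from the talk is deliberately not reproduced.

```python
"""Added example (not from the talk): decode SAE J1708/J1587 frames and
J1939 29-bit CAN IDs, flagging the proprietary messages. Sample traffic is
constructed, not captured from a truck."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MID_ENGINE = 128            # J1587 MID: engine #1
MID_SERVICE_TOOL = 172      # J1587 MID: off-board diagnostics #1
PID_DATA_LINK_ESCAPE = 254  # J1587 PID 0xFE: dest MID + vendor data follow
PID_EXTENSION = 255         # J1587: next byte is a page-2 PID (value + 256)
SA_SERVICE_TOOL = 0xF9      # J1939 SA 249: off-board diagnostic/service tool #1
# J1587 scaling for the two broadcast parameters in the sample frame.
J1587_SCALE = {84: ("road_speed_mph", 0.5), 190: ("engine_rpm", 0.25)}


def j1708_checksum(body: bytes) -> int:
    """Two's complement of the byte sum; the whole frame then sums to 0 mod 256."""
    return (-sum(body)) & 0xFF


def build_j1708_frame(mid: int, payload: bytes) -> bytes:
    body = bytes([mid]) + payload
    return body + bytes([j1708_checksum(body)])


@dataclass
class J1587Param:
    pid: int
    data: bytes
    proprietary_dest: Optional[int] = None  # set only for PID 254 messages


def parse_j1708_frame(frame: bytes) -> Tuple[int, List[J1587Param]]:
    """Split a J1708 frame into (MID, parameters); raises on a bad checksum."""
    if len(frame) < 2 or sum(frame) & 0xFF != 0:
        raise ValueError("J1708 checksum mismatch")
    mid, data, params, i = frame[0], frame[1:-1], [], 0
    while i < len(data):
        pid = data[i]
        i += 1
        if pid == PID_EXTENSION:          # page-2 PID; same length rules apply
            pid = 256 + data[i]
            i += 1
        base = pid % 256
        if base == PID_DATA_LINK_ESCAPE:  # FE: receiver MID, then vendor data to end
            params.append(J1587Param(pid, data[i + 1:], proprietary_dest=data[i]))
            break
        if base < 128:                    # PIDs 0-127: one data byte
            n = 1
        elif base < 192:                  # PIDs 128-191: two data bytes
            n = 2
        else:                             # PIDs 192-253: count byte, then n bytes
            n = data[i]
            i += 1
        params.append(J1587Param(pid, data[i:i + n]))
        i += n
    return mid, params


def scale_j1587(param: J1587Param) -> Optional[Tuple[str, float]]:
    """Convert a known PID's little-endian raw value to engineering units."""
    if param.pid not in J1587_SCALE:
        return None
    name, res = J1587_SCALE[param.pid]
    return name, int.from_bytes(param.data, "little") * res


@dataclass
class J1939Id:
    priority: int
    pgn: int
    dest: Optional[int]   # destination address for PDU1, None for broadcast PDU2
    sa: int
    proprietary: bool


def decode_j1939_id(can_id: int) -> J1939Id:
    """Break a 29-bit J1939 identifier into priority, PGN, destination, source."""
    priority = (can_id >> 26) & 0x7
    dp_bits = (can_id >> 24) & 0x3      # extended data page + data page
    pf = (can_id >> 16) & 0xFF          # PDU format
    ps = (can_id >> 8) & 0xFF           # PDU specific: dest (PDU1) or group ext (PDU2)
    sa = can_id & 0xFF
    if pf < 240:                        # PDU1: addressed, PS is the destination
        pgn, dest = (dp_bits << 16) | (pf << 8), ps
    else:                               # PDU2: broadcast, PS is part of the PGN
        pgn, dest = (dp_bits << 16) | (pf << 8) | ps, None
    proprietary = pf in (0xEF, 0xFF)    # Proprietary A/A2 (PF 239) and B (PF 255)
    return J1939Id(priority, pgn, dest, sa, proprietary)


# Constructed sample traffic modelled on what the talk describes.
ENGINE_BROADCAST = build_j1708_frame(
    MID_ENGINE, bytes([84, 110, 190, 0x80, 0x25]))           # 55 mph, 2400 rpm
TOOL_PROPRIETARY = build_j1708_frame(
    MID_SERVICE_TOOL, bytes([PID_DATA_LINK_ESCAPE, MID_ENGINE, 0xF3, 0x60, 0x01]))
CAN_EEC1 = 0x0CF00400     # prio 3, PGN 0xF004 (EEC1) broadcast from SA 0 (engine)
CAN_PROP_A = 0x18EF00F9   # prio 6, PGN 0xEF00 (Proprietary A), service tool -> engine

if __name__ == "__main__":
    for frame in (ENGINE_BROADCAST, TOOL_PROPRIETARY):
        mid, params = parse_j1708_frame(frame)
        for p in params:
            tag = scale_j1587(p) or ("PROPRIETARY -> MID %s" % p.proprietary_dest)
            print("MID %3d PID %3d %-10s %s" % (mid, p.pid, p.data.hex(), tag))
    for can_id in (CAN_EEC1, CAN_PROP_A):
        print(hex(can_id), decode_j1939_id(can_id))
```

The checksum check only catches corrupted frames. J1708 and J1939 carry no authentication, so a forged frame with a valid checksum and a plausible source address is indistinguishable from the real engine or service tool, which is exactly why a device on the bus can rewrite ECM parameters the way the talk demonstrates. The same parser can therefore be pointed at a bus tap to log which nodes are sending PID 254 or proprietary-PGN traffic and when.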