Hi, my name's Corey. The title of this talk was Insecure by Law, but we're going to be talking about hacking heavy trucks and the dongles that are associated with them. I work as a senior security researcher at IOActive, and prior to this I did some auto dongle work at a company called Digital Bond, doing the Progressive dongle research. Basically, what gets me hot about cars is when we start connecting third-party aftermarket stuff, expanding the attack surface and making it more interesting, because cars by themselves are sort of insecure by design in my opinion, and we're not really going to fix that. We'll get into that in just a minute.

So, a basic overview of what we're going to talk about: we're going to go through a real quick CAN primer. We're going to talk about heavy trucking, because understanding the context of why this matters is important to this particular research. Heavy trucking, even though a lot of the technologies are the same, is fundamentally and culturally a little bit different, and so is its impact on the world. Then we'll go into the analysis of some of the logging devices that we got, talk about a cool little event that happened about three weeks ago called the Cyber Truck Challenge, and then we'll go through a summary of what came up.

So, back to what I jumped into earlier. When it comes to car hacking, if you haven't spent time sitting down in the village out there, looking at different stuff and sending some CAN bus messages and that kind of thing, I encourage you to do so. But when we talk about car hacking, in my opinion it's a little bit interesting and kind of boring at the same time, because when you're talking about CAN bus and vehicle messages you're really talking about an eight-byte payload maximum and an arbitration ID. So you've got an address and a payload, and there's no authentication, there's no anything on there. It's just a basic bus.
So when you talk about car hacking and you're looking at controlling a vehicle with these types of messages, different auto manufacturers use different IDs to mean the same thing. For GM, for example, the ID of the message on the bus that carries the current RPM of the engine might be different than on another make, and it might be at a different offset within that payload too. So the address might be 310, and the RPMs might be the last two bytes, with the first two bytes being some kind of flag setup, for example. When it comes to car hacking, these are the kinds of messages people are usually talking about when you're doing reverse engineering of vehicles. So when Charlie and Chris were doing stuff, when other people have gone through and published car hacking things, the hard problem when it comes to car hacking is mostly figuring out what messages do what. When I look at it, that's very interesting and it is a hard problem, but it's kind of boring because you're not ever going to fix this. It's insecure by design, a term I'm borrowing from industrial control systems, which is where I came from before getting into auto, and the realization is that this is a broken protocol and we're not going to be able to put real security on top of it.

So that's why I get interested when we add on a different attack surface. When we're putting a dongle in between this insecure bus and the internet, that's when I'm really like, okay, we should take this seriously, because yes, this is insecure by itself, but it's not until you start connecting it that it becomes serious. Same thing with power plants, which is where I was before. We started connecting those because people want to control and monitor their plants from their living room on a Saturday; nobody wants to drive 40 miles out to a substation in the middle of nowhere to do something when you can use remote connectivity to do it.
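As an added example, not from Corey's talk and not code from any of the devices it describes: a small C decoder for the two kinds of frame the talk contrasts. The 0x310 map (two flag bytes, RPM in the last two bytes, big-endian) is the talk's illustration taken literally and is hypothetical. The 29-bit part goes beyond what the talk says at this point: it assumes the standardized truck scheme the talk refers to later is SAE J1939, and decodes the ID fields plus the engine-speed parameter from the EEC1 group, including the J1939 not-available marker that a naive decoder would report as a real speed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t id;        /* arbitration ID: 11-bit (standard) or 29-bit (extended) */
    bool extended;      /* true for 29-bit IDs, which is what heavy trucks use */
    uint8_t dlc;        /* data length code, 0..8 */
    uint8_t data[8];    /* payload, at most eight bytes */
} can_frame_t;

/* --- Passenger car: OEM-specific layout that has to be reverse engineered.
 * Hypothetical mapping from the talk's illustration: ID 0x310 carries two flag
 * bytes, with RPM in the last two bytes (big-endian is an assumption). --- */
#define OEM_RPM_ID 0x310u

/* Returns RPM, or -1 if the frame is not the RPM message or is too short. */
int oem_decode_rpm(const can_frame_t *f)
{
    if (f == NULL || f->extended || f->id != OEM_RPM_ID || f->dlc < 8)
        return -1;
    return (f->data[6] << 8) | f->data[7];
}

/* --- Heavy truck: SAE J1939 over 29-bit CAN (assumed here to be the
 * "standardized" scheme the talk mentions; the talk does not name it). The ID
 * encodes priority, Parameter Group Number (PGN) and source address, so no
 * per-make reverse engineering is needed to know what a message is. --- */
typedef struct {
    uint8_t  priority;   /* bits 26..28 */
    uint32_t pgn;        /* parameter group number */
    uint8_t  dest;       /* destination address, 0xFF = broadcast */
    uint8_t  source;     /* source address of the sending ECU */
} j1939_id_t;

bool j1939_parse_id(uint32_t id, j1939_id_t *out)
{
    if (out == NULL || id > 0x1FFFFFFFu)
        return false;                      /* not a valid 29-bit ID */
    uint8_t edp = (id >> 25) & 0x01;       /* extended data page */
    uint8_t dp  = (id >> 24) & 0x01;       /* data page */
    uint8_t pf  = (id >> 16) & 0xFF;       /* PDU format */
    uint8_t ps  = (id >> 8)  & 0xFF;       /* PDU specific */
    out->priority = (id >> 26) & 0x07;
    out->source   = id & 0xFF;
    if (pf < 240) {                        /* PDU1: PS is a destination address */
        out->pgn  = ((uint32_t)edp << 17) | ((uint32_t)dp << 16) | ((uint32_t)pf << 8);
        out->dest = ps;
    } else {                               /* PDU2: PS is part of the PGN, broadcast */
        out->pgn  = ((uint32_t)edp << 17) | ((uint32_t)dp << 16) | ((uint32_t)pf << 8) | ps;
        out->dest = 0xFF;
    }
    return true;
}

/* Engine speed (SPN 190) is carried in PGN 61444 (EEC1), bytes 4-5,
 * little-endian, 0.125 rpm per bit. Raw values 0xFB00 and above are J1939
 * error/not-available markers and must not be reported as a speed. */
#define J1939_PGN_EEC1 61444u

double j1939_decode_engine_rpm(const can_frame_t *f)
{
    j1939_id_t id;
    if (f == NULL || !f->extended || f->dlc < 8 || !j1939_parse_id(f->id, &id))
        return -1.0;
    if (id.pgn != J1939_PGN_EEC1)
        return -1.0;
    uint16_t raw = (uint16_t)(f->data[3] | (f->data[4] << 8));
    if (raw >= 0xFB00u)
        return -1.0;
    return raw * 0.125;
}

int main(void)
{
    /* Constructed sample frames, not captures from a real vehicle. */
    can_frame_t car = { .id = OEM_RPM_ID, .extended = false, .dlc = 8,
                        .data = { 0x01, 0x00, 0, 0, 0, 0, 0x03, 0x20 } };  /* 0x0320 = 800 rpm */
    can_frame_t truck = { .id = 0x0CF00400u, .extended = true, .dlc = 8,
                          .data = { 0, 0, 0, 0x80, 0x25, 0, 0, 0 } };      /* 0x2580 * 0.125 = 1200 rpm */
    j1939_id_t jid;
    j1939_parse_id(truck.id, &jid);
    printf("car RPM (OEM map): %d\n", oem_decode_rpm(&car));
    printf("truck PGN %u from SA 0x%02X: %.1f rpm\n", jid.pgn, jid.source,
           j1939_decode_engine_rpm(&truck));
    return 0;
}
```

The point for a dongle author is the asymmetry the talk describes: on the passenger side the meaning of 0x310 is an assumption that has to be verified per make, while on the truck side the ID alone tells you the parameter group and which ECU sent it, which is exactly what makes bus isolation at the diagnostic port the relevant control rather than obscurity.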
So the advantages are there. Same thing with auto: we want to get as much telematics off of an engine as we can so we can do things like predictive failure analysis, really cool shit, but that also means we're taking these fundamentally broken things and connecting them to the internet. That's where the attack surface increases, and where it gets pretty interesting from my perspective.

So we're going to depart from all that. Basically what I said was more on the passenger vehicle side, and now we're going to talk about trucks, because trucks do use CAN bus underneath, but it works quite a bit differently. The United States, for one thing, because that's what I have statistics on, heavily depends on the trucking industry. The idiom in the trucking industry is, "If you bought it, a truck brought it." If the trucking industry goes down, it's one day before you can no longer get fuel at gas stations, and three days before you can no longer get food and items off your grocery store, department store, or Walmart shelves. So this is critical infrastructure for the United States of America; the trucking industry is significantly important when it comes to just keeping our lives operating.

The other thing to note about the trucking industry is that there are regulations that prevent drivers from overexerting themselves by driving too long, and all of that is recorded in logbooks. A driver has to record how long they were driving, when they took a lunch, that kind of thing, and you're limited to make sure that everybody's safe. There's a good reason we have those regulations in place. But the problem is that checking logbooks is fairly tedious, and people can lie. We don't want those truckers lying to us in their logbooks; we want to make sure they're obeying all the rules, because naturally you're incentivized to move as much product as possible.
Maximize your profits, that kind of thing, or sometimes you just want to get home earlier than before. So when people are going around our regulation, the natural solution is to add more regulation. It's like brute force, right? If brute force isn't working, you're not using enough. If regulation isn't working, we're just going to add more, and that's how we're going to solve this problem. So that's what they did. There are other reasons for it, not just solving the logbook fraud or misuse problem, but the government mandated these electronic logging devices. There was a law passed that said by December 2017 all trucks have to have this electronic logging device, and that's what we're going to use to monitor and make sure everybody's obeying the regulations, and get some extra gravy on top in terms of what kind of analytics we can do on that data. And it is 444 pages long, which is awesome. That's the kind of thing that somebody who's going to manufacture these dongles, or use the dongles, has to sort through to make sure they're compliant.

So in looking through the 444 pages, I'm just going to highlight a couple of awesome gems for you. I went to the table of contents and I'm like, "quality assurance," all right, that's probably where security lives. And it's right here; the entirety of it says "insert quality assurance section here." And this is the finalized version; these are the guidelines in those 444 pages. So the quality assurance section is nonexistent, and that's concerning, because security is sort of glorified QA really: making sure that the system does what it's supposed to do and that it doesn't do anything else, that's what security is all about. So to have these sections empty is a little concerning.
But there is some good in the 444 pages. If anybody's ever worked in the government, or known anybody putting these documents together, it can be a process, but for this particular section I think whoever was in charge of writing it maybe knew a thing or two. This section applies under certain circumstances, like if there's an officer at the vehicle, and there's Wi-Fi on but not cellular and not Bluetooth, and Mars is in the fourth quadrant of the universe, then you apply this section, and this is the only mention of TLS or SSL or any kind of secure communications. So it's only in this one section that we're talking about it. But it's in the document, so it's there somewhere; it's when it comes to actually figuring out whether a device implements this that there's trouble.

So let's say you're a dongle manufacturer and you want to get in on this sweet cheddar that's coming out. The government's mandating something, so there's going to be guaranteed money there, so let's go ahead: even though we make macaroni and cheese for our business, I think we can probably get in on this and get some of that awesome money coming out. So you say, 444 pages, man, how are we going to make a dongle that meets all the requirements in there? But it's okay, you don't have to worry, because the only requirement is that you self-certify. If you self-certify that you meet all the requirements, then you're good, everything's great, you're awesome, you're going to start making some money, you're going to get on the list of all the approved dongles and be good to go. The list is maintained by the FMCSA, and obviously the government doesn't make any claim that you actually meet the requirements; this is the reason for self-certification.
If you've ever been in the government, then you totally understand why they did that, because that takes the liability off of you and puts it on the people who make the dongle. But there were over 70 at the time of the screenshot, and I'm sure it's increased lately. There's a lot of them, and you can just go and get any of these and it will do your electronic logging for you. What they tend to look like is something like this; this one is available at Walmart. So as a consequence of this mandate, you've got guaranteed money there, so you've got a bunch of people entering the market with stuff, and as a consequence the barrier goes real low in terms of how commoditized the hardware is and how commoditized the solution is. This particular one is available at Walmart. There are also some that, if you go to a truck stop, you can probably walk the shelves in the trucking area and you'll find ELDs prepackaged on the shelf, ready to pick up, and then you just plug it in and now you're compliant. So it's heavily commoditized, there are a lot of players in the space, and the only requirement is that they're self-certified.

But as we go forward, it is actually still under contention. There are people who have some altruistic reasons, but this bill was just put in; I had to add the slide because it was just added two weeks ago, I think. A representative from Texas put this bill forward to try and kick back the adoption another two years, so they want to extend it.
They cited cybersecurity vulnerabilities, or cybersecurity concerns, as one of the reasons, so that's significant. At least we're being used as a scapegoat, even if it's not actually true, but hey, either way somebody's going to care about cybersecurity as we go forward, hopefully; or maybe nothing will change and it's just going to be two years before they're required to adopt it. I don't know; depending on how cynical you are, you may fall on one side or the other. But the other reason is logistical concerns, because some things like livestock get exemptions to the driving rules and that kind of thing, so they're trying to make sure that their business is protected from this ELD thing, and I suspect it's actually less about the cybersecurity.

So after we saw all this we got excited, like, all right, there's a bunch of them, let's go shopping. So we did, and we picked up some. As a caveat for this research, if you are a POC or GTFO person then you can probably GTFO, because I'm not dropping a full weaponized 0-day payload or anything right now. The whole point of this research was breadth first, not depth first. Trying to figure out how to hack a particular dongle and come up with an exploit with a Metasploit module, that's not what the point was. The point was to get a few of these things and see what the general security setup was with these commoditized dongles, because especially when there's 70 of them I didn't want to get in the position where we got one of them and that happened to be the bad one but the rest of them were good, you know what I'm saying? So we did a breadth-first search of the dongles to figure out what's going on. We got ELDs from three different manufacturers; again, these are consumer off-the-shelf, you just go pick them up or you order them directly from them. The suppliers were chosen at random, and again, being breadth first, this was more to get a sense of the industry, so I'm not trying to pick on any given supplier in any of this. So please, as another caveat, do not take this to say that if I have a supplier's name, or I'm holding one right here, these guys are the only bad guys. But I will give you a particular tip about this one because it's cool.

So going forward, we got them, we ordered them, and we started off great, with an awesome start. We got some emails to sign up, because almost all of these have companion apps or back-end stuff, and it's like, here you know, an address, and they put the password in a GET parameter. That's a small vulnerability, it's not really a big deal, people do it all the time, but that was the first experience with any of these, so it was sort of like, all right, the bar for the average, in terms of what I've grown to expect out of hardware stuff, is pretty low, and so far it looks like we're par for the course just starting out.

So we got them and then we began to do some hardware analysis. That's this one taken apart, and it's actually just a very simple single board with a cellular daughterboard, but it comes down to an ARM processor, some SPI flash, and a CAN transceiver, and that's it. Basically we're talking very simple, very minimal: how cheap can we make this thing, how fast can we get it out to market, this is what we're going to do, and that's what it comes down to. This one is also equipped with Bluetooth and has a cellular daughterboard as well, and you can see, if anybody does any hardware hacking, there are some interesting pads there that were fun to play with. The connector is not exposed; you'll see that connector over the top, not exposed here, but if you take the top of this thing off, which is kind of what I was hoping somebody had a pin for, but that's all right. And then this is another example of a similar type of thing: you've got your processor, you've got your SPI flash, you've got your CAN transceiver, and then a bunch of power regulation and that kind of thing, and usually some kind of communications chip on top that they speak with over a serial line in order to do the communications.

Then another one looks like this. This one is interesting because it has a screen, so it's a little bit more complicated; there's some other cool stuff playing with it. This one's also interesting because it doesn't plug into the truck, so, spoiler alert, this one's the most secure, in terms of whether you're affecting the truck or not. But unfortunately you can't legally use this one, because legally, as the document says, it's required to plug into the truck to get information out of the truck. Unfortunately. But they're self-certified, so maybe it's fine. And this is similar; underneath there are a lot more components because we've got a screen and a printer on it, which was cool. With this one, if you want the full logbook out, you go and it prints it, and then you can hand that to your regulation officer. This is another one, another screen, the same one, with a ribbon cable that goes out and that kind of thing, and the SIM there for cellular back-end communications. But again, this one isn't hitting the truck directly, whereas this one plugs in; the other one that we looked at had a cable that you then plug in and feed to the unit.

So after doing some hardware analysis, pulling flash, seeing if we could get the debug going, that kind of thing, then you jump into the software, and of course the first thing that you do is the best hacker tool ever, strings. That's the first step I always do whenever I'm going to look at new firmware or anything, because interesting things pop out of there. So here we've got, and this is sort of purposely obtuse or difficult to read, but you've got the full path to somebody's directory structure for how they were building out the project. His name is Jenkins, which is an awesome name, so I imagine they're sitting around and the team's like, "God, Jenkins, we need to get this pushed out right away."

[Audience comment, not captured in the transcript.]

Oh, okay. All right. Dammit, you ruined my awesome story. I was unfamiliar with that. You foiled it. Sorry. Can I choose to disbelieve the truth? I'm just kidding, no, I appreciate that, I didn't know that actually. Okay, cool.

So this might be some of that same, no, this one was from a different unit, so this is not the one that was built out of Jenkins, I don't believe. But then we're looking at the Bluetooth pairing stack for this other unit, just doing some basic reverse engineering, and what it comes down to is, again, this was breadth research, so it was mostly like, how are they using strcpy and insecure banned functions that we shouldn't be using anymore? Let's use memory-safe versions instead, that kind of a thing. So basic software analysis; again, we weren't trying to get a POC or anything like that on there.

So you don't have to just take my word for it either when it comes to what the security opinion of these devices is. Like I mentioned, about three, maybe it was four weeks ago now since we've been in Vegas for a week, they had a cybersecurity challenge out in Detroit that the Army TARDEC sponsored, where they brought students from 12 different universities (12 is the correct number, I believe) and community colleges. There were two days of class and then two days of hands-on.
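As an added example (mine, not code from the talk or from the Bluetooth pairing stack it looked at): the strcpy pattern the talk flags in firmware like this, next to the bounded version a reviewer would ask for. The message layout (one length byte followed by that many name bytes), the struct and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEER_NAME_MAX 16   /* fixed buffer, as in the kind of firmware described */

typedef struct {
    char    name[PEER_NAME_MAX];
    uint8_t paired;        /* sits right after the buffer; an overflow lands here */
} peer_t;

/* Banned-function pattern the talk describes: strcpy from input the remote
 * side controls into a fixed buffer. Any name of PEER_NAME_MAX bytes or more
 * overruns `name`. Kept only for contrast; nothing below calls it. */
void peer_set_name_unsafe(peer_t *p, const char *name)
{
    strcpy(p->name, name);
}

/* Bounded replacement: validate the length, reject rather than silently
 * truncate, and terminate explicitly (strncpy alone would not guarantee that).
 * Returns 0 on success, -1 on any rejected input; `p` is untouched on -1. */
int peer_set_name(peer_t *p, const uint8_t *buf, size_t len)
{
    if (p == NULL || buf == NULL)
        return -1;
    if (len == 0 || len >= PEER_NAME_MAX)      /* leave room for the NUL */
        return -1;
    if (memchr(buf, '\0', len) != NULL)        /* embedded NUL: not a valid name */
        return -1;
    memcpy(p->name, buf, len);
    p->name[len] = '\0';
    return 0;
}

/* Parse a name message. The classic bug is trusting the length byte; here the
 * declared length is checked against what was actually received. */
int peer_parse_name_msg(peer_t *p, const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1)                /* claims more bytes than present */
        return -1;
    return peer_set_name(p, msg + 1, declared);
}

int main(void)
{
    peer_t p = { .name = "none", .paired = 0 };
    /* Constructed messages: a valid 5-byte name and one that lies about its length. */
    const uint8_t good[] = { 5, 'T', 'r', 'u', 'c', 'k' };
    const uint8_t lying[] = { 200, 'A', 'B' };
    printf("good: %d -> \"%s\"\n", peer_parse_name_msg(&p, good, sizeof good), p.name);
    printf("lying: %d -> \"%s\" (unchanged)\n", peer_parse_name_msg(&p, lying, sizeof lying), p.name);
    return 0;
}
```

The two checks that matter are done before any byte is written: the declared length against the bytes actually received, and the validated length against the buffer. That is the difference a grep for banned functions is really looking for; swapping strcpy for strncpy without those checks just trades an overflow for an unterminated string.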
So we had a couple of trucks there that the students actually got to plug into, so it was kind of like the Car Hacking Village, except in a more controlled environment and with a little bit of hands-on class learning as well. Most of the students (I won't say none) had never done any hardware hacking, had never had any exposure to anything like that, so they got to come in and play with things. They had multimeters, soldering irons, chip readers, that kind of thing, available for them to use, and it was a really cool event. But if you know anything about the trucking industry, it's an interesting culture, and they didn't want to talk about this event in public very much, which I think is unfortunate, because it's really cool. They're sort of going forward in terms of cybersecurity, thinking about it, trying to encourage people to look at stuff, but they didn't want to talk about it too much. I found this article, I don't know if it was authorized or not, but there was this article in the Detroit Free Press about it, and it was a really cool event.

So the students tore apart this particular one that I'm talking about here, and this is in one day actually, so for only one day that they spent looking at it. I'll give a shout-out to GRIMM; Mitch from GRIMM was one of the instructors who walked them through and encouraged them as they were learning about this, so shout-out to them. This is what they did: they extracted the firmware over Serial Wire Debug, because the debug interface is wide open on this as it ships from the factory; there's a lack of encryption in any of the firmware or communications; they were able to do basic dynamic analysis using GDB; but ultimately the student opinion of the device security is low to nonexistent, unfortunately.
But the reason I said I was going to tell you something cool about this sort of ties in here, because this is, I think, around 150 bucks for this thing. There are other toolkits to help you get into truck hacking, or interfaces to communicate on the bus of the truck, and some of those go for thousands of dollars, but if you just buy one of these then you've got Bluetooth access to the truck bus for pretty cheap. Really, when I'm working on it I prefer a BeagleBone with a CAN bus cape and then manually controlling stuff that way, but this is really a great alternative because it's open, you can flash your own firmware to it, it's really straightforward to get your own thing on there. So if you buy one of these it can become your truck hacking interface instead of buying some expensive thing, or, if you don't want to mess with wires and getting connectors and stuff like that with a BeagleBone, then this is a great compact package for all of that. So I'm not sure I would recommend it as an ELD, but as a car hacking device it's pretty good.

So the conclusions, the security overview: again, the bar is fairly low, and everything was basically par for the course. Devices were shipping with debug enabled, the firmware was easily accessible, you can just grab it straight off the chip, there's lots of use of banned functions within the firmware, general insecure coding practices, that kind of a thing, which is unfortunately expected at this point. I think anybody in hardware hacking or IoT, or anybody who does any embedded security, knows that's a pretty common thing, but it's a little bit unfortunate, because there are (well, I'll talk about it) there are companies who were in this business before the ELD mandate came out, and then everybody entered the thing and they kind of get lost in the noise, even though they're making significant effort and spending money on cybersecurity. We'll talk about that when we get to impact at the end.

But what is the potential impact if we've got a vulnerable device here? We know that it uses insecure coding practices, and if we can access this from the internet or from Bluetooth (whether you consider Bluetooth a remote attack or a physical attack, given the short ranges, is up to you; I think some people are on either side of that), if you've got a remotely exploitable device and you're plugging it directly into the truck, that does matter, and the trucking companies are doing work to try and isolate this threat. One of the things you can do on the buses is, oh, I meant to mention this at the beginning: if you've ever done any OEM car hacking, you know how the IDs are different with a GM versus a Ford versus whatever. In trucking it's all standardized, so you don't have to do any of the reverse engineering, or very little of it, to figure out what ID does what. There's a straight-up document that'll tell you, if you want to request torque, this is the message that you send, so that makes it easier when crafting payloads to potentially exploit it. So if you're a heavy truck manufacturer, you probably want to isolate that if possible: not allow a device that's plugged into the diagnostics port to be able to send that message. But the problem is that there are things that plug in that legitimately need to send that message, which is interesting, and this isn't just the trucking industry. When you talk about emergency response vehicles: I used to work as a volunteer firefighter, and we would be in the city department with the engines, and you're going to be sending those request-torque messages when you need to use your pump and spray your hose to fight a fire; you have to torque up the engine. So it's some of that same kind of thing. As we're getting into more sophisticated trucks, and we're getting more drive-by-wire, autonomous, that kind of a thing, it's going to be more significant, and we need to make sure that we're isolating these out.

But heavy trucking is critical infrastructure, so in my opinion it's a little bit more significant, and you approach the problem slightly differently than your average passenger vehicle, even though passenger vehicles are also super cool, because you're talking about multi-thousand-pound robots that are under the control of an attacker, which is significant. When we start to get to the physical side, where cybersecurity meets physical and you do the cyber-physical (if anybody's got bingo cards I can just ramble through them right now and we'll make sure you get your blackout things or whatever so you can win your prize), the cyber-physical aspect to it is significant and important, and that's what makes this hacking a little bit different than some of the others. So the impact is potentially significant. As an example, if there is a slowdown in the mountain pass in Denver, that gets felt by the carriers all the way back to the east coast, so you've got delays all the way back across half the United States because of how tight everything is and how significant that can be.

Has anybody read Daemon by Daniel Suarez? Oh man, nobody? That's an awesome book, you should read that book. It was written probably like ten years ago or so, I think, but it's really great because it starts talking about autonomous cars, and if they're under control and they become part of a fleet, then it is cyber-physical, where that can be controlled in the physical world. Plus, like any good cyberpunk, there are also autonomous motorcycles, and then they put katanas on the motorcycles so they drive around; it's totally awesome. I recommend that book, it's great; there's also a sequel.

But yeah, as mentioned, a problem in Denver can affect it. The other thing that I think is interesting is, you know, these are, in my opinion, easier to spoof than a logbook. Maybe it's just because of my own morality, but if I'm looking at a person I have trouble lying to you, because I like people. I feel like I'm generally a good guy and I don't want to lie to your face, so if an officer says, "hey, how much did you drive," I'm probably going to tell him the truth. But I'll lie to a computer all day long, because computers are evil and Skynet's going to take us over and kill us all; Elon Musk and I agree on that point, not exactly, but it's much easier to lie to a computer than it is to a person. When you're talking about insurance fraud, or fraud related to this, when I started getting into the Progressive work I was able to piggyback off of a lot of research done by the community for insurance fraud purposes. They were saying, you know, we plugged our dongle in and, oh, we only drive to church on Sunday and back and we never go over 25 miles an hour; that was what they were doing with the insurance dongles, and so they had identified how some of the components worked, and I think that same thing sort of applies to this. If you're talking about trying to actually solve the problem with regulation, I'm not sure that this does it, because non-repudiation is a hard problem. It's a problem that we can solve, but that's related to security, and this doesn't have any of that stuff, so how do you actually solve that problem? It's difficult.

So in summary, the flash card, I guess, for the Insecure by Law talk is: we've got electronic logging devices that replace driver logbooks, mandated by the United States government; the devices are heavily commoditized and fail to follow cybersecurity best practices in general; and the impact to US critical infrastructure is real. We have to care about this massive increase in attack surface with commoditized hardware. And, like I mentioned before, it's sort of unfortunate because there are companies who are spending effort to make this better, telematics companies who have maybe been doing this for a while, but they sort of get lost in the noise a little bit. I mean, there were seventy things, eight pages of different devices, and if you're just trying to find one, you're just going to grab the first one you see, right?

So I really don't ever do this in talks, but I would like to do a brief exercise where we're going to do a show of hands, I apologize. When we're also thinking about the impact of this, and it's three days before, let's use Walmart as an example, Walmart shelves are starting to get empty: I'd like a show of hands one way or another. First, if you think that Walmart will be the one that the average consumer blames for the problem, even if the news says "we've got a heavy trucking cyber vulnerability, our goods aren't shipping appropriately," whether it's just a DoS and they're not shipping: will the average consumer blame Walmart, or the trucking industry's insecurity? So a show of hands for people who think that the average consumer won't make that abstract leap from the thing that they see in their face to the trucking; who thinks that Walmart will be blamed instead of the trucks? Okay. And who's on the side that people will blame the trucks instead? All right, so very clearly a lot of you think that if we have a problem with the transportation infrastructure, the end unit is the one who sort of catches the blame for it. They definitely won't blame this. Yeah, you are right, I think I agree. Does anybody think they'll blame this, if this is what caused it? Yeah, they'll blame Russia, they'll blame whoever they're told to blame, probably, is what'll actually happen, which is sort of an unfortunate thing, and we can rant about that for a long time. But when it comes to this, yeah, that's interesting: they're pretty much definitely not going to blame this. It's going to be the carriers, OEMs possibly, or more likely the end thing that's in somebody's face, because the average person doesn't care; they're going to do what they first see and get the problem solved and out of their face. Do you have a... yeah, that's true, that's true. If you get enough that says Walmart, they're going to blame Walmart; if they get enough that goes into some kind of detail, or it ends up on one of the longer news programs like, say, 60 Minutes, then they might be able to make that abstract leap. Yeah, I think that's an interesting discussion in terms of the human psyche and how they approach problems and whatnot, but I don't pretend to be a psychologist in any way; I work with deterministic things like computers because they're easier. So, yeah, thanks for coming very much, and I appreciate it.