Compromising an Electronic Logging Device and Creating a Truck2Truck Worm

Presented at DEF CON 32 (2024), Aug. 10, 2024, 4 p.m. (20 minutes).

Presented by Jake Jepson and Rik Chatterjee, two Systems Engineering Master's students at Colorado State University, this talk delves into the critical security implications within the trucking industry, particularly focusing on Electronic Logging Devices (ELDs). These devices, integral to compliance with Hours of Service regulations, present unique cyber-physical threats due to their networked nature and lack of standardized security protocols. The presentation will walk through examining potential remote exploits via wireless ELD compromise, leading to cyber physical control payloads and even wormable scenarios. Key vulnerabilities identified include insecure defaults and poor security practices shown on a commercially available ELD. These vulnerabilities not only expose truck networks to potential unauthorized control but also highlight systemic issues in device certification and security oversight. The talk will cover their journey from acquiring and reverse engineering ELDs, discovering their common architectures and weaknesses, to demonstrating proof of concept attacks that underline the urgent need for industry-wide security reforms. Notably, Jepson will discuss his first CVE, detailing the coordinated disclosure process and subsequent manufacturer response. This session is semi-technical, ideal for cybersecurity professionals and amateurs alike, interested in vehicle network protocols, and embedded systems security. Prior knowledge of network protocols such as CAN and J1939, along with an understanding of firmware reverse engineering, will enhance the learning experience, but is not required. Tools and techniques used include network scanners, reverse engineering platforms like Ghidra, and various wireless communication methods. By attending this presentation, participants will not only understand the specific security flaws affecting heavy vehicles but also appreciate the broader implications for embedded systems security in transportation. This talk is a call to action for improving security practices and regulatory standards in an increasingly interconnected world. 1. Bureau of Transportation Statistics, United States Department of Transportation. "National Transportation Statistics (NTS)." Accessed December 19, 2023. [link](https://tinyurl.com/rosapntlbtsNTS). doi:10.21949/1503663 2. “Economics and Industry Data.” American Trucking Associations. [Online]. Available: [link](https://www.trucking.org/economics-and-industry-data) 3. Technology, Syrma Sgs. “Automotive ECU: The Core Component for Connected Cars.” Electronic Manufacturing Services - Syrma SGS Technology, 15 July 2021, [link](https://www.syrma.com/ecu). Picture: “M156 ECU Upgrade.” DYNE Performance, [link](https://dyneperformance.com.au/product/m156-ecu-upgrade/?currency=AUD). Accessed 22 Apr. 2022. 4. “J1939-13.” SAE International. 5. “Moving Ahead for Progress in the 21st Century Act (MAP-21).” U.S. Department of Transportation. [Online]. Available: Moving Ahead for Progress in the 21st Century Act (MAP-21) 6. “ELD List.” FMCSA. [Online]. Available: [link](https://eld.fmcsa.dot.gov/List) 7. [link](https://us.amazon.com/EZ-ELD-Solution-Electronic-Logging-Device/dp/B071FN5RKN) 8. [link](https://www.overdriveonline.com/electronic-logging-devices/article/14888881/rule-to-require-speed-limiters-could-come-this-week-e-log-rule-expected-soon-too) 9. [link](https://www.garmin.com/en-US/p/592207) 10. [link](https://fccid.io/2ALBDPT30)

Presenters:

• Rik Chatterjee - Graduate Research Assistant, Department of Systems Engineering at Colorado State University
  Currently, Rik serves as a graduate research assistant in the Department of Systems Engineering at Colorado State University, working under Dr. Jeremy Daily. His role involves research on security of protocol implementations and cybersecurity in the domain of commercial heavy and medium duty vehicles. Driven by a passion for securing embedded systems, Rik's work emphasizes the importance of robust security measures in protecting critical transportation infrastructure against emerging cyber threats.
• Jake Jepson - Graduate Research Assistant, Department of Systems Engineering at Colorado State University
  Currently, Jake serves as a graduate research assistant in the Department of Systems Engineering, working under the guidance of Dr. Jeremy Daily. His role involves collaborating with a team of skilled professionals to conduct research on cybersecurity and digital forensics within the heavy vehicle industry. Jake's academic journey has emphasized the significance of pursuing a career he is passionate about, and this position has further solidified his love for collaborative problem-solving.

Similar Presentations:

• DEF CON 32 (2024) / Laundering Money
• DEF CON 32 (2024) / Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?
• DEF CON 32 (2024) / Defeating EDR Evading Malware with Memory Forensics