Presented at DEF CON 33 (2025), Aug. 9, 2025, 5 p.m. (45 minutes).
Tanker trailers? Turns out those aren't just big, dumb hunks of metal. They have a powerline network, PLC4TRUCKS, which is unintentionally accessible wirelessly (CVEs 2020-14514 and 2022-26131). We found new trailer brake controllers using diagnostic protocol KWP2000, secured with access control by seed-key (a challenge-response protocol). We'll show how to use Wireshark to analyze the diagnostic traffic. We'll discuss why randomness is critical for any challenge-response protocol.
We'll cover two ways to bypass this access control: using an SMT solver to crack the routine from a few request-response pairs (automated with AHK), and a classic reset attack that makes seeds entirely predictable. This second way allows for a blind, wireless attack, a finding now recognized as CVE-2024-12054. We'll detail how we ran timing search 'campaigns' with a custom sigrok decoder to PoC it.
The trailer brake controller is also at risk from trailer-installed telematics devices. We'll show how to use Scapy Automotive's UDS scanner on a faked CAN bus for PLC4TRUCKS (plus modify that for a known seed-key routine) so we can get a picture of that attack surface.
This and the previous CVEs are a result of the heavy vehicle testing we do. We'll share some details of how we do onsite truck tests and how we do bench tests.
Presenters:
- Ben Gardiner
Ben is a Senior Cybersecurity Research Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™ specializing in hardware and low-level software security. He has held security assurance and reversing roles at a global corporation, as well as worked in embedded software and systems engineering roles at several organizations.
Ben has conducted workshops and presentations at numerous cybersecurity events globally, including the CyberTruck Challenge, GENIVI security sessions, Hack in Paris, HackFest, escar USA and DEF CON.
Ben holds an M.Sc. Eng. in Applied Math & Stats from Queen’s University. In addition to speaking on the main stage at DEF CON, Ben is a volunteer at the DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV). He is GIAC GPEN and GICSP certified, chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (published J3322), a contributor to several American Trucking Associations (ATA) Technology & Maintenance Council (TMC) task forces, ISO WG11 committees, and a voting member of the SAE Vehicle Electronic Systems Security Committee.