Hacking Trucks

Another hijack attack against vehicles, this time trucks and buses.

Posted on August 5, 2016 at 12:00 PM • 13 Comments

Comments

tz • August 5, 2016 12:31 PM

Another that requires physical access.
Is your laptop secure enough if I can access it for 10 minutes?

Ergo Sum • August 5, 2016 12:36 PM

I am not certain that I buy in to this, even if some of the findings are true...

About the brakes on big rigs...

They have air-brakes and they work differently from hydraulic brakes that the cars have. In air-brakes the actual air pressure holds the brakes disengaged. The driver is actually releasing air from the brake lines, when he/she applies the brake. The parking brake is a mechanical valve that prevents air pressure entering the brake lines and releases all of the air pressure from the lines once it's applied. That effectively locks all brakes.

The same applies when air pressure is lost, even if it does not show up on the gauge and/or alert. Lose the air pressure, the brakes will lock up. It's been a while since I drove big rigs, but if my memory serves me right, the air pressure needs to be about 60 psi in the brake lines. If it falls under that pressure, all pressure is released by a mechanical pressure valve. They might've digitized the alert, but I have some doubts that they've changed the mechanical valve for either the parking brake or the pressure sensor for locking up the brakes.

tz • August 5, 2016 12:37 PM

Or for that matter, I can put a cell-enabled board with a servo under the hood or on the wheels to do something mechanical. Or contaminate the fuel. Damage the tires. Inelegant but as effective.

Ted • August 5, 2016 12:47 PM

“Looking Before They Leap: U.S. Insurers Dip Their Toes In The Cyber-Risk Pool,” published Tuesday [June 2015], said that while there are about 50 insurers that are writing some cyber coverage, the market is dominated by five underwriters: Ace Ltd., American International Group Inc., Beazley P.L.C., Chubb Corp. and Zurich Insurance Group Ltd.

[..] “Although this market is immature at the moment, there is still value to be found if insurers properly underwrite risk,” the report said.

[..] Cyber coverage represents a huge area of opportunity for underwriters, with some analysts predicting that the size of the cyber insurance market will grow to $10 billion in the next five to 10 years, the report said.

[..] S&P said that cyber risk presents a “unique challenge” for underwriters because neither frequency nor severity is predictable.

[..] “Reliable actuarial data are also not available,” the report said.

[..] Stand-alone cyber policies likely will place more emphasis on risk-mitigation consulting and services than on indemnity protection in coming years, S&P said. [full article]

unbob • August 5, 2016 1:01 PM

@Ergo Sum "In air-brakes the actual air pressure holds the brakes disengaged."

The one truck I drove did not work in this fashion. It was being too tentative and repeatedly hitting the brakes that caused me to lose air pressure, and consequently all braking power. After hitting a loading dock pretty hard, I learned to be more decisive with the brake.

The only application I've heard of where air disengages is in releasing the parking brake.

Piper • August 5, 2016 1:07 PM

This doesn't seem either surprising or concerning to me. Once you've got a connection to the diagnostic port, none of this is surprising or unexpected.

It's like bragging that you can completely take over any computer, and all you need to do is plug in a PCI board. DMA is so insecure...

When they can do this over Bluetooth, THEN they've got something.

albert • August 5, 2016 3:08 PM

Modern trucks (the kind used to haul trailers) have two brake systems. The regular running brakes operate on air pressure applied to the brake shoes (or disks). Spring brakes operate by releasing the shoe. When there's no air pressure, powerful springs hold the shoes applied. It's a safety feature. Actual systems are mechanical and non-electric, again for safety. I left out the 'engine' brake.

. .. . .. --- ....

A Nonny Bunny • August 6, 2016 2:31 PM

@tz

Another that requires physical access.
Is your laptop secure enough if I can access it for 10 minutes?

Do you often leave your laptop "parked" unsupervised in public spaces for hours at a time?

ianf • August 6, 2016 4:44 PM


@ tz, A Nonny Bunny

Is your laptop secure enough if I can access it for 10 minutes?

There's a social interaction counter-corollary to that: asked to fix some obvious problem on someone close's laptop, I now only help with diagnosis, do not touch it. Standard recommendation: get a Mac, they're much less icky once you're past the initial learning curve (the horror of only having one mouse button, and the entire trackpad acting as that mouse button!)

That's because experience has taught me that once I fix something, I'll be expected to fix it again and again, in effect a version of "YOU FIX IT, YOU OWN IT." And even worse were any such by me once fixed Windows unit to break down further on.

Adrian • August 8, 2016 11:16 AM

Yet another Wired article I can't read because their anti-ad-blocker gets a false positive for generic Chrome (stable) running on Windows 7. Anybody care to summarize it?

r • August 9, 2016 8:09 PM

The men signing off on these equipment 'upgrades' are stupid, look at Ford's Bluetooth hack or the recent Jeep/Chrysler attacks.

And you want to enable that with HAZMAT?

Things will get real real fast if they don't wake up.

r • August 9, 2016 8:11 PM

That's like hacking trains, look at how Amtrak derailed 2? years ago now... go ahead, seek automation and unaccountability.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.