Hi, DEF CON. We're going to make this fast. This is a short talk, so I'm going to just get them rolling. Please come in, find a seat, and enjoy your talk. Without further ado, this is Haystack and 6Volts. Let's give them a round of applause. Alright, go guys. Hi there, I'm 6Volts. And I'm Haystack. And we're going to be talking about cheap tools for heavy trucks. So, there's a lot of differences between cars and heavy trucks, and we're going to be talking about some of those. We're also going to be talking about the R&D problems we face and how we got around them. And we're also going to do some very preliminary stuff about networking protocols and standards. There's a lot to go over, so we're just going to dump it all in a white paper for you to read if you really care that much. We're also going to go over a new hardware tool that we built that should save you some money if you want to start getting into truck hacking. And also go over some light truck hacking adventures that we've had. Some quick notes. We're going to assume you're familiar with basic vehicle networking. If you're not, Google it. We assume you're familiar with the idea that if you get on the CAN bus, you can do bad things. We are leaving out lots of details that are going to be in the white paper. Check the GitHub by the end of the week. And a safety disclaimer: if you hook up to a truck and start, you're going to be in trouble. If you're buzzing it while it's moving, bad things could happen. Don't do that. We're not responsible if you do. We have done that. Do as we say, not as we do. So, trucks, as we talk about them, are really anything with a big diesel engine in it. The thing that most people are familiar with are semi-trucks, class eight, over-the-road vehicles.
But also dump trucks, wreckers, marine engines, big generators, agricultural equipment. Anything like that is all going to work largely the same way, and it's going to be made by the same people. An exception: diesel pickup trucks. So, if you see Bubba in his Cummins Dodge Ram, that's just going to act like a regular passenger vehicle. So, many of the components that are in trucks have to be interchangeable. So, you can get a Peterbilt truck with a Paccar engine or with a Cummins engine, and you used to be able to get one with a Cat engine. So all of those parts have to work interoperably, like the brake controllers from different vendors, the engines, the transmissions. So they've had to agree to this standard so that all the electronics can speak to each other and the truck can actually work. So, one of the major differences with heavy trucks is, if you do anything with passenger vehicles, a big part of your job is reverse engineering the protocol, because every manufacturer has their own thing. With heavy trucks, with big diesels, that's all been decided upon by the Society of Automotive Engineers beforehand, and it saves you a lot of time. So, you may have read something in Wired recently. Those guys just took a standard and injected traffic, and sure enough, they were able to cause unintended braking and acceleration. So, we're going to talk a little bit about the telematics attack surface. Most heavy trucks that are out on the road in a fleet have a dash-mounted touchscreen that controls the driver's logs, navigation, gives them a way to communicate with the fleet, kind of like e-mail. And in emergencies, it contacts the fleet and allows the truck driver to talk back to them.
They use the cellular network to connect to the telematics provider and the fleet, and these devices connect directly to the CAN and J1939 bus. Also the legacy 1708. Many of them run embedded versions of Windows, like Windows CE or XP Embedded. That's kind of scary to me. Yeah, we've had some luck with rooting them by doing things like popping an SD card out of the back. So a big problem that we had when we started getting into this is, trucks are expensive. So a Freightliner Cascadia, something like that, can cost over a hundred grand. Ouch, I do not have that kind of money. For the aspiring hacker, even if you are rich, they are big, hard to store, hard to drive. I can drive a five speed, a six speed, a one down, four up speed. But I can't drive a 14 speed. And they're also expensive to operate. So we didn't have one and we still don't. We're trying to get one. So how do we experiment? We built this thing. We call this the truck in the box. So this is a bunch of components out of a heavy truck. The engine control module, the instrument cluster, there's a couple other things hiding in the back there. A power distribution unit and a National Instruments cRIO. We quit using that. And then the knobs are a bunch of potentiometers for sensors. The first one took about six hours. It took about six months to build and cost about $10,000, but that's still. Thanks DARPA. But that's still a lot cheaper than the cost of a truck. Since then we've built over a dozen of those full-size ones for different trucks and engines. We later compressed the concept into the size of a circuit board, but that's not pretty, so we're not gonna show it off. So the concepts of the truck in a box: we wanted to recreate the vehicle networks, including J1939 and J1708.
J1939 is built on CAN. It's really CAN. J1708 is kind of RS485. It's similar to J1850. It also fakes passive sensor signals. So, usually oil pressure sensors and temperature sensors and things just measure voltage or resistance. And ECMs, the engine control module, tend to freak out if those things aren't present. So we're just trying to keep it from freaking out. Some of the more complicated signals are things like the accelerator pedal and the way the vehicle measures its road speed. This is a tone ring that's on the back of the tail shaft underneath the truck. On the left here we've got the actual sensor, and that tone ring spins past that sensor generating a magnetic field. So we hooked one up in a vise and put the sensor next to it, and then you get this kind of signal. So we can RE that signal, figure out, characterize it, and then play it back to the ECM, and we can actually put miles on the truck on a bench. So I already talked a little bit about the two main networking protocols. The J1708, like I said, it's RS485-ish, 9600 baud. There's some slight transceiver differences, and then there's also another SAE standard called J1587 that specifies everything all the way up to the application layer. J1939 is similar, but it's built on 250K CAN. If you're into this, you know the passenger cars are 500K. We also see ISO 15765, but only for diagnostic comms. Details in the white paper: all the different protocol details, if you wanted to write your own implementation, we should be able to give you enough information to do that. So for J1708, the older protocol, messages are time delimited and you've got these things called MIDs and PIDs. The MID is analogous to the CAN ID. It's the first byte and it tells you who on the network is talking, and the PID comes right before any data in a message.
And so PIDs and data come after the MID. And unpacking those PIDs and the data is how you figure out what messages say. Mostly older trucks will have only J1708. There was a period where they would have both networks, J1587 and J1939, at the same time. Some newer ones will have components that use it. And then also there are these things called gliders. If you're a hot rod builder, you'd know it as a rolling chassis. People will order a truck with no motor in it. And the reason is because emissions regulations go by the date of manufacture of the motor and not the date of the truck. So they will have everything but the motor made. And these things will last for 2 million miles pretty easily. So they'll put the older motor in it. So you may see new trucks with old networks and old engines in them. So J1939 is the newer protocol. And it's based on 250K CAN. It's got extended IDs that are 29 bits long instead of 11-bit-long IDs like other cars. Sometimes they have some basic specs for source and destination, but those aren't enforced. There's address management, there's a transport layer, message fragmentation. There's about a dozen different documents that you can read through that are published by SAE, but they're all kind of thick. There's a couple of parameter group numbers, which are just like a message type, that are reserved for proprietary communications. And those are the fun ones. And then also, there's the vehicle diagnostic link connector, which is called a DLC or a DLA. This industry is terrible at acronyms, so there's always like 5 acronyms for the same thing. It's similar to an OBD2 scan tool in a passenger car. Also, it's OBD, onboard diagnostics, like O, not ODB, who is a founding member of the Wu-Tang Clan. People mess that up constantly and it drives me a little nuts.
It's basically a USB slash serial slash Ethernet to J1939 to J1708 bridge. These things are incredibly overpriced. They come at like $700 or $800, and it's seriously just like I converted one thing into another thing, and it's two chips that they bought from someone else and soldered them onto a board. The RP1210 is a standard that governs functions exposed by their drivers. So, observing those driver calls is an excellent strategy for dynamic analysis of OEM software, because they're always the same name and they always have the same arguments in the same format. So, you can sort of get a running analysis of what the different software packages are doing at various stages of ECM interaction. So, we're releasing a new tool called the Truck Duck. It's a cape for the BeagleBone. It gives you two CAN channels and two J1708 channels. So, you can do things like message filtering. We've also got a custom OS image with the J1939 kernel extensions built in, and then Haystack wrote some stuff for using it in Python. He's also written a J1708 implementation in the BeagleBone's PRU, which is amazing. They're like little built-in microcontrollers on the thing, and this is what it looks like. Over on the right-hand side I've got the diagnostic link connector. That's the big DB15. I can't see the link. Two screw terminals. Those are the green guys. And then it's got the power circuitry so that you can power it from the bus. So, another thing that we released is an RP1210 tracer. So, for a while, when we would reverse engineer what these software packages were doing and when we were trying to reverse engineer the proprietary protocols, the best option was to buy a diagnostic link connector whose driver has debug logging capabilities.
So, you would flip a little switch in the driver software and it would say, you know, I sent this, received this, received this, sent this. The only one we know of costs $700. It's like the Cadillac of DLCs. That can be a lot of money for some people, especially if you're just doing bench testing on an ECM that you got at a junkyard someplace, like us. And then I rolled an RP1210 API tracer that logs results of RP1210 function calls, so you're not dependent on the Cadillac of DLCs anymore. And it works with any of them, including the cheap eBay clones, for all two weeks that they work. And it allows you to decrypt and translate on the fly, and when we get into the "what we did with this stuff" section, you'll see that a little bit. But what is it good for? Like all that stuff I just went through, all that stuff and a buck will get you a cup of coffee, like 10 years ago. So, you know, what can you actually do with this? So we wanted an attack, and we wanted to have a viable attack that could actually have some conceivable impact in the real world. But we didn't have a truck. So this presents an issue. If you're not driving something, it's very difficult to tell when brakes are applied when you have no actual brakes. So we needed something that we could do. And the solution was malicious ECM misconfiguration. So reverse engineer the protocol, and then send messages using that protocol to misconfigure the ECM. Okay. So most of the parameter configuration is done over proprietary protocol extensions. We promise not to give too many specifics out, so that you can't do very bad things to trucks that are on the road, because that would be pretty dangerous. We're going to give a demonstration of what is possible with the Truck Duck and the RP1210 API tracing.
So this is some proprietary traffic. You can see the messages here. I'll point you, Tom. So we can see the FE there in the middle. That indicates that this is a proprietary message. And that's what you really want to look for. And the message down at the bottom is just something regular flowing across the bus. So, initial notes from analysis of this protocol. The same process, clicking the same buttons in the software, yielded different network traffic every time. So this stuff was actually obfuscated slash encrypted. Which is kind of unusual. A lot of the different manufacturers, including newer ECMs (this was a very old one), they're not encrypted or disguised in any way. Messages that appear to do the same thing are the same length, so it's not too obfuscated. No one's like padding to a block length and then doing stuff. It's simpler. And this is where I yada, yada, yada past a bunch of static analysis I did with dotPeek and IDA, because this is DEF CON and I don't want to try to teach pros how to use dotPeek and IDA. So after doing static analysis I figured out what the bytes after the first three are. The first three are specified by SAE. The first byte is the source, the second byte says hey, this is proprietary and it's interesting, the third byte says this is the destination. In this case this is the DLC talking to the engine. That's the security setup. And then this low nibble over here, on both ends, these are kind of degenerate keys. There's obviously not a whole lot of entropy in a four-bit key, but that's what they got. And so they pre-share that in order to carry out the rest of the protocol. So then I found other command codes. So this high nibble, F, was the security setup.
So D is an encrypted write, C is an encrypted read, and then E is an encrypted read/write response. So no matter if it's responding to a write or a read, that's going to be the format of the reply. The low nibble is the message code, and then there's this little formula where you take the pre-shared four-bit, super-high-entropy key, add it to the code in the message mod four, and it indexes into a character array that's buried in a DLL someplace. And then you just XOR it with everything. So it's XOR encryption made slightly less bad. So then, after we decrypted, I modified the RP1210 API tracer to decrypt all this on the fly, and then the pattern became a lot more comprehensible. You can see that it's just a very standard call-and-response type protocol where you have a PID and then it says, hey, you know, six zero, I want to see that. And then you get a bunch of ASCII characters. I'd have to look up what that is, honestly. And so what could we do with this? So now that we have this degenerate encryption algorithm and we know the PIDs and we can trace this stuff, if we get on the bus, we can set parameters in the ECM. So the one that we chose was hard vehicle speed limit. So the governors in heavy trucks are just a byte that you write. And so we thought, hey, wouldn't it be cool if you just froze a semi-truck at only being able to go 30 miles an hour. But that's still kind of boring, because if you can get on the bus physically, if you can get physical access, you can just cut the brake lines. You could compromise a telematics unit and then have it send these messages during a key-on, engine-off condition. But we wanted to do a little bit more.
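The J1708/J1587 framing the speakers describe (MID first, PID 0xFE marking a proprietary message with the destination MID right after it, a command code in the high nibble of the first vendor byte) is enough to build a passive bus monitor that logs proprietary configuration traffic aimed at the engine. The following is an added example, not code from the talk, the white paper or the Truck Duck project: the checksum rule and the J1587 PID length classes are standard, but the MID numbers, the PID 84 road-speed decoding and every sample frame are constructed or assumed, as marked in the comments.

```python
"""Added example (not from the talk): a small J1708/J1587 frame parser and a
bus monitor that flags proprietary (PID 0xFE) configuration traffic aimed at
the engine ECM.  Layout as described in the talk: byte 0 = MID of the sender,
PID 0xFE = proprietary escape, next byte = destination MID, then vendor bytes
whose first high nibble is a command code (F setup, D encrypted write,
C encrypted read, E response).  The trailing checksum byte (8-bit sum of the
whole frame == 0) and the PID length classes are standard J1708/J1587."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MID_ENGINE = 128        # J1587 MID for Engine #1 (assumed here)
MID_DIAG_TOOL = 172     # J1587 MID for an off-board diagnostic tool (assumed here)
PID_PROPRIETARY = 0xFE  # "data link escape": vendor-proprietary payload follows
PID_ROAD_SPEED = 84     # J1587 road speed, one byte, 0.5 mph per bit (assumed here)

# Command codes from the talk, carried in the high nibble of the first vendor byte.
CMD_NAMES = {0xF: "security setup", 0xD: "encrypted write",
             0xC: "encrypted read", 0xE: "encrypted read/write response"}


@dataclass
class Proprietary:
    dest: int              # destination MID, the byte after PID 0xFE
    cmd: Optional[int]     # high nibble of the first vendor byte, None if empty
    payload: bytes         # vendor bytes after the destination MID


@dataclass
class Frame:
    mid: int
    params: List[Tuple[int, bytes]]   # standard (PID, data) pairs
    prop: Optional[Proprietary] = None


def j1708_checksum(body: bytes) -> int:
    """Two's complement of the byte sum, so that sum(frame) % 256 == 0."""
    return (-sum(body)) & 0xFF


def build_frame(mid: int, payload) -> bytes:
    """Assemble MID + payload + checksum (used here only to construct samples)."""
    body = bytes([mid]) + bytes(payload)
    return body + bytes([j1708_checksum(body)])


def parse_frame(frame: bytes) -> Frame:
    """Split one checksummed frame into MID, standard PIDs and any proprietary tail."""
    if len(frame) < 3 or sum(frame) & 0xFF:
        raise ValueError("bad length or checksum")
    mid, body = frame[0], frame[1:-1]
    params, prop, i = [], None, 0
    while i < len(body):
        pid = body[i]
        i += 1
        if pid == PID_PROPRIETARY:
            if i >= len(body):
                raise ValueError("proprietary escape without destination MID")
            payload = bytes(body[i + 1:])
            prop = Proprietary(body[i], payload[0] >> 4 if payload else None, payload)
            break                        # vendor payload runs to the end of the frame
        if pid < 128:
            n = 1                        # single-byte parameter
        elif pid < 192:
            n = 2                        # two-byte parameter
        elif pid < 254:
            if i >= len(body):
                raise ValueError("variable-length PID without byte count")
            n = body[i]                  # variable length: byte count follows the PID
            i += 1
        else:
            raise ValueError("PID 255 extension page not handled")
        params.append((pid, bytes(body[i:i + n])))
        i += n
    return Frame(mid, params, prop)


def road_speed_mph(frame: Frame) -> Optional[float]:
    """Decode PID 84 if present (assumed 0.5 mph per bit)."""
    for pid, data in frame.params:
        if pid == PID_ROAD_SPEED and len(data) == 1:
            return data[0] * 0.5
    return None


def audit(frames) -> List[str]:
    """One alert per malformed frame or per proprietary setup/write sent to the engine."""
    alerts = []
    for raw in frames:
        try:
            f = parse_frame(raw)
        except ValueError as err:
            alerts.append(f"malformed frame {raw.hex()}: {err}")
            continue
        p = f.prop
        if p and p.dest == MID_ENGINE and p.cmd in (0xF, 0xD):
            alerts.append(f"MID {f.mid} -> engine: {CMD_NAMES[p.cmd]} "
                          f"({len(p.payload)} vendor bytes)")
    return alerts


# Constructed sample traffic: a normal broadcast, a proprietary session from the
# diagnostic tool (setup, read, write), and a copy of the write with a bad checksum.
SAMPLE_BUS = [
    build_frame(MID_ENGINE, [PID_ROAD_SPEED, 110]),                                # 55 mph
    build_frame(MID_DIAG_TOOL, [PID_PROPRIETARY, MID_ENGINE, 0xF3, 0x00]),         # setup
    build_frame(MID_DIAG_TOOL, [PID_PROPRIETARY, MID_ENGINE, 0xC1, 0x5A]),         # read
    build_frame(MID_DIAG_TOOL, [PID_PROPRIETARY, MID_ENGINE, 0xD1, 0x5A, 0x3C]),   # write
]
SAMPLE_BUS.append(SAMPLE_BUS[-1][:-1] + bytes([SAMPLE_BUS[-1][-1] ^ 0x01]))

if __name__ == "__main__":
    for line in audit(SAMPLE_BUS):
        print(line)
```

Run against a real tap, the `audit` log gives a fleet a record of every security-setup and encrypted-write command that reached the engine, including its source MID, so a parameter that silently ends up at 30 mph instead of 70 has a timestamped sender to trace rather than a string of mechanical inspections.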
So then, hijacking OEM software. Software's used in day-to-day operations of the fleet. We've talked about fleets being data hungry before. And as a result, they are pulling data off these ECMs after every trip in many cases, so they're always pulling this data. And so unlike a passenger car, where, unless you're throwing a check engine light and the dealer has seen and handled it, in that case, there's many dealerships putting it on a scanner. These things are interacting with software all the time, and so there are a lot of opportunities for things to change. So I repurposed the API tracer, so instead of just decrypting and logging things on the fly, modifying, re-encrypting and writing. So let's see what that looks like. This is a screencast, because showing the full ECM would give away the brand and I'm really bad at video editing. Also I'm very sorry about the free version watermark. This stuff is expensive and this is on my own dime. Okay, so at the beginning I started the kind of degenerate truck rootkit. I very artfully blacked out the manufacturer logo. This protocol is very slow, so I'm going to try to patter a little bit while it's getting set up. So here you can see that the vehicle speed was at 55 miles an hour. Our hypothetical technician knows his drivers can't drive 55, so he decides to bump it up to 70. And as far as anyone can tell, that went fine. It was set to 70 miles an hour. And then after reconnecting we go and check and make sure that the truck mangler program is dead, and then we actually see what happened. And again we wait for the slowest vehicle protocol in the world. Linh. For those who didn't hear the joke he made, Linh is in fact very slow, but. There.
So you know, we can see that in fact it was actually set to 30 miles an hour, and that this guy would have gotten about a mile down the road and then would have had to realize that he had to turn back, and if you manage to keep this running and get persistence, there would be no way to tell. So they would be checking mechanical issues over and over, so I think this is a very viable attack with real impact. So for future work we're going to work on writing an RP1210 driver for the Truck Duck to allow easier traffic modification. It's even cheaper than some of the eBay adapter clones that you can get. We also want to work on making the PC-side attack a little more interesting, so the technician doesn't have to actually modify a parameter; it can just do it once they connect to the truck. We would really love to do some deeper firmware analysis on ECMs, you know, pull some chips, read some data and do some static analysis. We'll be in the Hardware Hacking Village and the Car Hacking Village if you have any questions. We'll also have an ECM and a bunch of live demos of this stuff, so it's not just a stupid screencast with a watermark on it; you can actually play with this technology. Thank you very much.