
Hey, and welcome back. It's now my pleasure to introduce Ben Gardner. Ben is a research engineer with the National Motor Freight Traffic Association, specializing in hardware and low-level software security. His talk, Commercial Transportation: Trucking Hacking, will provide a technical overview of hacking big rig trucks. Thanks a lot, Ben, it's all yours.

Thanks, Drone. So, I know I'm up against lunch, so I'll try to be pretty quick. I'm pretty excited to be talking to you about truck hacking; it's one of my favorite subjects. I'm going to introduce you to what commercial transportation really is, and I'll try to convince you why it matters. We're going to be talking about trucking in particular, so I'll walk you through what trucks and trailers are, how maintenance works, distribution centers and terminals and things, and then I'll give you the technical details of the three main networks that you'll find on modern trucks. In the second half of the talk I'm going to do a review of the public attacks on trucks, and I'll highlight in particular what areas could use more hacking, so there's definitely room for your own research, and I'll give you some ways that you can get involved. Then we're going to wrap up the session by looking at some concrete examples of how to use tools to interact with the vehicle networks. I'll even give you a list of more tools so that you can go and play with them yourself.

So let's get started. Matt introduced me and I don't need to say much: I used to do embedded systems development and reverse engineering, I do a bunch of volunteering which I really enjoy, and I get to hack on trucks.

So what is commercial transportation? It's a very broad topic, and generally speaking any movement of goods or people for business purposes is commercial transportation. So you have probably interacted with it before, with trucks and trains and ships, and also air freight, which is not pictured here. But we're going to talk about trucking specifically, and one of the reasons why trucking and trucking security really matters is, if you look around where you are right now, wherever you are, anything that you bought came to you on a truck. Truck problems are actually a big problem for society. If you don't think that's apparent, I encourage you to read the article right there, "A Week Without Truck Transport" at iru.org. The short version is that within about a week all sorts of things start falling apart with our society; there are even some communities that get their drinking water from trucks. So they're a pretty important piece of the ecosystem, and of course trucks are the lumbering giants on the road, and safety issues with trucks are kind of all of our safety issues.

Trucking is just a small piece of a much larger commercial transport ecosystem, the global supply chain that kind of links us all, so that's another reason why it, and commercial transportation security in general, matter. Also, all these modes share technologies. J1939 is found in all of the modes; we're going to talk about that in some detail. A good example is the recent CAN bus hack, derate disablement abuse, which is actually applicable across all the modes because it works on J1939 on any of those diesel engines. We'll talk about that some more later.

The trucks themselves are pretty complicated devices, especially modern trucks. For fun, people call them "the things that roll"; that's the way to think about them. They do have a lot of features and tons of connectivity; some of the trucks actually leave the factory with three different cellular modems installed. The components and the specifications of a truck are actually built to order by the fleets from the OEMs, and that's what leads to the high variability, all these variations. And remember, primarily all these trucks exist to make money, and if they're not moving then the fleet is losing money, which makes it hard sometimes to get research time on a truck, but we do our best.

To realize all these features and integrate all these technologies, the trucks actually use multiple different vehicle networks. The picture you see at the bottom, which we're going to zoom in on later, shows six different CAN segments as well as a J2497 segment, and in a lot of trucks there will also be a J1708, which we're also going to talk about.

So the trucks in a lot of cases actually tow trailers. The trailers are the other things that roll. If you thought that getting research time on a truck was hard, you wouldn't believe how much harder it is to get time on a trailer: these things, when they're not rolling or being repaired, are going to be housing cargo and waiting for the next trip. So what you see here is a picture of a bunch of the common features on trailers today that we collected by doing a survey of our membership. It's interesting to note that having its own telematics modem is a pretty common feature on some of these trailers. This is what some people would think the trailer is going to explode into; we collected this by looking at some of the research by Paul Medic from the S.7 session at ATA TMC, as well as combining that with some of our questionnaires. So you can see this explosion of all kinds of technologies and features. You have to take this with a little bit of a grain of salt, because a lot of the things you see here were also reported as up-and-coming technologies in a tech report in 1998, so slow adoption, but the possibility of exploding into all kinds of different buses.

At least in North America, every single one of the trailers is going to have a J2497, which is also known as the PLC for trucks bus, and that's going to connect to a trailer ABS unit. That's been true since 2001, because it's the only way to satisfy a regulation that requires display of trailer fault messages in the cab. A lot of the trailers that have their own HVAC system, so like refrigerated trailers, are going to have a telematics modem that's integrated into that refrigeration controller. In Europe it's very common to have a J1939 bus, but here in North America having J1939 buses is much more rare. It's also important to note that trailers have an even longer service lifetime than trucks; they'll be in service for about 30 years before they enter their second life in the aftermarket.

Another important part of trucking is maintenance. These trucks exist as money makers, and the fleets like to protect their investment with preventative maintenance, so the tractors actually spend much more time in a service center than any passenger car would. Also, the diagnostic software that interacts with these trucks is authorized to do all kinds of very powerful things, such as disabling engine cylinders and cycling ABS pressure valves. So remember that truck brakes are loaded with springs, and it uses air pressure to actually release the spring pressure, so if you don't have air pressure then you can't release the brakes. These are two things that diagnostic software can do, from some research that Bill Hass and team did years ago, which we're going to talk about in more detail. We think it's important to note that most of the software for diagnostics on these trucks is really just kind of low quality Windows software with no protections, and that is thankfully changing, but that is the status quo.

Distribution centers, also known as terminals in the less-than-truckload segment (less-than-truckload is a specific type of trucking, and that is what our membership at the NMFTA does): these terminals house a lot of trucks and trailers, either docked or parked. The distribution centers themselves actually have a lot of their own technology and a lot of different attack surface, but that's a whole other talk; suffice it to say that you'll find handhelds, tablets, IoT and all kinds of embedded systems and wireless at the distribution center itself.

Then a big part of how trucking interacts with the rest of commercial transport is intermodal. I think everyone has seen shipping containers; these are actually designed to go from the deck of a ship to a train and vice versa. Some of the containers actually have their own networks, some of the containers have their own telematics modems, and some of the containers apparently will interface with the networks and the vehicles that they're being transported on as well. So, these other modes: I'm not an expert in the other modes, but it's important to let you know that they do share a lot of things with trucking, especially technology. Ships do use J1939, among other vehicle networks, and in ships it's called NMEA. Trains also use J1939, and that's mostly because they have diesel engines; even though on a lot of the trains the diesel engines are set up as generators, there still is a J1939 network to run the diesel engine. And all of the modes, just like trucking, are kind of accreting all of this IoT stuff. Here's a picture of a shipping port, and this is all wireless and handhelds and IoT, just like a distribution center.

So now that you understand why commercial transportation is important, let's switch and talk a little bit about how these modern trucks operate. We're going to do an overview of three vehicle networks, and I'm going to go pretty quick. First up is actually going to be J1939. I think a lot of people have probably encountered CAN buses in some kind of a talk or some kind of reference,
and a lot of the material that's out there about CAN buses is about how it's used in passenger cars. So let me try to explain to you what J1939 is in relation to a passenger car. In the passenger cars, the identifiers that mark what kind of CAN frame you're talking about, and the bit field locations that are encoding the time-varying signals, are proprietary. So the arbitration ID and the bit field locations and what signals they mean are all specific to the OEM and they're not necessarily published, but the diagnostics are standardized, and that's to satisfy clean air regulations. In trucking it's actually the opposite: in trucking the identifier, which is known as the PGN for the most part, and those bit field locations that put together how the signals are transported, which are called the SPNs, are actually standardized in J1939, but the diagnostics become what's proprietary. So commercial vehicles don't actually have universal diagnostics, but they do sometimes use UDS as the protocol, and it actually has its own reserved PGN, which we'll talk about later, but it's DA00.

I think a lot of people have seen the CAN frame breakdown. This is what a CAN frame is broken down to when you're talking about J1939, the important part being this 29-bit identifier; it's an extended identifier that's used for arbitration. If you haven't had any CAN exposure, try to remember that CAN frames are limited to eight data bytes in the payload and they include their own error checking; those are the main features.

J1939 has a lot of features. It can be both unicast and broadcast, so that means that J1939 does have source addresses as well as identifiers like PGNs. For messages that are longer than eight bytes there is a fragmentation and reassembly feature. The addresses can be dynamically claimed: if you have multiple devices that all have the same feature set, they can negotiate who gets what address. You can also request specific PGNs in a broadcast fashion or a unicast fashion. And then not everything in J1939 is 100% specified; there's a lot of stuff that goes on that the OEMs keep proprietary, and there are four different ranges of reserved proprietary messages, both destination specific (two of those) and broadcast (another two of those). And then the dump and reconfigure and reflash features, that is kind of the fun stuff in trucks or in cars; some of that is specified, but it's also protected by an authorization challenge-response mechanism that's called a seed-key exchange.

J1939 is found all over the truck, and I'm going to walk you through a bunch of different places where you might find it. In the cab it's going to be on that OBD port, which is pictured on the right, circled in red, just underneath the driver's side. There are two different kinds of ports, there's a green OBD and a black OBD, and they're actually configured to be backwards compatible, so you can plug black into green sockets but you can't plug a green plug into a black socket; that's because the baud rates won't work. Then it's important to note that some truck OEMs actually use the passenger-style OBD2 port, pictured below, but we're going to just talk about this Deutsch 9-pin circular port. So if you have access to one of these OBD ports, you're going to find J1939 in at least one place, possibly two. On the black socket, pins C and D and pins J and H, pictured here; on the black socket it'll be 250 kbps. On the green socket the networks that are exposed are going to be 500 kbps, and on the green socket, probably two J1939s: still on C and D, but then that J1708 port will be replaced with probably J1939, although it could still be J1708 in some rare cases. And then those OEM-specific pins that you see there, the H and the J, those are probably also a J1939 bus as well.

There's a connector that was introduced called the aftermarket telematics connector, RP1226, that's provided for permanently connecting devices to the vehicle. The OBD port is for diagnostics only and is never intended for permanent or semi-permanent connection, so they introduced this one. This RP1226 connector is probably found behind the dash or in the berth behind the driver, and you'll see that it has two CAN networks, and there's also one pair of OEM-specific pins, and those are probably a CAN network, a J1939 network, as well.

So if you're crawling around in a truck, maybe underneath the hood, you're probably going to find J1939 in other places. Here's a zoom-in of that vehicle network architecture diagram that we had before, and you can clearly see that there are at least six different separate CAN segments, but only two of them are on the OBD connector. So you're going to find lots of different J1939 on the other parts of the wiring looms in a truck.

Lastly, one of the most common pinouts for diagnostics cables, or breakout kind of cables that you would have for tapping into the trucks, is going to be the DB15, so it's important to remember what your pinouts are on that DB15 connector. It will allow you to connect to at least two different J1939 segments, on pins 5 and 10 and 12 and 13.

So that was J1939. Let's talk about another vehicle network, this time J1708/J1587. J1708 and J1587 always operate together. It actually predates J1939 by many years. You may still find it in a tractor; it's very common to find it connected only for connection to ABS
systems. But it will always be on a trailer in the form of J2497, which is PLC for trucks, and we'll talk more about that later. You can think about J1587/J1708 in analogy to DNS and UDP, and this is a very loose analogy, but J1708 is sort of like your physical layer and J1587 is kind of like your application layer.

So first some specifics about J1708. It has a very similar bus arbitration to CAN, so the lowest valued first byte is going to win. J1708 is always at 9600 baud, and it'll always have eight data bits, one stop bit, no parity, which is eight-N-one, or sometimes it's called 8N1. At the physical layer it's a lot like RS-485, but there are real-time constraints for framing, so how you determine when the frame is over, and also for determining who wins in a bus arbitration. The first byte, which is also for arbitration, is treated like a source address in J1708, and it's called the MID. There are a few noteworthy MIDs: 10 and 11 are actually reserved for J2497, the range 128 to 255 is defined by J1587, and then there's this 111 MID which is used only for factory test and should never be used when the vehicle is in motion, according to the spec, which is good to know.

Then some J1587 specifics. So you'll recall there's a range of MIDs reserved; when you're using that range of MIDs, you can actually specify what signals are going to be sent in that frame by putting a PID byte and then putting the data. So a receiver looks for the PIDs and then kind of takes that as a tag, and then what follows is going to be a value, and the length is inferred from the value of the PID by doing lookups according to the J1587 specification. So there are actually tools out there that have been written to download the PDF that the SAE publishes and to convert those into a database and then do full decoding for J1587. So like J1939 it does have broadcast. There is a unicast feature that's available only in data link escapes, which you'll see lower in the slide. The frames should be, according to the spec, less than 21 bytes if the vehicle is in motion; if you try it practically, you can send all sorts of different lengths for sure. J1587 does include fragmentation and reassembly, just like J1939. And then there is a proprietary message space in J1587, and that's via the data link escape, which is also how you do unicast. So I'll give you an example. This string down here, AC FE 80 F0 17, is actually a J1587 message from MID 0xAC to MID 0x80, and then the F0 17 would be interpreted by the 0x80 device; that would be proprietary.

So where are you going to find J1708 and J1587? It's going to be there on your Deutsch 9-pin OBD port: on the black one, F and G; on the green socket it's optional. On the RP1226 connector, which once again is that aftermarket telematics connector, J1708 is present on pins 6 and 13, and on your DB15 breakout cables you're going to find it on pins 14 and 15.

So let's talk about our third vehicle network, and this is one that's present on all tractors and trailers since 2001, because it's the only way to satisfy the regulations that require display of trailer fault information in the cab. So it's a power line network that connects tractor ECUs to trailer ECUs. It's called J2497; it's also known as PLC for trucks. You can think of it roughly as J1708 over power lines. So again, back to this loose analogy, J2497 could kind of be thought of as an alternative to J1708 at the physical layer. It's not quite an alternative, and it's not quite on top of J1708 either. So it actually works by converting between J1708 and a bunch of spread spectrum chirps; that's how the power line technology works. That's almost exclusively implemented in the Intellon SSC P485 chip, but because the patent on that has expired, there are actually implementations out there that don't use the chip. You'll see here in this diagram that the P485 is actually adding things around the J1708 frame, so it's kind of like encapsulation, but there's duplication happening: that MID on the J1708 is duplicated in the J2497 frame, in addition to adding the chirps and stop bits and sync bits.

So for the most part J2497 has all the features of J1708 and J1587. The main reason it was introduced is for two specific messages; you'll remember PID 10 and 11. So it was introduced just for the messages 0x0A00 and 0x0BFF, which are the lamp on and lamp off messages, but because it's a fully functional J1708/J1587 bus, the trailer brake diagnostics functions and other features from those suppliers were added. So you can actually cycle ABS air pressure valves, just like they found on engines, and you could do ECU reconfiguration with diagnostic software; in fact, some of the trailer brake ECUs have their own scripting languages that are programmable over J2497. And then we mentioned that that MID is duplicated. Because of that duplication, it's possible to create J2497 frames that override bus arbitration, so you can have a J1708 frame that has any priority, any MID you like; for example, it could be the lowest priority of FF, and you could encapsulate that in a J2497 frame that has the highest priority of zero. That J2497 frame would override everything on the bus, but it would be received by microcontrollers as having that arbitrary priority, in this example FF.

We found, doing some research last year combined with AIS, that when you have J2497 operating on a tractor-trailer combination, it actually radiates energy away, because it's a power line technology, so it's radio technology. It radiates up to six feet away and can be received with an active antenna.

So where will you find J2497? It's on every truck since 2001 in North America. It's going to always be on the power pin, the aux pin, of the J560 connector, which is at the back of the truck or the front of the trailer. At the top right you see it pictured here with a little black circle around it, the connector located at the back of the cab of the tractor. So because it's always on the J560 connector, there are a lot of useful adapters that have J560 plugs in them. Down here on the left you have one that breaks out to a DB15. Next from that, there are actually these in-line adapters. You have to be careful with in-lines, because some of them contain an Intellon P485, so they are converting to J1708 for you, and the ones that do the conversion for you also have filtering in them so that you can't access the J2497 power line on its power pins. You also can buy an umbilical J560 cable and embed your own breakout; it's fairly simple, pictured here. You may also find J2497 on the power pins of the Deutsch 9 diagnostics connector or on your DB15 breakout, but on some trucks they actually install filters in between the J560 and the diagnostics connectors, so that you have either a separate or a removed network from the power pins that you find there. The J2497 power line network should be available on pin 7 of the RP1226; that's what's in the recommended practice that's published, although all the OEMs that are in the task force recently said they were surprised by this, so you may not actually practically find it available even though it is in the published recommended practice. And then J2497 may be available on the battery terminals, which is one of the reasons why this adapter is useful, but the filters that we previously mentioned that might be between the J560 and the diagnostics could also be between the battery and the J560 connector, so you may find that it's filtered and segmented here. It turns out that one of the easiest ways to get access to J2497, to avoid the filtering problem, is just to set up an active antenna and some GNU Radio blocks developed by AIS and to receive the traffic wirelessly when you're standing next to the trailer, and this fact was published as a CISA advisory; you can see it linked there.

Okay, other vehicle networks. It's not just those three. J1939 is going to be found wherever there's a diesel engine, and that could be on trains and on ships. Because historically J1708 and J1587 were used for the same reason as J1939 is used today, you may find J1708 and J1587 on diesel applications. And then we have heard that J2497 might actually be found on containers, to enable internet connectivity between what they're being shipped on and where they're being moved, but we've only heard about that and haven't had the chance to confirm or deny it yet, so something to look for, at least
in the future, maybe even in the present. Because it's so near, running into high-speed CAN FD networks is likely. I think automotive Ethernet connections are inevitable; it's certainly one of the alternatives that's being discussed for connecting tractors and trailers. And then, if any of the marketing material is to be believed, there's going to be much, much more wireless pervasive on the trucks and the trailers.

Okay, so you've seen all the technical highlights of how the vehicle networks work. Now we're going to do a review of what you could do when you're connected to these vehicle networks. So we're going to review a bunch of the public truck hacks, who did them and what they do. Because trucks are built to order, the specs and the components are put together in an order by the fleets, the results that we have here aren't necessarily applicable or portable to other trucks; they're only applicable to what was tested, so your mileage may vary.

First up is this DEF derate attack by Urban Johnson in 2015. So trucks are set up so that they fail safe. This is generally true: when the truck runs out of an aftertreatment fluid, the DEF fluid, it actually goes into a limp mode, which is really slow, like very, very slow, and the limp mode is not good enough for fleet operations. So if you can put the truck into a limp mode, it's effectively a denial of that asset. So this attack that was described in 2015 in that report is to actually fake the DEF fluid level messages, which then tricks the truck into going into a limp mode.

Next up is denial of ECUs. So Subhojeet and team, by exploiting a weakness in the data link layer protocol, which is the -21 of J1939, showed that there's a practical denial of service, and they're very practical because these things were later demonstrated on real vehicles. Crafting the attack actually requires studying the workflow of J1939 and identifying points that were suitable for disruption. They showed three different categories of DoS: there was request overload, false RTS, and connection exhaustion.

This one here is another disable-with-limp method, but Robert Leale of CanBusHack, in some research that was sponsored by the NMFTA, took this further and looked for all the classes of how you could effect remote disablement using any of them. So the engines actually have a whole slew of different parameters that, if they go out of range, will effect a remote disablement; it'll lead to a derate event. So they did this in an interesting way: they created a very simple fuzzing kind of search in the proprietary message space, and they found that by sending this fuzzing attack into the proprietary messages it was reliably causing these derate events, due to things being interpreted as being out of range for the limits. So there was a flip side to this attack, which is that, by having access to diagnostics, if you're authorized to change calibration values via diagnostics, you can also effect the same attack by lowering the calibrated derate limits.

Next up is a J1708/J1587 attack. So Haystack and Six Volts, in their DEF CON 24 talk, mentioned that they could take the diagnostic software and actually misconfigure it via a simple reverse engineering of the software and/or the protocol. They also mentioned, and it's really relevant, that the systems that run the diagnostic software are just Windows laptops, and access to or control of the Windows laptop would also be enough to effect these malicious misconfigurations.

So now we're going to talk about four different attacks that Bill Hass and team completed in 2016. The first is demonstrating that you can actually override the instrument cluster in the truck, so you can make it represent a state that doesn't reflect the state of the truck, and that's in J1939. Second, they were also able to control the engine RPM and disable engine braking over J1939. It's important to note that both of these attacks are actually abuse of intended functionality, but not like an exploit. I was actually in a room where a truck OEM engineer criticized Bill and his presentation partner for kind of just demonstrating that J1939 does what it's supposed to do, which isn't exactly a defense; I think it actually underlines the power that comes with access to J1939 buses. The devices on that network are going to respond to the commands over J1939, doing what they were designed to do.

So Bill and team also had J1708/J1587 attacks. They found that they were able to disable engine cylinders over J1587, very similar to the way that Haystack and Six Volts looked at diagnostic software; they did the same here, and also cycled ABS air release valves. So recall that truck brakes are actually loaded by springs and the air pressure releases the springs, so you have to have air pressure to disengage the brakes. If you can continuously cycle ABS air valves, you can deny the asset that is the truck.

Then we, being Chris Poore at AIS and myself and a team of others from AIS, actually did some research into J2497, and in addition to confirming the previous ABS cycling result by Bill Hass, we also found that you can read the traffic remotely, which we talked about already.

So in summary, there are about 10 of these, there's a mix between J1939 and J1708 and a little J2497, and there's definitely room for your own. So what needs some more, what could you focus on if you're interested? I would say that all of the things that J1939 is designed to enable, so all the legitimate stuff: abuse of ADAS or abuse of body control, looking more into seed-key exchange and coming up with methods to bypass it or databases for it, as well as documenting some of the ways to ECU firmware dump or reflash, would all be very interesting stuff. But I'd like to also highlight that we need more research into vehicle network gateways. These are devices that are bridging multiple vehicle networks; they're sometimes being introduced for security purposes, but they're oftentimes just being introduced for performance reasons, and whether or not they're being introduced as a security boundary, they're still going to be security relevant. If you think about taking control of or bypassing one of these gateways, it's going to be a pivot. There's also a lot of other stuff to do in truck hacking. Just like in car hacking, it's the Olympics of hacking, which is a quote I'll attribute to Will See: you're going to find all the usual IoT, mobile, game hacking and RF stuff. Telematics is really just IoT stuff. There's a lot of mobile in trucking, with handheld logistics pads and driver interface pads, and that's all usually just Android. The diagnostics and the maintenance tools are all just Windows tools. And there's not usually a lot for RF, but if you start with an SDR and start poking at things, you're probably going to find stuff that's interesting.

So how can you get involved? I hope I've convinced you there's room, and let me show you some ways that you might be able to. If you're a student, I have good news for you: right there in Colorado you have one of the world-leading experts in truck cybersecurity, Dr. Jeremy Daily at Colorado State, and he has encouraged me to tell you that you can contact him directly at this email address if you're interested in participating in this program. Pictured here is the truck that they own just for hacking, and his student David Nnaji is actually installing some CAN logging devices onto that truck. If you're a student or a professional, you can come and participate at the CyberTruck Challenge. It's a challenge event that's designed specifically for students, to create students that are good at cybersecurity and good at trucks. There is at least ten thousand dollars' worth of training given to each student, there are going to be several trucks present, and there will be stipends available for students, so I encourage you to participate. If you're a professional and you want to come as a mentor, you can also go to that link and apply to be a mentor. Another good way to get involved is the Car Hacking Village. We usually have some kind of heavy vehicle challenge or something set up to mess with. Last year we had air brakes set up with Nerf darts, pictured here, for launching, to have some fun, as one of the challenges; this year I plan to have something as well, time permitting. And then of course, if you want to get involved, a bench setup is really, really important, almost necessary in this field, because if you're on a truck hacking it or messing with it, then it isn't rolling and making money for the fleet. So a bench setup is really critical. You can actually build yourself a truck in a box, and you can look at Haystack and Six Volts' talk for details; for the actual nitty-gritty step-by-step, look at this master's thesis by Jose when he was at the University of Tulsa. Okay, I hope one or more of those ways of getting involved is going to suit you.
Now let's go back to some technical stuff, and I'll cover some tools for hacking on truck vehicle networks. So first up is decoding J1939. Almost all of the signals, except for that proprietary space, are defined by J1939, and it's going to be mostly time-varying signals, but also things like vehicle identifier numbers, as you see in this example. So at the NMFTA we actually wrote a tool to take the Digital Annex, which is an Excel spreadsheet that SAE publishes from the J1939 spec; we can convert that into a J1939 JSON file, and then that JSON file can be used to actually parse the J1939 frames and decode them in the way you see here.
What you're looking at here is actually like a commented candump. This tool will accept all kinds of different formats of CAN logs, not just candump files, but you also can change the output, by removing the candata flag, so that it's just a sequence of JSON objects, and then that sequence of JSON objects could be used with all kinds of JSON-ingesting tools; my favorite is jq, to do filtering and coloring. This tool is also compatible with previous versions of the J1939 JSON file which are floating out there, so if you find yourself in possession of one of those JSON files, or find it somewhere on the web, you can also just
use that JSON file directly. The CAN data that we're parsing here is from Dr. Daily's public J1939 CAN data logs, which are linked at the bottom, and if you want to get into reverse engineering J1939 stuff, you should probably start with those public logs. So what about sending J1939? There's a bunch of different ways to do it; here I'll walk you through how to do that using SocketCAN on a TruckDuck. So the TruckDuck is a BeagleBone cape that was developed by SixVolts and Haystack and released in their DEF CON 24 talk. They later created the revisions 1.5, Yeet, and the Mega, pictured there. This TruckDuck was also remixed by Dr.
Daily as a Truck Cape, which is pictured on the far right, in my fancy laser-engraved nameplate case that Dr. Daily gave me, and also showing an SMA connector, because I've modified my TruckDuck to do J2497 work. So when you want to send J1939 using SocketCAN, you treat it like a normal socket: you import socket and you go from there. Here's an example from one of Dr. Daily's notebooks that's available, linked there on the GitHub. He actually put together some details on how to do address claiming, so this right here, the data that we're putting together, 0603 BF in the middle, that's an address claim message. I'm not going to go into details of how
that was synthesized, but he put together a presentation on the topic, and you can watch that video at our CTSRP portal, link there at the bottom. The gist of sending this data is you have to have an extended frame flag set, because we're using the 29-bit identifiers, and then you have to pack the data together in the correct way, including a DLC field, which is fairly simple to calculate, at a minimum, and then you send it. Not a big deal. This is using the SocketCAN raw feature, which you'll find in pretty much every version of the Linux kernel, as opposed to the CAN_J1939 feature. So there's actually a CAN_J1939 feature that was integrated into the kernel
since 5.4 and was exposed in Python since CPython 3.9. That's also how the original Python libraries on the TruckDuck work, via that patch that was backported, so you can just work on the TruckDuck releases, or you can have a more up-to-date system to use CAN_J1939, but as you can see, CAN raw also works. There are a few Python J1939 libraries that are out there, but this one in particular, python-can-j1939 by juergenH87, is the one that's being actively developed, as far as I can tell. It uses CAN raw on SocketCAN, but it also uses all the other interfaces to CAN adapters that don't use SocketCAN
at all, so it can be quite useful. The API for that library is really built for kind of developing your own ECUs; it's not perfect for hacking, but it should do the trick. And then another option, last but not least, is things like CanCat and TruckDevil that don't use SocketCAN at all but are quite powerful, and we're going to talk about those a little more later. So what about J1587 and J1708, and also J2497? You can decode that too. Dan Saloon at AIS actually developed a tool called pretty_j1587 which, kind of like pretty_j1939, takes the SAE spec, converts it into a database, and then you
can use that database for deep decoding of the messages. Here are a couple of examples of decoding some data link escape, sorry, decoding some messages that were put together to try to win the Car Hacking Village CTF challenge last year. So in the first case there's like a device reset attempted, and there's a component identification; we're just demonstrating that pretty_j1587 can read right from the standard input, which is a useful feature. Just so you know, neither of these attempts worked, so don't bother trying these if you're going to try to launch the Nerf darts. Sometimes you can also send J2497 or J1708 using the J1587 tool which we've put up on plc4trucksduck. It's
fairly straightforward. There are a lot of different ways to send J2497, of course, and for other ways to do that, have a look at that DEF CON 28 talk. So now, not concrete examples, just an overview of what you can go and download and use; we'll talk about a few of them. First up is TruckDevil, which is a really great tool, and I didn't talk about it here in this talk only because I don't feel qualified and I wouldn't do it as well as Hannah did. Hannah put together some training videos for her TruckDevil tool, and they're available at our CTSRP portal; I encourage you to go have a look at them. This tool is capable of reading, decoding,
and also fuzzing J1939, so you'll find that very useful. It also works with the Macchina M2, so it doesn't use SocketCAN, but the Macchina M2 is very inexpensive, very affordable, and will connect directly to your laptop, so you don't have to be messing around with the BeagleBone if you don't want to. In a similar setup there's CanCat, which also uses an M2, but in this case has a custom firmware. atlas, who also did RfCat, really likes his interactive Python sessions, and so that's kind of how CanCat works; it's another interactive REPL, which I know for some people really suits their style, so check that one out. Then remember we talked about, in passenger cars, all
the signals and arbitration identifiers are all proprietary information. There's a bunch of different ways to interchange the definition of these signals; the most common is a DBC file. canmatrix is capable of converting between the various formats, including DBC. It also supports J1939; it comes with a very basic database for J1939 that you can make use of, and it'll also create additional databases for you if you get your hands on some definitions. Then there's the gr-j2497 tool that was developed by Chris Pore at AIS while we were hacking on this stuff; it has flow graphs and a custom block for receiving J2497 using an SDR. The py-hv-networks library that was
developed by Haystack and SixVolts is the core of the TruckDuck features, so it's capable of both sending and receiving J1939; it's also capable of doing J1587 traffic, which is unique among the tools that we've talked about so far. So to get anything done with OEM-supplied diagnostics tools, you're going to need at least one VDA, which is a vehicle diagnostics adapter. They're pretty much all RP1210 compatible, but make sure yours is also. You're going to want to get a VDA that has a DB15 connector, because the DB15 connector has a lot of cheaply available cables. The first we recommend is this Nexiq USB-Link; there is a second version, the USB-Link
2, but it doesn't have a DB15 connector, so we don't recommend you get that. There are of course a lot of cheap knockoffs of the Nexiq USB-Link, but we don't recommend that you buy a knockoff; you should buy the authentic one, of course. Similarly, the DG Tech DPA4, which is RP1210 compatible, has a DB15 connector. There is a DPA5 which has this same feature we're going to talk about, but it doesn't have a DB15 connector, so it's not as useful in our opinion. So the DG Tech DPAs, they have a feature in their drivers in Windows that can turn into a data logger just by
turning on this debug file, and it'll log all the buses that it's connected to, so that's J1708 and J1939 data logging right there from your driver, which is handy. All right, so we did it. I gave you the overview, and now we're ready. I hope I convinced you that commercial transportation is important to us all. I showed you that there's three different main types of vehicle networks, and I gave you the technical highlights of all three; two of these are actually used on all trucks in North America, that's J1939 and J2497. Some of these networks are going to be shared with other modes of transportation. I showed you a bunch of work that was
done by a bunch of smart people finding and publishing attacks, and I showed you that there's definitely room for more attacks. I encourage you to get involved in one of multiple ways, and I hope that that actually convinced you; please do get involved. One more way to get involved is the program that we have at the NMFTA, the Commercial Transportation Security and Research Program. We are always interested in collaborating on research relevant to trucking cybersecurity. There's some example topics right here that we think are relevant, but we're not just limited to those; if you have an idea and the means to collaborate with us, please do reach out and let's discuss.
Thank you so much for your time. Cool, thanks Ben, pleasure. I think we'll use Discord for doing the main Q&A, but there was one question: s scrinduin was asking if the slides would be available. Yeah, I do plan to release these slides. They'll have to go through approval and stuff, so you'll have to wait just a bit. Okay, sounds good. Yeah, and we can announce that through various channels once they're available. Thank you. Thanks, John, pleasure. All right, so we will break for lunch. The next talk will start at 1:20 Mountain Time; that is the Black Box Machine Learning Models. The other thing I wanted to mention
is there is a link being shared in Discord, I think it was shared in social, to register for T-shirts if you would like one for the conference. There's a limited number of them and it's first come, first served, but we do have shirts in case you want them. Cool, thanks again Ben, and we'll see you all in an hour or so.
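The J1939-over-SocketCAN mechanics the talk walks through (the 29-bit identifier, the extended frame flag, the DLC, an address claim, and decoding a candump log line) as an added example; this is not code from the talk, from Dr. Daily's notebooks, or from any NMFTA tool. The NAME bytes, the candump line and the interface name vcan0 are constructed placeholders.

```python
import socket
import struct

CAN_FRAME_FMT = "=IB3x8s"     # struct can_frame: can_id, dlc, 3 pad bytes, 8 data bytes
CAN_EFF_FLAG = 0x80000000     # extended-frame (29-bit identifier) flag in can_id
PGN_ADDRESS_CLAIMED = 0xEE00  # J1939-81 Address Claimed PGN (PDU1: PS byte is the destination)
NAME = bytes.fromhex("0000800000000080")  # constructed placeholder NAME, not a real ECU's
SAMPLE_LINE = "(1617120000.000000) can0 0CF00400#FFFF82FF7D000000"  # constructed candump -l line

def j1939_can_id(priority, pgn, source, dest=0xFF):
    """Build the 29-bit identifier: priority(3) | EDP,DP(2) | PF(8) | PS(8) | SA(8)."""
    pf = (pgn >> 8) & 0xFF
    id_pgn = (pgn & 0x3FF00) | dest if pf < 240 else pgn & 0x3FFFF
    return (priority << 26) | (id_pgn << 8) | source

def split_j1939_id(can_id):
    """Recover priority, PGN, destination and source address from a 29-bit identifier."""
    can_id &= 0x1FFFFFFF
    pf, ps = (can_id >> 16) & 0xFF, (can_id >> 8) & 0xFF
    pgn = (can_id >> 8) & 0x3FF00  # EDP, DP and PF bits of the PGN
    pdu2 = pf >= 240               # PDU2: PS is a group extension and the message is broadcast
    return {"priority": can_id >> 26, "pgn": pgn | ps if pdu2 else pgn,
            "dest": 0xFF if pdu2 else ps, "source": can_id & 0xFF}

def pack_frame(can_id, data):
    """Pack a struct can_frame with the EFF flag set and DLC = payload length (max 8)."""
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    return struct.pack(CAN_FRAME_FMT, can_id | CAN_EFF_FLAG, len(data), data.ljust(8, b"\x00"))

def unpack_frame(frame):
    """Inverse of pack_frame: (29-bit can_id without flags, dlc, payload cut to dlc)."""
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, frame)
    return can_id & 0x1FFFFFFF, dlc, data[:dlc]

def address_claim_frame(source, name):
    """Address Claimed: priority 6, PGN 0xEE00 to the global address 0xFF, 8-byte NAME."""
    return pack_frame(j1939_can_id(6, PGN_ADDRESS_CLAIMED, source), name)

def decode_candump_line(line):
    """Decode a candump -l log line '(ts) iface ID#DATA' into J1939 fields plus raw data."""
    _, iface, payload = line.split()
    id_hex, data_hex = payload.split("#")
    return {**split_j1939_id(int(id_hex, 16)), "iface": iface, "data": bytes.fromhex(data_hex)}

def send_raw(iface, frame):
    """Transmit one packed frame on a SocketCAN interface (needs a real or vcan device)."""
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as sock:
        sock.bind((iface,))
        sock.send(frame)
```

With a virtual interface up (`ip link add dev vcan0 type vcan && ip link set up vcan0`), `send_raw("vcan0", address_claim_frame(0x80, NAME))` puts the frame on the bus and `candump vcan0` shows it as `18EEFF80#0000800000000080`.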