Archive, Industry News

Buses revealed as hacking target

New experiment proves researchers can take control of buses and trucks via computer

Researchers in the US have recently shown how digital technology is able to be manipulated by hacking into the computers of buses and trucks during a controlled experiment.

The University of Michigan researchers tested their mock-hack on a 2001 school bus and a 2006 ‘Class-8’ semi-trailer truck, but the specific makes and models were not revealed as it is not a brand-specific risk.

The experiment was carried out to test the security of design standard SAE J1939, which covers internal digital vehicle communication.

This system originated in the US but is now used widely across the world, meaning the potential for a great number of vehicles to be attacked is large.

The researchers note in the report that one of the outcomes of the test was that they were able to “verify that attacks developed on a semi-tractor also work on a bus, providing evidence that all heavy vehicles with the J1939 standard are affected”.

“Recent attention has been paid to consumer automobile security thanks to several prominent demonstrations of vehicle vulnerabilities on an unnamed car in 2010,” the report says.

“In a similar manner, we wish to first explore the capabilities of an adversary with a physical connection to the heavy vehicle’s internal network via the OBD port.”

With a laptop plugged into the truck’s consoles, the team was able to alter readings the lights and dials displayed on the dash.

In one video (playlist below) uploaded by one of the researchers Bill Hass, the team are even able to create a short ‘light show’ using various patterns with lights on the cluster.

Alarmingly, the RPM of the bus engine was able to be altered using the team’s program.

Once set up, the laptop’s spacebar controlled the engine like an accelerator pedal.

While the team’s modelling showed the gauge altering to be a low-to-moderate safety concern, the ability to cause sudden acceleration in both vehicles was deemed a high risk concern.

“By using publicly available information of a popular vehicle network standard, we have developed concrete examples of attacks that affect safety-critical systems of a semi-truck and a bus which use the same standard,” the report says.

The team warns fleet management systems are the next likely target for remote hacking.

“We only needed one message to implement a series of safety-critical attacks, and while we required physical access 9 to the internal network, it is reasonable to assume that a remote extension to our attacks is feasible given how similar the vulnerabilities are to consumer vehicles and the complexity of fleet management systems already widely employed.

“Our hope is the heavy vehicle industry begins to include the possibility of an active adversary in the design of their safety features.”

Video: Bill Hass

Send this to a friend