OEMs see weaknesses in researchers’ case and IT security developments covering any threat
The Truck Industry Council (TIC) believes vehicle IT security is ahead of the vehicle hacking game.
In a considered response from its original equipment maker (OEM) members on the issue, TIC has sought to put a recent US experiment into perspective and but also to reiterate their own concerns about potential weaknesses beyond their control.
“All OEMs selling trucks in Australia are aware of the potential cyber hacking attempts/issues that exist in 2016 and all truck OEM’s are taking some level of precaution to guard against such threats (such as restricting CAN data access via a CAN gateway, secure ‘coded’ messages, etc),” TIC says in a written statement.
“These precautions will increase over time, particularly where a truck’s electronic control system moves to regulate other vehicle functions such as brakes and steering systems.”
TIC’s response follows reports that US researchers were able to hack into the onboard control systems of a truck and a bus through their J1939 controlled area network (CAN) system – an experiment that followed a similar action on three car models reported three years ago.
TIC says the ‘hacker’ had to physically plug into the truck and bus J1939 CAN system and be physically in the vehicle to control it.
“It would have made more sense for the hacker to simply get in the driver’s seat and drive the vehicle, rather than control a couple of functions from the passenger’s seat,” TIC states.
“These trucks and buses could not be controlled remotely/externally (from a person outside of the vehicle).
“This is quite a different scenario to the car hacking events reported in the press in the recent past.”
The researchers admitted the direct physical hack but say the existence of the J1939 pathway means a remote hack is conceivable.
Of more concern to TIC members, it says, is the unregulated fitting and use, with no government or legal requirements attached, of ‘third party’, or ‘aftermarket’ telematics systems.
“Most, if not all, truck OEM’s in Australia have a dedicated ‘CAN gateway’ that their own (and third party/aftermarket) telematics systems should be connected to,” TIC says.
“The OEM supplied gateway typically provides some level of protection/security against ‘hacking’.
“Many of these CAN ‘gateways’ allow ‘read only’ access to the truck’s CAN system; messages cannot be transmitted through the gateway to the truck, thus ensuring vehicle functions cannot be controlled by unauthorised external sources.
“However, if the OEM-supplied CAN gateway is not used by the third party/aftermarket telematics system (these suppliers could ‘hot wire’ their systems directly to the trucks CAN) then the truck’s CAN security systems could be bypassed, compromised or breached, allowing an avenue for cyber attack.”
Explaining its view in the Australian context of the points raised by University of Michigan Transportation Research Institute (UMITRI) researchers in their experiment, TIC notes firstly that trucks without substantial electronic engine control systems – ‘drive by wire’ accelerator systems and engine engine control units (ECU) – cannot be hacked.
Pre-2003 ADR70 trucks use mechanical or simple electrical control systems, these trucks cannot be subjected to cyber attacks.
“These vehicles represent 48 per cent of Australia’s truck fleet,” TIC says.
“‘External’ or ‘remote’ ‘cyber hacking’ on older trucks is not possible because they were not fitted with infotainment and/or telematics systems – the only possible ‘entry point’ for an external cyber attack.”
It goes on to address the era of the sort of truck the UMITRI researchers experimented on, noting that ADR80/00 (Euro 3, 2003 to pre-2008) trucks have varying levels of electronic control, depending on the truck or engine OEM.
Some truck OEMs used J1939 CAN systems in their ADR80/00 trucks, however many did not use J1939.
“These early J1939 systems controlled very few vehicle functions,” it says.
“These trucks were not fitted with OEM infotainment or telematics systems, so there is no ‘external’ or ‘remote’ way of hacking these trucks.
“There is a possibility that some of these trucks could be hacked if they have been fitted with a ‘third party’, or ‘aftermarket’ telematics system … but the likelihood of cyber attach is very low.
“These vehicles represent a further 23.4 per cent of Australia’s truck fleet.”
TIC also underlines the effect of continual technical evolution on vulnerabilities real and perceived.
“It was not that long ago that aircraft and building designers did not consider the threat of someone deliberately crashing a plane into a building, but that is now a key design consideration for those industries,” TIC chief technical officer Mark Hammond says.
“Likewise, truck designers are now not only striving to achieve better fuel economy, vehicle safety and productivity for their customers, but an increased level of cyber security in trucks to protect all road users.
“As our society changes so does the design of many things, including trucks, constantly adapting to the new challenges that we face.”