The threat is real

By John Bendel, Land Line editor-at-large

Was it you heading east on I-64 just east of South Jefferson Avenue in St. Louis this past July when a white 2014 Jeep Cherokee slowed to a near stop in front of you? If so, you might have been driving the 18-wheeler Wired Magazine writer Andy Greenberg saw "bearing down on my immobilized Jeep." Greenberg wrote that he saw you and hoped you saw him.

It probably didn't look it at the time, but in fact you were about to steer around a major news event.

The Jeep, it turns out, had been immobilized by two techies a few miles away. They had hacked into the SUV's electronics through the radio/entertainment system. It was a staged publicity stunt, of course, but Greenberg was surprised by when and where the remotely triggered slowdown took place.

The hackers began by turning on the fan and AC, then blasting hip-hop on the radio. Greenberg expected that much, but not that the engine would quit in 70 mph traffic on an elevated stretch of I-64 in downtown St. Louis with nowhere to pull over. At that point, Greenberg wrote, "The experiment … ceased to be fun."

Fun or not, word of the wireless hack in Wired stirred up a storm. Chrysler recalled 1.4 million vehicles that might be vulnerable to a similar hack. The National Highway Traffic Safety Administration (NHTSA) began looking into potential vulnerabilities in General Motors' popular OnStar system, which operates over cellular connections. The agency also announced an investigation of Harman Kardon, which supplied the "infotainment" system that allowed the wireless attackers access to the Jeep, noting that such systems may be installed in many different vehicles - presumably including trucks.

The Jeep hack publicity stunt turned out to be a big deal indeed.

So for truckers, the question arises: If hackers can make that much trouble with a 2-ton Jeep, how much trouble could they make with a 40-ton semi?

Last year in Germany and this year in Las Vegas, Daimler showed off its autonomous truck, in which critical systems are electronically controlled - brakes, steering, and more. In the same time frame, Volvo announced a partnership with Peloton, a Silicon Valley startup that is developing a sophisticated system to enable truck platooning. Trucks one behind the other in platoons will be linked wirelessly to each other as well as to a server on the Internet. Those connections will be added to existing wireless links on many trucks, including telematic systems.

"The risk of hacking is as great for a truck as any machine," said digital security expert David Drescher, "and as you start adding automation to it and wireless networking, you just exponentially multiply your exposure to attack."

Drescher, CEO of Mission Secure LLC, a cyber defense company based in Charlottesville, Va., explained that virtually every vehicle has an electronic connecting module called a bus. The word is short for the Latin omnibus, which means "for all" or "everything." The bus is a microcomputer that connects components within the vehicle and manages commands and communications.

"The bus will be linked to 70 to 100 electronic control units. They control key things on the car or truck that range from windshield wipers to braking, steering, acceleration, you name it. Set the cruise control or hit the anti-lock brakes, it's all controlled by a little computer," Drescher said.

"So the concern is that someone can get into the vehicle's bus or network. Then they can change the software that runs these controllers and essentially do whatever they want."

How much damage they can do depends on the hacker's technical expertise and on how much he knows about the vehicle he's hacking.

"You definitely need to study a particular manufacturer and understand the bus they use in a particular model," Drescher said. "But look at what Miller and Valasek (Charlie Miller and Chris Valasek, the techies who pulled off the Jeep hack) did when they hacked the Jeep bus. They had 400,000 Jeeps to choose from, all configured the same way."

Similarly, a hacker who masters a particular brand and model of truck would presumably have as many potential targets as there are examples of that truck on the road.

Potential hackers, Drescher said, operate at three essential levels.

"One is somebody who doesn't really know much about a car or truck and isn't really a professional hacker but is computer savvy. Then it depends on what tools he or she can find on the Internet and start applying those tools in a hobbyist fashion. That's one end of the spectrum," he explained, noting it's not clear how much damage such a person could do.

"At the other end of the spectrum are people who might work for companies such as The Mitre Corp. that build space weapons systems and crazy stuff like that - super sophisticated people with all the latest tools and facilities," he continued.

That kind of person is unlikely to be in the truck hacking business, unless, perhaps, he's acting for a foreign government or terrorist group.

Then, said Drescher, there's a middle group.

"We've seen a university researcher who used to work for a hospital working on a project with us. He has come up with five or six pretty interesting attacks in a relatively short period. So the level of sophistication for somebody to figure out what to do is not that high," he said.

"So when you're talking about wireless platooning, just the fact that you're putting some type of a wireless mechanism onto a truck, you're giving communication access into that truck, a way to gain entry.

"I don't want to pick on Peloton," he noted. "I don't know what kind of security they have."

Peloton says they have plenty.

"We recognized at the outset the security issues that are involved in having a very connected vehicle. So we built very high-level security into the system at the lowest levels. It's not an afterthought," said Chuck Price, vice president of cloud engineering for Peloton.

"We're building the best available encryption into our systems, both truck-to-truck and truck-to-cloud," he explained.

With Peloton's platooning system, trucks communicate with each other over short-range wireless. They also communicate with a central system on an Internet server that monitors Peloton-equipped trucks and the platoons they might form.

How strong is Peloton's encryption?

"Security professionals like to equate the effort required to crack an encrypted message to the equivalent effort it takes to boil water," Price said.

"The amount of energy required to crack our encryption is equivalent to the amount of energy that would be required to boil all the water in all the oceans. It is a tremendously difficult encryption to crack," he said.

Meanwhile, Volvo says it's aware of the threat.

"We're protecting our current systems with multiple layers of security, and we're not aware of any vulnerabilities at this time," said Avery Vise, manager of public relations for Volvo.

"But certainly we - and the whole industry - need to stay vigilant about security as we continue to explore the many benefits of 'connecting trucks.'"

Vigilance is critical indeed. Digital threats continue to evolve and multiply. Virtually all software must be probed for vulnerabilities and those holes competently patched. In these times, digital security is a never-ending challenge.

"Cyber defense has a short shelf life," said Mission Secure's David Drescher. "So you constantly have to be updating and adding additional defenses."

Oh yes, in case you were the trucker behind the hacked Jeep Cherokee in St. Louis that day in July, we know you made your way around it. Wired writer Andy Greenberg admitted as much, though in the casually unkind way mainstream writers so often do, writing that he "narrowly averted death by semi-trailer."

Really, Andy?