Takeover Hack Could Affect Millions of Trucks

  • Added 19. 05. 2024
    0:00 Intro
    0:14 Truck Hack!
    5:26 The 3 Million Door Hack
    8:38 Cracking passwords in your browser
    Sources:
    www.ndss-symposium.org/ndss-p...
    • Unmasking the Risk of ...
    www.wired.com/story/saflok-ho...
    go.theregister.com/feed/www.t...
    www.bleepingcomputer.com/news...
    www.wired.com/story/saflok-ho...
    blog.sucuri.net/2024/03/from-...
    wordpress.org/plugins/disable...
  • Entertainment

Comments • 266

  • @ic.84
    1 month ago +430

    The obsession to make everything "smart" strikes again...

    • @aurorajunior6328
      1 month ago +23

      Zack Freeman once said if its functionality is dependent on the cloud, it’s not smart

    • @Resprays
      1 month ago +11

      Mr Robot showed the precise reason to never have a smart home

    • @ImARealHumanPerson
      1 month ago +1

      ​@@Resprays😅

    • @ticijevish
      1 month ago +7

      Hypponen's Law:
      "If it's smart, it's vulnerable."

    • @BillAnt
      1 month ago +5

      Security is like Swiss cheese, they plug one hole while creating another. Often times the best security is simple and low tech.
      It's baffling that the WordPress distributed attack can even work when most sites have a Captcha, a timeout, or total lockout of password attempts within a few tries.

  • @gus473
    1 month ago +306

    The S in ELD stands for Security.... 😎✌️

    • @THEJPR
      1 month ago +17

      The "s" in digitization is for security.

    • @draido-dev
      1 month ago +9

      the R in capitalism stands for morality over profit

    • @waterbloom1213
      1 month ago +5

      ​@@draido-dev
      As if those that have tried alternatives had any sort of moral high ground

    • @blunderingfool
      1 month ago

      @@draido-dev How's that 10 million+ body count, commie? You think you wouldn't be 10'000'001? Keep dreaming, you'll never be the Csar.

    • @xynonners
      1 month ago

      @@draido-dev corporatism

  •  1 month ago +220

    At this age, adblock is no longer about blocking ads. But more to secure you from malicious websites.

    • @multigameplayer1001
      1 month ago +20

      was it cia or fbi saying to use AB? it's part of online safety.

    • @professional.hacker.
      1 month ago +2

      yeah ad blocker is not working anymore

    • @drlauch2256
      1 month ago

      @@professional.hacker. it still is u just gotta use the right one :D

    • @SLRNT
      1 month ago

      @@professional.hacker. works fine. are you using chrome?

    • @RadikAlice
      1 month ago +15

      @@multigameplayer1001 It was the FBI yeah

  • @AshnSilvercorp
    1 month ago +104

    Another case of: _Why are we connecting an infotainment system running Android 6 that can connect to a network to the critical core components of the vehicle?_

    • @WoolyCow
      1 month ago +10

      wdym? we should connect everything to everything! think of the convenience! the convenience i say!

    • @tripplefives1402
      1 month ago

      They are required by law to be both on the internet and connected to the vehicle controllers.

    • @jeremykothe2847
      1 month ago +2

      The spec was probably written by the guy behind the Verge pc build video.

    • @muizzsiddique
      1 month ago +2

      I don't know, I store all my crypto on a Windows Vista PC that is connected to the internet.

    • @jeremykothe2847
      1 month ago +1

      @@muizzsiddique I'm thinking of upgrading mine to Vista. Is it stable yet?

  • @JohnDlugosz
    1 month ago +67

    Don't forget another scenario: drivers or owners hack the ELD to bypass its features of ensuring regulations are followed.

    • @runed0s86
      1 month ago +9

      How dare someone have control over their own private property

    • @jakedhale
      1 month ago +8

      @@runed0s86 "how dare someone break the law"

    • @waveril5167
      1 month ago +6

      So you want sleep deprived truckers that can kill u with one hit?

    • @Lynxiro
      1 month ago +2

      Driver be like: "Why would I care about worker protections that were put into place for a reason."

    • @Skimmerlit
      1 month ago +1

      @@jakedhale Yeah, activists have no business blocking roads or disobeying unjust laws. Law is law.

  • @AnastasiyaSoyka
    1 month ago +39

    I've become increasingly convinced that automobile software security will not be taken seriously unless and until a hacker (or more likely state threat actor) causes a loss of property or life by taking control of a vehicle. It seems like humans prefer to ignore problems until they cannot be ignored any longer.

    • @christopherkidwell9817
      1 month ago +6

      It is more that the government is requiring these things and the companies say "You require these things BUT make US pay for them so WE are not going to upgrade/update until YOU mandate it to save US the outlay of funds!"

    • @aaronpower8741
      1 month ago +1

      @@christopherkidwell9817 I think you are spot on there, but I would word it slightly differently - Government: "You must have an ELD". Company: "We don't care about this. We don't want this. But we must have it, so therefore we'll buy the cheapest model that ticks the government box".
      If a hacker halts an entire truck fleet, or crashes an expensive machine in to a brick wall, then the company will care. But not until then.

    • @awesomecronk7183
      1 month ago +2

      Until they take it from me or it breaks down for good my 90s car is the newest car I'll use

    • @christopherkidwell9817
      1 month ago

      @@aaronpower8741 No, many of the companies know that the ELD's can be hacked, have warned that doing nothing would be better than requiring these hackable devices, and have objected strenuously.
      The problem here is the government trying to do the "We have to do something to cut down on the truck crashes!" when the truck crashes in the grand scheme of things are already rare.

  • @SuperPerry1000
    1 month ago +15

    The words you never want to hear as a security tech: "Hey, let's wire this system up to the internet! It'll be so much easier!" So you're telling me that if someone wanted to, say, cause mass vehicular homicide but not get arrested or killed themselves, all they'd need to do is hack into the truck, apply the accelerator, disable the brakes and watch the show. Hmm.

    • @tripplefives1402
      1 month ago

      Old news though. They started using ELDs back in the early 2000s. They are always online and directly interfaced with the canbus.

  • @Veeger
    1 month ago +80

    None of the "designers" of these systems know anything about security. The future looks farcical.

    • @internallyinteral
      1 month ago +7

      IMO because they're not paid to care. Even if they could do something the manufacturers say NOPE too expensive

    • @christopherkidwell9817
      1 month ago +6

      @@internallyinteral For damned good reason. They do NOT have unlimited funds in the real world, both these truck companies AND the device manufacturers. That is why when the government mandates things like this they should ALSO mandate minimum standards AND make the device themselves to those minimum standards OR do a contract with private companies that are well written to mandate HIGH SECURITY.

    • @runed0s86
      1 month ago +2

      ​@@christopherkidwell9817 Input sanitization and memory-safe programming practices are basic skills.

    • @YTDeletes90PercentOfMyComments
      1 month ago

      The designers of ELDs is the largest surveillance state in the world. If they wanted it to be secure it would.

    • @Aeduo
      1 month ago

      @@runed0s86 and just, not allow the device's hardware to even assert the bus at all.

  • @rvre
    1 month ago +48

    Hopefully this ELD issue will be solved before it's too late. I know that the US roads are dangerous enough and truckers have an extremely hard and important job.
    Wow that's a really interesting wordpress exploit. Extremely clever.
    Love when you upload mate.

    • @Stratxgy.
      1 month ago

      True

    • @shaknaisrael5271
      1 month ago

      Four years on from an FBI warning. I don't think we can really hope that these systems will actually do something as simple as signing firmware.

    • @christopherkidwell9817
      1 month ago

      Hopefully we will realize that having these ELD's in the vehicles is too dangerous and will repeal these laws, saying "There was no real widespread issue in the past, there is no need for these devices!"

    • @christopherkidwell9817
      1 month ago

      @@shaknaisrael5271 Signing won't solve the issue. The only thing that will solve the issue? Removing these devices from their access via the OBD ports.

    • @wackymoder
      1 month ago

      There are wordpress scanner bots out there EVERYWHERE.
      ISTG my website gets hit by at least 5 bots **A DAY** that are looking for this wordpress crap.

  • @51Sebus
    1 month ago +11

    Damn 9:27 thx I am running a wordpress website and was wondering why the heck I have so many failed login attempts. Again thx very much

  • @jerbear7952
    1 month ago +4

    Semis don't even have individual keys. Internationals only have about 6 key variations. I've had to borrow keys from other drivers when I've locked myself out of my truck before.

  • @roberteischen4170
    1 month ago +9

    U-block coming in clutch yet again. Seriously, everyone should download it.

  • @JimJi
    1 month ago +8

    I am amazed you dug up the 9 prong plug for trucks... great research!

    • @tripplefives1402
      1 month ago

      Ironically it's got the same wires just a different plug. It's really just a serial port with some extras.

  • @artifactingreality
    1 month ago +4

    Did you really give DeleteMe power of attorney as it says in the ToC?

  • @mronbrandsoap
    1 month ago +3

    A lot of PACS systems have this kind of issue. Unfortunately, mifare classic has been broken for so long that the config cards were going to be cloned at some point. I do wonder how hard it'd be to use a long range reader at a bar and just snag a whole load of cards and look for patterns, eventually getting the UID / keys for every room.

  • @araghon007
    1 month ago +5

    I live in Slovakia and the public transport system in my city still uses Mifare Classic cards

    • @macjonte
      1 month ago

      We had them in Stockholm as well until some years ago when people found new ways to ride for free. ;)

  • @dhruvgulati1667
    1 month ago +5

    Seytonic please also bring awareness about obd port tools like car sound changers that play sound using engine revs fetching data from obd dongles.

  • @smol_yote
    1 month ago

    As a trucker I can confirm our trucks use locked down android tablets, also under the dash there are cellular routers and switches to give us the truck full connectivity. Hacking these are trivial and a rogue driver only needs to pull the fuse box panel to get access to said equipment

  • @SpragginsDesigns
    1 month ago +2

    I used to be a truck driver and the ELDs are easy to bypass.

  • @boris-bikepack
    1 month ago

    Used to work 2nd line for these systems lol, glad I bailed early!

  • @linuxguy1199
    1 month ago +2

    Uploading of unsigned firmware just shows absolutely *zero* thought was given to security.

  • @Lucian0410
    1 month ago +4

    Common uBlock W

  • @dhruvgulati1667
    1 month ago +4

    Door locks is old vulnerability, it's in mass media now

  • @ISBP
    1 month ago +1

    I DOWNLOADED THIS VIDEO SO I CAN WATCH THIS ON THE DRIVE TO MY HOTEL 😭💀

  • @mikevhx5682
    1 month ago +1

    Works on ships too 😊

  • @Somerandom1922
    1 month ago +2

    Governments really ought to learn that if they want to enforce something technology related they almost always have to regulate the security for it too.
    99% of the time, the free market doesn't care about your security, good security practices are expensive to implement for "no advantage" (for businesses) so why would they spend the time and money?

  • @yntenseinfo
    1 month ago +3

    The question is, why? Why make smart everything?

  • @expl0siveR3x
    1 month ago

    Cover Baltimore bridge next, apparently the ship was hacked, but I doubt it

  • @muizzsiddique
    1 month ago

    The hacker's domain being blocked is usually as a result of the default filter lists that uBO uses. There are bound to be other content blockers that use those same lists since they're not all unique to uBO.

  • @JohnDlugosz
    1 month ago +1

    Sounds like the plot to the next _Fast & Furious_ movie!
    ChatGPT, please write a script for a movie in the "Fast & Furious" franchise that features hackers hacking the ELD of long-haul truckers.

    • @JohnDlugosz
      1 month ago

      Title: **Fast & Furious: Digital Convoy**
      ### Act 1: The Setup
      1. **Introduction to the World of ELD Hacking**
      - Open with a thrilling scene of a long-haul truck carrying a secret cargo. The truck's Electronic Logging Device (ELD) gets hacked, causing chaos on the freeway and allowing the cargo to be stolen by a mysterious group.
      - Introduce the protagonist, a former hacker turned trucker, who is wrongfully accused of the heist.
      2. **The Fast & Furious Team Assembles**
      - The protagonist reaches out to the Fast & Furious team for help in clearing their name and uncovering the real culprits.
      - The team gathers, intrigued by the technological aspect of the crime and its implications on the trucking world.
      3. **Understanding the Threat**
      - The team learns about the vulnerabilities in ELD systems and how they can be exploited to control commercial trucks remotely.
      - They discover a larger plot to disrupt the nation's supply chain by targeting and hijacking high-value shipments.
      ### Act 2: The Conflict
      4. **The Investigation Begins**
      - The team splits up to gather information, with some going undercover in the trucking world and others diving into the hacker community.
      - They encounter a secretive hacker group known for their skills in infiltrating complex networks and systems.
      5. **First Confrontation**
      - The team attempts a daring operation to intercept a truck heist, leading to a high-speed chase involving hacked trucks and the team's signature vehicles.
      - They manage to thwart the heist but realize it's just a small part of a much larger scheme.
      6. **The Mastermind Revealed**
      - Through a combination of hacking, street racing, and detective work, the team identifies the mastermind behind the plot: a tech mogul with a vendetta against the trucking industry.
      - The mogul's plan is to create chaos, then offer a "secure" alternative to ELDs, giving them control over the nation's logistics.
      ### Act 3: The Resolution
      7. **Preparing for the Final Showdown**
      - The team devises a plan to hack into the mogul's system and expose their scheme to the authorities while also setting up a trap to capture them.
      - They modify their vehicles for the ultimate confrontation, integrating counter-hacking technologies and preparing for a battle on the roads.
      8. **The Final Showdown**
      - An epic sequence involving high-speed chases, hacking battles, and intense confrontations on a moving convoy of trucks.
      - The team successfully hacks into the mogul's system, exposing their crimes and clearing the protagonist's name.
      9. **Resolution and Aftermath**
      - The mogul is arrested, and the trucking industry is saved from their malicious plan. The protagonist is hailed as a hero, and the vulnerabilities in ELDs are addressed.
      - The team celebrates their victory, reflecting on how technology can be both a weapon and a tool for good. They ride off, ready for their next adventure.
      ### Key Themes & Elements
      - **Technology vs. Humanity**: The screenplay explores the impact of technology on everyday lives and the importance of human ingenuity and resilience in the face of digital threats.
      - **Community and Loyalty**: The Fast & Furious franchise's core themes of family, loyalty, and the strength of community are highlighted through the team's camaraderie and their integration into the trucking world.
      - **Action and Innovation**: True to the franchise, the screenplay features innovative action sequences, integrating traditional high-speed chases with technological warfare and strategic hacking.
      ========
      That's actually pretty good -- I'd certainly want to see it.
      SORA, please ...

  • @MissFoxification
    1 month ago +2

    In certain vehicles you can reset the security system and/or add new keys via the OBD port. On my old vehicle it had a 15m timer, after that the old keys were removed, the system reset and it would accept new keys.
    That was all it would take to steal that vehicle and it's from one of the major manufacturers, that also has a line of trucks.
    Perhaps the good old kill switch should be connected to the OBD port.

    • @tripplefives1402
      1 month ago

      Modern vehicles with drive by wire can be controlled and driven remotely through the OBD port because it exposes the canbus.

    • @MissFoxification
      1 month ago

      @@tripplefives1402 That's not how it works.
      Not every function is connected to the bus and most of them are just transmitting sensor information. You can't just log in and drive them around like you claim. It doesn't work like that. The system is comprised of limited microcontrollers and it carries mostly sensor information.
      Depending on the system it's only 1Mbit/s or 5Mbit/s for modern cars.
      The worst I have seen is the ability to trigger the self parking mode. At freeway speeds that could easily become fatal. Things like lane assist and collision avoidance could potentially be weaponised because the bus carries the data.
      For most it will be functions like altering some engine parameters which could be used to choke the engine.
      But as I said, it's limited. It's not a remote control.

    • @tripplefives1402
      1 month ago

      @@MissFoxification you do know that they hacked a jeep for defcon and remotely drove it around like freaking 10 years ago right?

    • @MissFoxification
      1 month ago

      @@tripplefives1402 You clearly lack an understanding of the technology and are making massive assumptions. Dunning-Kruger strikes again.
      Let me put this really simply for you.
      You can not connect to a system and operate something that is not connected to the system. That's like saying you can turn my oven off by connecting to my wifi, even though my oven is not connected.
      Drive by wire does NOT mean "Everything is connected to everything else".
      Use some common sense. If every single vehicle could be remotely operated we'd have products on the market that take advantage of that. There'd even be third party "self driving" systems.
      There'd also be cars getting smashed into walls, being hijacked and driven around.. it would be non stop chaos.
      You just don't know what you are talking about and are guessing. Stop it, you're being a fool.
      At least look up the system, look at how it works and learn something instead of assuming you know it all.

    • @sirseven3
      1 month ago

      Yes. Really easy to have an additional relay that is tied to the single 12v power wire but be sure that wire doesn't splice anywhere else as some vehicles share circuits with crucial components.

  • @BlueJDev
    1 month ago

    Duuuooode, the D in devolution is not silent! I prefer the term Backwards progression though

  • @tverdyznaqs
    1 month ago +4

    1:18 god these connectors go SO HARD, I wish I could be charging my phone via something like this instead of boring old usb

  • @nineplusten
    1 month ago

    10:37 A more effective way would be to point the domain to localhost in your device's hosts file, as this does not rely on extensions.

  • @allo-other
    1 month ago +3

    The Law of Unforeseen Consequences strikes again.

  • @Daniel55game
    1 month ago +1

    Thanks to you and a couple other youtubers I became privacy conscious. All the techniques added one on top of the others in order to prevent big tech from getting informations out of me, became a real asset in the same area from hackers and the like. Ublock origin is now just another thing that made me more proud of this choice. Switching was hard but worth it.

  • @foxtailedcritter
    1 month ago +1

    Wish people would stop blaming the flipper. Six years ago there was a tutorial you could look up here that taught you how to make your own box to read and copy hotel cards and anything really to duplicate it. I hid mine in my backpack.

  • @TenForceFalls
    1 month ago

    A story that’s scary local to me. Let’s go CSU Rams!

  • @michaelhicks8603
    1 month ago

    Hacking obd is not just plug and play in that it would require physical access to a staging vehicle first in order to directly observe can-bus functions.
    There is an added layer of complexity due to potential differences between add-on accessories in the same models of vehicles, differences in year models etc. Normally the can-bus functions are at least obscured to such a degree where they appear as a big list of sequential things with no names associated.
    It is possible that some lexicon is used for some classes of things but over all it would be extremely difficult to produce a one-size fits all exploit for even 1 model of truck or car from 1 year and one manufacturer.

    • @aaronpower8741
      1 month ago

      What you are saying makes it an unlikely target for script kiddies, but state sponsored hackers??? Prime target I'd say.

    • @schizophrenicgaming365
      1 month ago

      The commands are obscured but the analytics have generic definitions so I can't imagine it would be hard to compare the current value of, say, the TPS sensor, to other commands going through the canbus until you match the value to whatever command the ECM/injector pump is listening for. But maybe not, I dunno

    • @GrahamCantin
      1 month ago

      That's the case for consumer passenger vehicles, but heavy trucks use J1939, which is extremely standardized so things like refrigerated trailers work when attached to most rigs.

    • @michaelhicks8603
      1 month ago

      @@schizophrenicgaming365 that doesn’t make sense. The commands are yours, it’s the object classes that are obscured in can-bus. You don’t just call the left indicator or O2 sensor, you have to call a list of “things”. Imagine a table full of numbers from 1 to 500. One of those numbers will be associated with the left indicator and another the O2 sensor.
      You have to sit there and find what each thing is in that years model of car with this or that set of factory add-ons and so on

  • @lmexperimt
    1 month ago

    Great content. I guess you finally hired a video editor 😂

  • @Gandingas
    1 month ago +1

    The possibility of a compromised truck causing a horrible accident that could result in fatalities is enough to deter me from trying to exploit these kinds of vulnerabilities, if it were autonomous trucks, maybe but only to corrupt the path finding system to mess with them or just corrupt the control system to disable them.

    • @runed0s86
      1 month ago

      You should always be trying to find exploits and break the systems that you use so you know how to defend against real-world scenarios.

    • @Gandingas
      1 month ago

      ​@@runed0s86​​ very true luckily we have these white hats exposing these vulnerabilities and hopefully it gets corrected before a bad actor exploits them causes a horrible accident

  • @Begin176
    1 month ago +7

    I love Tuesday, only because you upload.

  • @PubRunner
    1 month ago

    Are there similar devices in container ships?

  • @neroherefornow
    1 month ago

    Fast X irl soon w the trucks 😂

  • @UKsystems
    1 month ago

    I believe that manufacturers can issue a software update for the vehicle stopping the screed from doing much to it

  • @Landee
    1 month ago +3

    uBlock Origin the goat

  • @-bravoechodelta255-6
    1 month ago +1

    lmao dormakaba. its two words squished together, dorma and kaba, 2 manufacturers that merged.

  • @brianstephenson3682
    1 month ago +1

    Is there a reason the ELD needs to be able to transmit on the OBD2/CAN bus? Why not just disable the tx functionality so that it operates in a 'listen only' mode? That would at least prevent the vehicles from being remotely hijacked (by ELDs anyway).

    • @newnewmee44
      1 month ago +1

      i think it needs the tx function in order to "ask" and "tell" the ECU what data to transmit. I think the OBD2 is active only on request.

  • @darkromano_
    1 month ago +1

    Thanks for the video!

  • @CZghost
    1 month ago

    If I would be in a hotel with those vulnerable locks, I would be definitely worried. Who can say that what the researchers found wasn't found independently by threat actors as well? Or somebody who reads those security reports might just as well say "Hold my Red Bull" and re-discover the exploit by themselves, and go wreak havoc. Flipper Zero isn't exactly hard to get your hands on, and if you know how to code, and you know how to code malware and some cracking tools that are designed to break codes, then you might as well just use it in the wild. So nope, hearing that there are no documented cases of it being used in the wild doesn't calm me in any way. It's good that those hotels are usually very expensive for me. I might as well just look for a hotel that uses the classic FAB keys. Yeah.

  • @Mohamova
    1 month ago

    But how the distributed cracking password can work with presence of CORS?

  • @renakunisaki
    1 month ago +2

    Because why would you bother with security in a multi-ton death machine that's also critical infrastructure?

    • @TCBOT
      1 month ago

      it's called a key and an immobilizer, unstealable if done well like 2000s Volvos

  • @BradleySmith1985
    1 month ago

    the ELD maybe should only have read access or a physical switch for admin/write access.

    • @GrahamCantin
      1 month ago

      that's not how CAN bus frames work, unfortunately. Gotta write to the bus before you'll get a response code.

    • @BradleySmith1985
      1 month ago

      @@GrahamCantin well that is a bummer

  • @Juanguar
    1 month ago +1

    Yeesh using the obd port is absolutely irresponsible
    But then again I don’t see another way for them to connect without developing a whole new way to do so

  • @Rogue_78
    1 month ago

    I could imagine a ransomware hack where they lock data and then lock the trucks separately

  • @cinemoriahFPV
    1 month ago

    What about ships?

  • @gFamWeb
    1 month ago

    2:30 the "upload firmware" page is the root page? this is like putting a hammer outside your glass door and saying "but it's locked!"

  • @alex59292
    1 month ago

    The Elds driving multiple trucks in my head reminds me of fast and furious

  • @ThePotatoChronicler
    1 month ago

    Does the ELD problem also exist in Europe?

  • @ventusprime
    1 month ago +7

    2:40 why the firmware upload is not locked ????

    • @supernovahm1178
      1 month ago +1

      It's up to the hardware and firmware developers to implement this how they wish. A lot of ELD companies have installers which need to be able to service the devices and having bluetooth capability is a benefit. Bluetooth firmware updates are fairly common in many devices. However bluetooth is complex and lots of companies don't implement it or security for it, correctly.

  • @turner7777
    1 month ago

    Isn’t it impossible to control engine throttle, brakes and steering wheel etc?

  • @haydenhayden
    1 month ago +3

    I love the internet of things! I love adding computers and internet access to mundane things that don’t need it!

    • @tripplefives1402
      1 month ago

      Trucks have been computerized since 2007ish. They used to have sat connections, then 3g and 4g. Modern systems just have a bluetooth dongle and you run the software on an android tablet.

  • @rustymustard7798
    1 month ago

    Hey, I'm watching this from your hotel room!

  • @Kali9030
    1 month ago

    Looks like many of these product developers just don't spare enough time with pentesters to find the bugs.

  • @professional.hacker.
    1 month ago +1

    do you have any cyber security certs???

  • @markyoungkush2925
    1 month ago

    Guess I added that domain to my pinhole server

  • @cdkw8254
    1 month ago +2

    uBlock is the goat in all realms

  • @ejonesss
    1 month ago +1

    why not build a transmitter to sweep the entire 1.4 ghz band or whatever band the wifi is working on to prevent the data from getting out.
    a more legal way would be a deauth attack similar to what hackers use to steal the wifi passwords.
    if they really want to wreak havoc just corrupt the firmware by crashing the installer while flashing making the truck a several hundred thousand dollar brick

    • @TCBOT
      1 month ago

      easy fix replace tcm and ecm done

  • @gameteindifference2350
    1 month ago +1

    So, why aren't these ELDs made as read-only devices? Why do they need complete control over the trucks' computer?

    • @supernovahm1178
      @supernovahm1178 1 month ago +4

      The way the electrical communications busses in lots of vehicles work allows for them to send controls over the same busses which ELDs listen to. Any device on the bus can pretend to be an ECU or report false data, etc. Only cryptographically secure communications using a feature called the transport protocol can actually be signed and authenticated - everything else which is standardised is not cryptographically secure. However, it is worth noting that before wireless communications entered this space - all vehicles were essentially air-gapped. A device which connects to the bus and which allows remote updating is a clear vulnerability. It is obviously necessary that such wireless communications be implemented in such a way that a malicious actor cannot take advantage of them. However, like I said earlier - because Bluetooth is complex, many companies either cannot be bothered or cannot afford to properly learn it or have their engineers learn it. And they fall miles short of implementing it in a secure fashion.

    • @gameteindifference2350
      @gameteindifference2350 1 month ago

      @@supernovahm1178 It seems like in several aspects of life, convenience and privacy/security are inversely related. It's very difficult, if not impossible, to have both at the same time. A shame, really.
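
The read-only design asked about in this thread, sketched as an added example (not code from the video, the research, or any ELD vendor). It assumes the truck bus is SAE J1939 and that a gateway sits between the ELD and the vehicle bus; the allowlist contents, the ELD source address 0xFA and the sample frames are constructed for illustration.

```python
from dataclasses import dataclass

REQUEST_PGN = 0xEA00               # J1939 "Request" parameter group
READABLE_PGNS = {0xFEEC, 0xFEE5}   # assumed ELD needs: VIN, engine hours

@dataclass(frozen=True)
class J1939Id:
    priority: int
    pgn: int
    dest: int
    src: int

def parse_id(can_id: int) -> J1939Id:
    """Split a 29-bit J1939 identifier into its fields."""
    if not 0 <= can_id < (1 << 29):
        raise ValueError("not a 29-bit identifier")
    priority = (can_id >> 26) & 0x7
    page = (can_id >> 24) & 0x3        # extended data page + data page bits
    pf = (can_id >> 16) & 0xFF         # PDU format
    ps = (can_id >> 8) & 0xFF          # PDU specific
    src = can_id & 0xFF                # claimed by the sender, never verified by the bus
    if pf < 0xF0:                      # PDU1: PS is a destination address
        return J1939Id(priority, (page << 16) | (pf << 8), ps, src)
    return J1939Id(priority, (page << 16) | (pf << 8) | ps, 0xFF, src)

def allow_from_eld(can_id: int, data: bytes) -> bool:
    """True only for a Request naming a PGN the ELD is allowed to read."""
    try:
        ident = parse_id(can_id)
    except ValueError:
        return False
    if ident.pgn != REQUEST_PGN or len(data) != 3:
        return False
    return int.from_bytes(data, "little") in READABLE_PGNS

# Constructed frames as seen on the ELD-side port: (identifier, payload).
FRAMES = [
    (0x18EA00FA, bytes.fromhex("ecfe00")),            # request for VIN
    (0x18EA00FA, bytes.fromhex("cafe00")),            # request outside the allowlist
    (0x0CF00400, bytes.fromhex("ffffff0000ffffff")),  # broadcast claiming source 0x00
]

def verdicts():
    """Forward/drop decision for each constructed frame, in order."""
    return [allow_from_eld(can_id, data) for can_id, data in FRAMES]

if __name__ == "__main__":
    for (can_id, _), ok in zip(FRAMES, verdicts()):
        pgn = parse_id(can_id).pgn
        print(f"{can_id:08X} pgn={pgn:05X} -> {'forward' if ok else 'drop'}")
```

Traffic from the vehicle bus toward the ELD would pass unfiltered; only the ELD-to-vehicle direction goes through `allow_from_eld`, so a compromised ELD can ask for data but cannot inject broadcasts or commands.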

  • @Aeduo
    @Aeduo 1 month ago

    One of those devices would have to be remarkably poorly designed to be able to participate on the bus or send commands if it's really not necessary for their function, rather than just sitting on the bus and listening for what's happening.

  • @StillConfusing
    @StillConfusing 1 month ago

    Why the hell would the wireless antennae be on at all times? Like what

  • @asdproducts6590
    @asdproducts6590 1 month ago

    Wait, what if you send incorrect passwords to the hackers, it would be funny lol

  • @techwhipped
    @techwhipped 1 month ago

    Oh great, instead of hackers holding database information for ransom, now they're going to be holding truck companies for ransom remotely.

  • @covle9180
    @covle9180 1 month ago +3

    Hey guys, guess what! The solution to your data being abused everywhere by for-profit companies, is to give your data to another for profit company! Who'd've thought!

  • @fixmehanicar
    @fixmehanicar 1 month ago

    You just unplug it and continue driving on paper log. Nothing new, nothing spectacular.

  • @easternplatypus
    @easternplatypus 1 month ago

    IoT at it again

  • @RetroEcoChicken
    @RetroEcoChicken 11 days ago

    Those RF cards are not news... someone even proved that you can get the code just by being close to it or putting something on a door that would also get the info.

  • @19ate4
    @19ate4 1 month ago

    A government self-made problem
    And of course, “companies” that government employees have stock in will have a solution to this problem.

  • @paulsaulpaul
    @paulsaulpaul 1 month ago +1

    Kind of like paying off a ship captain to crash his ship in the Suez Canal to create a supply shortage... you can just spend a month spreading a worm to shut down most/all of the trucking in a country at the same time. Nicely done.

  • @Hex-Mas
    @Hex-Mas 1 month ago

    GAWD SPEED uBlock

  • @ImbraWolf
    @ImbraWolf 1 month ago

    smart doesn't mean secure

  • @elmehdiezziar
    @elmehdiezziar 1 month ago

    Wow😊

  • @RadicalInteger
    @RadicalInteger 1 month ago

    Office chair?

  • @Rockport1911
    @Rockport1911 1 month ago +2

    I'm not worried about outside hackers that much, even though making every truck in a country suddenly not move anymore would be a disaster. I fear that the data of ELDs can be tampered with to allow owners/drivers to drive longer without getting caught. We have seen this in the past where DPF/AdBlue systems got hacked into thinking they were installed or always topped off to save expenses...

  • @ricearoni2015
    @ricearoni2015 1 month ago

    where is hello world?

  • @SASTSimon
    @SASTSimon 1 month ago

    HELLO

  • @commanderpaladin
    @commanderpaladin 1 month ago +1

    Imagine mining crypto on elds

  • @fokyewtoob8835
    @fokyewtoob8835 1 month ago +1

    I’m so tired of these freaking unskippable ads

  • @Timmahh.
    @Timmahh. 1 month ago

    The release of this info stinks. I wonder if this is to give someone a tip or suggestion. How was the company/companies involved in mfg not contacted to fix before releasing.

    • @schwingedeshaehers
      @schwingedeshaehers 1 month ago

      mfg?
      and what do you mean, which one wasn't notified before?

    • @TheKnowledgeBomB2
      @TheKnowledgeBomB2 1 month ago

      What you mad cause y'all getting hacked 😊

    • @Timmahh.
      @Timmahh. 1 month ago

      @@schwingedeshaehers manufacturing. I said there ‘companies involved’ so they can release a software patch etc

    • @Timmahh.
      @Timmahh. 1 month ago

      @@TheKnowledgeBomB2 maybe if I was a trucker or something lmao

  • @whothis8933
    @whothis8933 1 month ago

    So Brave is not blocking the dynamic site?

    • @BillAnt
      @BillAnt 1 month ago

      The latest version does, including fingerprinting.

  • @ardwetha
    @ardwetha 1 month ago +1

    Truck n roll

  • @leonardonetagamer
    @leonardonetagamer 1 month ago +2

    The c in government stands for common sense

  • @denismilic1878
    @denismilic1878 1 month ago +1

    I'm not an important person and I build all my "smart" devices with my custom protocols and firmware. I feel pretty safe no hacker wants to invest time to hack my systems because the gain is very small.

    • @smoothbraindetainer
      @smoothbraindetainer 1 month ago +1

      Security by obscurity isn't security

    • @denismilic1878
      @denismilic1878 1 month ago +2

      @@smoothbraindetainer Yes, you are right, BUT if you are not an interesting target you are pretty safe.

    • @internallyinteral
      @internallyinteral 1 month ago

      @@smoothbraindetainer why not both??

  • @D.von.N
    @D.von.N 1 month ago

    Do you think the black market obeys some legal letters from delete me? It will actually delete you from your accounts before you say 'excuse me'.

  • @redslashed
    @redslashed 1 month ago

    bruh

  • @remixedcat
    @remixedcat 1 month ago

    government mandated vulnerabilities

  • @d.bk-201
    @d.bk-201 1 month ago +9

    11 views and 22 likes is insane

    • @koghs
      @koghs 1 month ago +2

      Views are updated slower than likes because views also log shitton of other info used for CZcams analytics.

    • @InakiArzalluz
      @InakiArzalluz 1 month ago +1

      Also caching and such

    • @desertdude540
      @desertdude540 1 month ago

      Google quality software.

  • @Sl0st629
    @Sl0st629 1 month ago

    🔓 🔑 Easy

  • @tom_vorlost_riddle
    @tom_vorlost_riddle 1 month ago

    Good video!

  • @sockraltiltemper5402
    @sockraltiltemper5402 1 month ago

    Please God let bad actors shit house prime trucking