Tractor-Trailer Brake Controllers Vulnerable to Remote Hacker Attacks

Researchers have analyzed the cyber security of heavy vehicles and discovered that the brake controllers found on many tractor-trailers in North America are susceptible to remote hacker attacks.

The research was conducted by the National Motor Freight Traffic Association (NMFTA), which is a non-profit organization that represents roughly 500 motor freight carriers, in collaboration with Assured Information Security, Inc.

NMFTA has been analyzing the cyber security of heavy vehicles since 2015 and it has periodically disclosed its findings. The latest report from the organization came in early March, when the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory to describe two vulnerabilities affecting trailer brake controllers.

The flaws described in the CISA advisory are related to the power line communications (PLC) between tractors and trailers, specifically the PLC4TRUCKS technology, which uses a standard named J2497 for bidirectional communications between the tractor and trailer without adding new wires.

PLC4TRUCKS was created in response to a requirement for a warning light in the tractor cab in case the trailer’s ABS system fails. However, the NMFTA discovered that the trailer brake controllers have a great deal of additional J2497 functionality beyond what is required for the ABS warning, and this functionality introduces security risks.

CISA’s advisory describes two vulnerabilities discovered by NMFTA and Assured Information Security researchers: a medium-severity issue tracked as CVE-2022-25922 and related to the lack of authentication and authorization for brake controller diagnostic functions; and a critical-severity flaw tracked as CVE-2022-26131 that is related to the susceptibility of trailer PLC receivers to remote RF attacks.

Ben Gardiner, senior cybersecurity research engineer at the NMFTA, told SecurityWeek that while the most common trailer brake controllers on the road today do not have the capability to activate trailer brakes, which could have serious safety implications, the repeated reception of a command by the controller could lead to the pneumatic reservoirs on the tractor and trailer getting depleted, which can impact the vehicle’s mobility.

Several studies conducted in the past decades showed that a widespread disruption of trucking services could have a significant impact on a nation, and it may be possible to cause such disruptions using cyberattacks.

The NMFTA shared some examples of potential impact from cyberattacks in a study released in 2015. The examples shared in that report include the use of malicious cell transponders placed at key locations in an effort to disable trucks, malicious insiders disabling their company’s trucks using their monitoring and control system, and threat actors strategically targeting one vehicle transporting hazardous cargo.

According to the new research paper from the NMFTA, remote RF attacks can be launched against brake controllers using equipment that costs from $300 to $10,000, from distances of up to 12 ft. The organization said that tankers (used to transport fuel and other liquids) and triple road trains (used to transport a wide range of goods) appear to be more susceptible to attacks compared to other types of vehicles.

The researchers warned that the PLC functionality currently available to attackers poses a serious risk to fleets and the trucking industry in general.

They have described several theoretical attack scenarios, including one in which well-funded attackers place transmitters at road choke points (e.g. ports, tunnels, bridges) to target a significant number of trucks. It’s also possible for an attacker to use a mobile transmitter in a long trailer towed by a passenger vehicle.

In the case of more susceptible equipment, such as tankers, it may be possible to launch an attack with a limited budget over shorter distances — for example, a lane separation or ditch-to-road.

While an attacker could try to cause damage in an effort to immobilize a vehicle, a malicious actor could also cause the ABS fault lamp in the cab to light up, which will likely get the driver to pull over at a safe location.

The NMFTA has released a document describing mitigation options that can be implemented by vendors. The organization believes that — in the long term — J2497 tractor-trailer interfaces should only allow the required ABS warning messages. Diagnostics, resets, or other commands that could be abused for malicious purposes should not be allowed. Additional functionality should be moved to new data buses, ones that are designed with security in mind.

“NMFTA researched trailer brake controllers and communications because, when we began, there appeared to be a gap in knowledge of security of the trailer brake controllers and the industry was at a point where the existing communications standard (J2497 aka PLC4TRUCKS) would no longer be sufficient for fleets; new interface standards were being drafted by task forces in the ATA TMC [American Trucking Associations Technology & Maintenance Council],” Gardiner said.

He added, “NMFTA wanted to ensure that the next tractor trailer interface would be a secure platform for the myriad of functions that fleets would like to deploy on it over the next decades. NMFTA is working with ATA TMC task forces to propose amendments to the recommended practices, both as updates and as new ones have been developed.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
