Researchers debut Truck Duck security tool

The University of Tulsa’s expertise in heavy vehicle security is expanding with the release of an inexpensive security tool that can monitor big rig networks. Instructions on how to build TU’s Truck Duck analysis system, requiring only a small computer and board, are available online for free. Total cost of materials to build the device is around $100.

Developing a prototype
Research network manager Andrew Kongs and James Johnson (BS ’10, MS ’12, PhD ’15) from the Tandy School of Computer Science spent a year designing the Truck Duck prototype. Both previously worked on Defense Advanced Research Projects Agency-funded projects related to heavy vehicle security including TU’s Truck-in-a-Box concept and a forensic link adapter that downloads digital data from heavy vehicles. The adapter is sold commercially through the spin-off company Synercon Technologies in Tulsa.

“Without the testing environment the Truck-in-a-Box gave us and the background the other grant gave us for how to use engine control modules to code data, this project probably wouldn’t have happened,” Kongs said.

The previous research was a launching pad for the Truck Duck tool, which conducts basic communication between heavy vehicles. The device is open source with no proprietary data or capabilities to download forensics or crash information. It simply talks to a vehicle, speaks its language and performs analyses.

“It’s a lower price point of entry than anything that’s currently available, and at the same time it’s probably more powerful than some of the expensive proprietary tools that cost thousands of dollars,” Kongs said.

Johnson specialized in the software design, while Kongs built the hardware. All files are posted online and are released under an open source license. Although the security tool is intended to analyze and protect vehicle data, the researchers said their Truck Duck device also may be used as a hacking mechanism.

“Any security tool can be used either for good or bad things,” Johnson said.

When the technology debuted at the 2016 DEF CON conference, Kongs’ and Johnson’s presentation included an example of the Truck Duck’s security impact. Their demonstration featured the monitoring of an engine’s configuration software.

“I realized if I can monitor it, I can probably alter what it’s doing,” Johnson said. “I wrote a very basic piece of malware that changes what the software does without anyone being able to tell.”

They used information gained by using the Truck Duck’s technology to manipulate a vehicle’s engine control module, and Johnson’s malware represented proof of concept for hacking heavy vehicles.

“We were showing what things you can find when you do that kind of analysis on a truck,” Kongs said.

Fleet Vehicle Risks
Fleet vehicles are routinely plugged into a diagnostic computer to download reports after long trips, but if the computer’s security has been compromised, settings can be changed without the software technician’s knowledge. A truck regulated to 70 miles per hour will show 70 in its report, but malware could attack the vehicle and reduce speed, for example, to 30 mph.

“There would be no visible reason for this to happen,” Johnson said. “If you have an entire fleet where these trucks are torn apart trying to find a mechanical problem because the configuration software doesn’t show anything different—that could have a real economic impact.”

Another application Kongs and Johnson said poses a threat to heavy vehicle security is the telematics units attached to the dash of trucks. These devices can run Windows, hold SD cards and are used for email and other basic functions. If SD cards with malicious content are inserted or the units are hacked, vehicle operations can be manipulated with dangerous consequences. TU’s inexpensive solution can detect suspicious activity in a truck’s onboard technology.

“The Truck Duck is a foothold,” Kongs said. “It’s a way to digitally remain in the vehicle without doing something bad and you can run analysis whenever you want to.”

Since its DEF CON debut, the security tool has generated interest among potential research sponsors. Kongs and Johnson plan to fine-tune the Truck Duck’s technology for further development.