Monday, March 17, 2025
Researchers Remotely Hack Commercial Trucks & Buses to Unlock Them


Security researchers have issued an urgent warning that commercial trucks and buses are significantly more vulnerable to cybersecurity attacks than passenger vehicles, potentially leading to catastrophic consequences.

According to a comprehensive analysis by security experts, trucks represent more attractive targets for hackers due to their complex software systems, standardized components, and greater potential financial gains from successful attacks.

As these vehicles become increasingly connected and autonomous, implementing robust security protections has become a critical necessity for the transportation industry.

Heavy-Duty Vehicles Face Greater Cybersecurity Risks Than Cars

Commercial trucks and buses are particularly susceptible to cybersecurity threats compared to passenger vehicles for several key reasons.

These vehicles typically utilize more complex software-driven functionality, create and exchange more data through powerful wireless communication channels, and feature more standardized, homogeneous systems.

Security researchers Marko Wolf and Robert Lambert warn that “compared with standard passenger vehicles, heavy-duty vehicles will be even more susceptible to cybersecurity threats.”

The widespread use of the SAE J1939 in-vehicle network protocol across virtually all modern trucks creates a particularly concerning vulnerability, as recently demonstrated by security researchers who successfully executed attacks on a class-8 semi-tractor and a school bus.

This standardized protocol makes attacks easier to execute than in passenger cars.

Additionally, the higher value of commercial vehicles (typically exceeding €100,000) and their valuable or dangerous cargo make them particularly attractive targets.

Trucks remain in motion up to 20 hours daily, travel three times the distance of passenger cars, and can weigh up to 30 times more, magnifying the potential consequences of security breaches.

While passenger vehicle security has received considerable attention from researchers and media, heavy-duty vehicle security has only recently begun to be investigated thoroughly, creating a dangerous gap in security engineering at a time of accelerating technological change.

Four Major Cybersecurity Threats to Trucks and Buses

Security researchers have identified four primary categories of cybersecurity attacks that pose significant risks to heavy-duty vehicles.

Physical theft remains a prominent threat, with thieves exploiting vulnerabilities in remote keyless entry systems and immobilizer implementations.

Reports of quick thefts of locked trucks have raised suspicions that cybersecurity-based approaches are already being used by criminals.

The damage potential for heavy-duty vehicle theft is rated as “critical” compared to “significant” for passenger vehicles.

Manipulation attacks on electronic vehicle functionality represent another common threat, often executed by legitimate owners or drivers to circumvent legal restrictions.

These include disabling exhaust gas treatment systems, tampering with emergency brake systems, or manipulating speedometers and tachographs.

With modern vehicle architectures, virtually all manipulation attacks can be executed electronically with minimal physical intervention, typically through easily accessible onboard diagnosis interfaces.

Data theft and misuse attacks present a “high” cybersecurity risk for commercial vehicles.

Intellectual property theft for counterfeit parts is already a $12 billion per year problem for the automotive industry, with truck braking systems being among the most frequently counterfeited components, resulting in numerous fatal accidents.

Economic espionage is also more likely with commercial trucks, as many modern trucks enable manufacturers, logistics operators, and sometimes even customers to have considerable remote access to internal vehicle data.

Safety attacks represent the most catastrophic potential threat.

Researchers have demonstrated attacks against steering, acceleration, and braking systems in both passenger vehicles and heavy-duty trucks.

The standardized J1939 protocol used in virtually all modern trucks makes such attacks easier to execute than in passenger cars, as the costly attack preparation step of reverse engineering internal commands becomes unnecessary.

Multi-Layered Protection Strategy Essential for Vehicle Security

To counter these significant threats, experts recommend a holistic, systematic approach to heavy-duty vehicle cybersecurity based on three fundamental principles: security for the entire vehicle system, security throughout the complete vehicle lifecycle, and security across the entire vehicle organization.

“For sustainable vehicular security, it is necessary to always consider the whole vehicle system starting from the individual ECU up to the connected services in the backend, since a smart attacker would also check the whole vehicle system for the weakest link,” the researchers explain.

Typical heavy-duty vehicle E/E architecture with its various wired and wireless

This approach requires multiple lines of defense, as any single protection measure might become compromised.

A comprehensive technical security architecture should include automotive-capable hardware security modules as trust anchors, secure boot protection for ECU firmware, and secure onboard communication protocols.

Multiple lines of defense protecting the entire heavy-duty vehicle system.

Vehicle-external communication should be protected by central gateways equipped with vehicular intrusion detection and response systems.

Additionally, the in-vehicle electronic architecture should separate connected ECUs into mutually isolated sub-networks of different security classes.
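The gateway filtering and sub-network separation described above can be sketched as follows. This is an added example, not code from the researchers or the article: it decodes the publicly standardized J1939 29-bit identifier layout and applies a default-deny policy to frames arriving on an external-facing segment. The segment split, the allowlist and the verdict names are assumptions made for illustration, and the sample frames are constructed.

```python
from typing import NamedTuple

class J1939Id(NamedTuple):
    priority: int
    pgn: int    # parameter group number
    dest: int   # destination address (0xFF = broadcast)
    src: int    # source address (unauthenticated in plain J1939)

def parse_j1939_id(can_id: int) -> J1939Id:
    """Split a 29-bit extended CAN identifier using the SAE J1939 field layout."""
    if not 0 <= can_id < (1 << 29):
        raise ValueError("J1939 uses 29-bit identifiers")
    priority = (can_id >> 26) & 0x7
    page = (can_id >> 24) & 0x3    # extended data page and data page bits
    pf = (can_id >> 16) & 0xFF     # PDU format
    ps = (can_id >> 8) & 0xFF      # PDU specific
    src = can_id & 0xFF
    if pf < 240:                   # PDU1: peer-to-peer, PS is the destination
        return J1939Id(priority, (page << 16) | (pf << 8), ps, src)
    return J1939Id(priority, (page << 16) | (pf << 8) | ps, 0xFF, src)  # PDU2: broadcast

# Assumed policy for this sketch (not from the article):
CONTROL_SEGMENT_ADDRS = {0x00, 0x0B}   # engine #1 and brake controller sit behind the gateway
ALLOWED_INBOUND = {(0xEA00, 0xF9)}     # diagnostic tool (0xF9) may send only Request (PGN 0xEA00)

def gateway_decision(can_id: int) -> str:
    """Verdict for a frame received on the external-facing segment."""
    frame = parse_j1939_id(can_id)
    if frame.src in CONTROL_SEGMENT_ADDRS:
        return "alert"      # protected ECU's address seen on the wrong side: spoofing indicator
    if (frame.pgn, frame.src) in ALLOWED_INBOUND:
        return "forward"
    return "drop"           # default deny between security classes

# Constructed sample frames, all observed on the external-facing segment.
SAMPLES = [0x18EA00F9, 0x18FEF1F9, 0x0CF00400]

if __name__ == "__main__":
    for can_id in SAMPLES:
        print(f"{can_id:08X}", parse_j1939_id(can_id), gateway_decision(can_id))
```

Because J1939 source addresses carry no authentication, the "alert" branch only works when the gateway knows which physical segment a frame arrived on, which is the reason for isolating sub-networks in the first place.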

Unlike traditional engineering, security engineering requires a continuous lifecycle approach from initial requirements through product phase-out – which for heavy-duty vehicles can mean up to 20 years.

Continuous vehicle security lifecycle with exemplary security operations per lifecycle phase, which are executed continuously until product phase-out, to be able to react to the continuously changing security environment.

This continuous process enables manufacturers to respond to newly identified vulnerabilities and evolving threats throughout a vehicle’s operational life.

Organizationally, effective vehicle security demands cross-divisional integration and strong commitment from the entire company.

Researchers recommend establishing dedicated roles including Vehicle Security Officers embedded within various departments, a central Vehicle Security Center with dedicated experts, a specialized Incident Response Team, and executive leadership in the form of a Chief Vehicle Security Officer reporting directly to the management board.

As commercial vehicles continue their rapid technological evolution, implementing these multi-layered security measures has become not just a technical necessity but a critical safety imperative for the entire transportation industry.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
