A team of specialists from a cyber security consulting company has reported a sensitive information exposure vulnerability in the data sent over Power Line Communication (PLC) buses developed by multiple trailer and brake manufacturers.
In a recently published investigation, the National Motor Freight Traffic Association (NMFTA) details that the vulnerability lies in the bus that carries PLC signals, which is used by the vast majority of the freight transport industry. Specialists point out that it is possible to intercept PLC signals using antennas at a distance of up to 2.6 meters, depending on weather conditions.
In addition, experts from the cyber security consulting company believe that some improvements to the receiver could increase the range of an attack. The damage of a potential attack depends to a large extent on the information sent by the ECUs on the PLC bus of the affected trailer; usually, the traffic of these devices only has to do with failures in ABS systems, so experts do not believe that the confidentiality of users is compromised.
Although the damage this attack could cause is minimal, the Cybersecurity and Infrastructure Security Agency (CISA) considered it necessary to issue this alert to raise manufacturers’ awareness of these types of attacks and thus prevent any loss of sensitive information through abuse of PLC system flaws (an example would be obtaining information about towing configurations).
The flaw is tracked as CVE-2020-14514 and received a score of 4.3/10; as mentioned above, the risk of exploitation is reduced given the conditions required for the attack.
Alternative solutions to mitigate the impact of this flaw are not yet known, although the NMFTA report mentions that manufacturers could reduce PLC emissions by implementing lower ranges and reduced transmission voltage. In addition, the experts of the cyber security consulting company who collaborate with CISA recommend some preventive measures, mainly assessing the confidentiality expected of the PLC traffic present in a potentially affected trailer.