2 critical vulnerabilities exploitable remotely in trailer brake controllers can cause accidents on highways

Cybersecurity specialists report the detection of two critical vulnerabilities in Power Line Communications (PLC) J2497, a two-way serial communications link used in trailers and other transport vehicles. According to the report, successful exploitation of the reported flaws would allow threat actors to deploy multiple hacking tasks.

Below are brief descriptions of the reported flaws, as well as their respective security keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-25922: An authentication flaw in a critical function would allow unexpected diagnostic functions to be invoked when brake controllers play J2497 messages.

This is a medium severity vulnerability and received a CVSS score of 6.1/10.

CVE-2022-2613: Inadequate protections against electromagnetic injection errors make controllers vulnerable to radio frequency signal emission attacks.

This is a critical severity vulnerability and received a CVSS score of 9.3/10.

The report of these flaws was attributed to Ben Gardiner, a researcher at the National Motor Freight Traffic Association (NMFTA) and researchers Chris Poore, Dan Salloum and Eric Thayer of the security firm Assured Information Security. The report includes some mitigation methods such as:

  • Install a LAMP ON firewall for each vulnerable deployment
  • Use LAMP detection circuits with each trailer
  • Change directions dynamically on each tractor in response to the detection of a transmitter in its current direction

These flaws were publicly disclosed through the Cybersecurity and Infrastructure Security Agency (CISA), which recommends users take a proactive stance to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to drive the implementation of constant impact analysis and risk assessments to know how best to mitigate exploitation risk.

The Agency also provides a guide to recommended safety practices for control systems such as these. Users of these deployments are encouraged to review the guidelines for constant improvement to their security practices.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.