AIS brings awareness of vulnerabilities to transportation systems


ROME — Assured Information Security (AIS) and the National Motor Freight Traffic Association, Inc. have published two new vulnerabilities within Trailer Power Line Communications (PLC) signals, now totaling three vulnerabilities discovered by the team and published by the Cybersecurity and Infrastructure Security Agency (CISA).

Last month CISA issued an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advisory to bring awareness of the vulnerabilities to the transportation systems sector.  

AIS researchers Dan Salloum, Chris Poore and Eric Thayer and NMFTA researcher Ben Gardiner reported these vulnerabilities to CISA.  

“This research has focused on raising industry awareness to the potential issues that could impact the reliability and integrity of connected systems,” said Thayer, principal investigator at AIS. “These vulnerabilities could lead to the exposure of sensitive information or possibly enable attacker access to the vehicle bus, so it’s essential to take defensive measures to minimize the risk of exploitation.” 

“With these new discoveries, our team now has three published vulnerabilities as a result of PLC research performed under AIS’ Internal Research and Development Program, which helps shape employees’ concepts and ideas to create future programs for the company and provide value to our customers,” said Cat Hulser, of AIS. “This is an incredible accomplishment for AIS and it’s rewarding to know that we’re helping to create a safer transportation sector in our community, while continuing to build our reputation as leading researchers in the field.”  

The research indicates that there is missing authentication for critical function and improper protection against electromagnetic fault injection in PLC: J2497, also known as PLC4TRUCKS. Successful exploitation of the vulnerabilities could allow a nearby attacker to execute diagnostic functions in the trailer or light the trailer ABS fault telltale in a tractor. 

CVE-2022-25922 has been assigned to the first vulnerability and a CVSS v3 base score of 6.1 has been calculated. CVE-2022-26131 has been assigned to the second vulnerability and a CVSS v3 base score of 9.3 has been calculated.  


No comments on this item Please log in to comment by clicking here