Attack data from electronic logging device for medium and heavy duty vehicles
Data files
Mar 15, 2025 version files 13.88 MB
- README.md (2.45 KB)
- Wireless_Pedal_Jam.log (13.87 MB)
Abstract
Modern commercial vehicles are required by law to be equipped with Electronic Logging Devices (ELDs) in an effort to make it easier to track, manage, and share records of duty status (RODS) data. Research has shown that integration of third-party ELDs into commercial trucks can introduce a significant cybersecurity risk. This includes the ability of nefarious actors to modify firmware on ELDs to gain the ability to arbitrarily write messages to the Controller Area Network (CAN) within the vehicle. Additionally, a proof-of-concept self-propagating truck-to-truck worm has been demonstrated.
This dataset was collected during controlled testing on a Kenworth T270 Class 6 truck with a commercially available ELD, during which the firmware on the ELD was replaced remotely over a Wi-Fi connection from an adjacently driving passenger vehicle. The compromised ELD then gained the ability to perform arbitrary CAN message writes of the attacker’s choice. The dataset contains CAN traffic in the `candump` format collected using the Linux `socketcan` tool.
After taking control of the ELD, the attacker writes Torque Speed control messages onto the CAN network, impersonating the Transmission Control Module (TCM). These messages command the Engine Control Module (ECM) to request 0% torque output, effectively disabling the driver’s control of the accelerator and forcing the truck to idle.
Attack data for electronic logging device vulnerability for medium and heavy duty vehicles
Dataset Overview
This dataset contains Controller Area Network (CAN) logs captured using `candump` from the SocketCAN framework during a remote drive-by attack on an electronic logging device (ELD). The attack is detailed as a public advisory through CISA at: https://www.cisa.gov/news-events/ics-advisories/icsa-24-093-01. The logs are in a traditional `.log` format, preserving raw CAN messages, timestamps, and metadata. This dataset is intended for research, forensic analysis, anomaly detection, and reverse engineering of vehicular communication networks.
File Format
Each `.log` file follows the standard `candump` output format:

```
(1623847291.123456) can0 0CF00400 [8] FF FF FF FF FF FF FF FF
```

Explanation:
- Timestamps (`(1623847291.123456)`) – Epoch time with microsecond precision.
- CAN Interface (`can0`) – The name of the CAN bus interface used for capturing.
- CAN ID (`0CF00400`) – The hexadecimal identifier of the CAN frame.
- DLC (`[8]`) – Data Length Code, indicating the number of bytes in the data field.
- Data (`FF FF FF FF FF FF FF FF`) – The payload transmitted in the CAN message.
Dataset Contents
- `Wireless_Pedal_Jam.log` – Raw CAN logs collected on a specific date.
Capture Environment
- Hardware Used: SocketCAN
- Software Used: `candump` from the `can-utils` package on Linux.
- Vehicle/System: 2014 Kenworth T270
- Bus Type: J1939
Usage
To analyze the dataset, you can use the following tools:
- `candump` (for live monitoring)
- `canplayer` (to replay logs)
- `can-utils` (`cansniffer`, `canbusload`, `canlogserver`, etc.)
- Python with `python-can` (for programmatic parsing)
- Wireshark (for visualization)
Example Commands
Replaying the Log File

```bash
canplayer -I dataset_YYYYMMDD.log
```

Filtering Messages by CAN ID:

```bash
cat dataset_YYYYMMDD.log | grep "0CF00400"
```
Converting Logs to CSV
Using Python:
```python
import pandas as pd

log_file = "dataset_YYYYMMDD.log"
data = []

with open(log_file, "r") as f:
    for line in f:
        parts = line.strip().split()
        # Expected fields: (timestamp) interface CAN_ID [DLC] byte0 byte1 ...
        # A frame with DLC 0 has no data bytes, so four fields are enough.
        if len(parts) >= 4:
            timestamp = parts[0].strip("()")
            interface = parts[1]
            can_id = parts[2]
            dlc = parts[3].strip("[]")
            data_bytes = " ".join(parts[4:])
            data.append([timestamp, interface, can_id, dlc, data_bytes])

# One row per CAN frame, written without the pandas index column.
df = pd.DataFrame(data, columns=["Timestamp", "Interface", "CAN_ID", "DLC", "Data"])
df.to_csv("dataset.csv", index=False)
```
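
The abstract describes the attack as torque/speed control messages sent in the TCM's name that request 0% torque. The following added example (not part of the dataset's README) decodes such frames from the log layout documented above and reports sustained runs of them. It assumes standard SAE J1939 conventions the README does not state (TSC1 is PGN 0x0000, transmission source address 0x03, engine address 0x00, override mode in byte 1 bits 1-2, requested torque in byte 4 with a -125% offset); `min_frames` is a hypothetical threshold and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Console candump layout described in this README: (epoch.usec) iface ID [DLC] bytes
LINE_RE = re.compile(
    r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]{8})\s+\[\d\]\s+((?:[0-9A-Fa-f]{2}\s*)*)")
Tsc1 = namedtuple("Tsc1", "ts sa da mode torque_pct")

# Constructed sample lines (not taken from Wireless_Pedal_Jam.log).
SAMPLE = """\
(1700000000.000000) can0 0CF00400 [8] FF FF FF FF FF FF FF FF
(1700000000.010000) can0 0C000003 [8] FC FF FF FF FF FF FF FF
(1700000000.020000) can0 0C000003 [8] FF FF FF 7D FF FF FF FF
(1700000000.030000) can0 0C000003 [8] FF FF FF 7D FF FF FF FF
(1700000000.040000) can0 0C000003 [8] FF FF FF 7D FF FF FF FF
(1700000000.050000) can0 0C000003 [8] FC FF FF FF FF FF FF FF
"""

def parse_tsc1(line):
    """Decode one log line; return a Tsc1 tuple, or None if it is not TSC1."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    can_id, data = int(m.group(2), 16), bytes.fromhex(m.group(3))
    pf, ps, sa = (can_id >> 16) & 0xFF, (can_id >> 8) & 0xFF, can_id & 0xFF
    # TSC1 is PGN 0x0000 (assumed from J1939): PDU format 0, data-page bits clear.
    if pf != 0 or (can_id >> 24) & 0x03 or len(data) < 4:
        return None
    mode = data[0] & 0x03        # override control mode, 0 = override disabled
    torque_pct = data[3] - 125   # requested torque/limit: 1 %/bit, offset -125
    return Tsc1(float(m.group(1)), sa, ps, mode, torque_pct)

def zero_torque_runs(lines, sa=0x03, da=0x00, min_frames=3):
    """Return (first_ts, last_ts, frames) for sustained 0 % torque overrides sa -> da."""
    runs, cur = [], []
    frames = [f for f in map(parse_tsc1, lines) if f and (f.sa, f.da) == (sa, da)]
    for f in frames + [None]:              # None sentinel flushes the last run
        if f and f.mode != 0 and f.torque_pct == 0:
            cur.append(f.ts)
            continue
        if len(cur) >= min_frames:         # run ended; keep it if long enough
            runs.append((cur[0], cur[-1], len(cur)))
        cur = []
    return runs

if __name__ == "__main__":
    for first, last, n in zero_torque_runs(SAMPLE.splitlines()):
        print(f"{n} consecutive 0 % torque overrides, {first:.6f} .. {last:.6f}")
```

A healthy transmission can also send short TSC1 torque limits during gear shifts, so tune `min_frames` against benign traffic from the same truck before treating a run as an indicator.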