Trailer Power Line Communications (PLC) J2497

Plan Patch9.3ICS-CERT ICSA-22-063-01Mar 4, 2022

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Power Line Communications (PLC) J2497 (PLC4TRUCKS) is a bidirectional serial communications link used over vehicle power supply lines in trailers. Vulnerabilities in this protocol allow a nearby attacker to execute diagnostic functions on the trailer or trigger the trailer ABS fault telltale in the tractor. The vulnerabilities stem from lack of authentication and message validation on the PLC link.

What this means

What could happen

An attacker within radio/power line proximity could execute diagnostic commands on trailer systems or falsely trigger ABS fault indicators, potentially causing the tractor driver to lose confidence in braking systems or allowing unauthorized diagnostic access to trailer electrical and brake systems.

Who's at risk

Transportation and logistics operators managing trailers equipped with J2497 PLC systems should care about this vulnerability. Specifically, fleet operators, truck manufacturers integrating J2497 into trailers, and roadside service facilities that work with trailer electrical and brake systems are affected.

How it could be exploited

An attacker positioned near a trailer (within power line carrier signal range) can craft malicious PLC messages and inject them into the vehicle power supply line. These messages are interpreted by trailer receivers and executed without authentication, allowing the attacker to run diagnostic functions or trigger fault signals that propagate to the tractor cabin display.

Prerequisites

Proximity to the vehicle (power line carrier signal transmission range)
Ability to generate or inject power line carrier signals on or near the vehicle electrical system
No authentication or encryption required to execute commands

remotely exploitable (via power line carrier)no authentication requiredlow complexity attackaffects safety systems (ABS braking)no patch availableactively used in commercial transportation

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

Power Line Communications (PLC): J2497 (a.k.a. PLC4TRUCKS) a bidirectional serial communications link over the vehicle power supply line is affectedJ2497No fix yet

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDCoordinate with fleet management and training programs to alert drivers to verify ABS fault indicators and not assume immediate system failure without visual inspection

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGReview and restrict physical access to power supply and electrical connection points on trailers to limit attacker opportunity for signal injection

Long-term hardening

0/2

HARDENINGImplement network segmentation and shielding of power line carrier circuits where feasible to reduce the attack surface and limit signal injection points

HARDENINGEstablish monitoring and logging of PLC diagnostic function calls on trailers to detect unusual command patterns

CVEs (2)

CVE-2022-25922 CVE-2022-26131

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b543ac67-62b7-4ca8-819d-f4ae6cd007c1