This repository contains the code for a conceptual worm that propagates between trucks via connected Electronic Logging Devices (ELDs). The code mimics real-world ELD configurations we found, specifically: simultaneous access point and station mode WiFi (APSTA mode), a weak default password (`deadbeef77`), a web server on the WiFi network for Over-The-Air (OTA) firmware updates, an additional API endpoint for firmware uploads, and the capability to interact with the truck's Controller Area Network (CAN).
Follow these steps to set up and demonstrate the worm:
1. PlatformIO Installation: This project requires PlatformIO. Install either the PlatformIO IDE or its VSCode extension.
2. Hardware Requirements: The project is designed for DoIT ESP32 Rev. 1.1 boards or similar variants. If you have a different version of ESP32 board, check its compatibility with PlatformIO and update the `platformio.ini` file accordingly. There is no guarantee of functionality with other versions. At least two boards are required to demonstrate the worm's behavior.
3. Downloading the Repository: Clone or download this repository to your local machine.
4. Opening the Project: Launch PlatformIO and open the project. Ensure the `platformio.ini` file is in the root directory for automatic environment setup.
5. Environment Setup: PlatformIO will detect the `platformio.ini` file and start setting up the development environment, which includes downloading the ESP-IDF. This process might take some time.
6. Restarting PlatformIO: After the setup is complete, you might need to restart PlatformIO.
7. Configuration Changes: In the `src/main.c` file, find the `MALICIOUS_ELD` preprocessor directive and set it to false.
8. Firmware Flashing: Connect an ESP32 board to your computer. Use the upload function in PlatformIO to compile and flash the firmware to the board. Refer to the PlatformIO documentation for further instructions.
9. Repeat Flashing Process: Flash each ESP32 board individually, following the same process as in step 8.
10. Powering the Boards: After flashing, disconnect the ESP32 boards from your computer and connect them to a 5V power source, such as a USB power brick.
11. Activating Malicious Mode: Go back to `src/main.c`, change the `MALICIOUS_ELD` directive to true, and recompile the firmware.
12. Locating the Malicious Firmware: After compilation, the malicious firmware will be available at `.pio/build/esp32dotit-devkit-v1/firmware.bin`.
13. Connecting to a Vulnerable Device: Connect your computer to the WiFi network of a vulnerable device, typically named `VULN ELD: <MAC_ADDR>`.
14. Accessing the Firmware Upload Page: Go to 192.168.4.1 in your web browser to find the firmware upload interface.
15. Uploading the Malicious Firmware: Upload the malicious firmware file. The device may not provide feedback upon a successful upload but may respond if an error occurs. An alternative way to confirm that the upload succeeded is to connect the ESP32 board to a computer and check the serial output.
16. Observing the Malicious Firmware in Action: After a successful OTA update, the device reboots with the new firmware. The WiFi SSID should change to `COMP ELD: <MAC_ADDR>`, indicating the device is compromised. The device will then start scanning for and infecting other vulnerable devices within range.
17. Monitoring the Worm's Spread: Track the worm's propagation by observing changes in the WiFi SSIDs or by connecting to and monitoring the CAN bus. The infected devices will emit a malicious Petal Jam TSC1 message.
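As an added defender-side check (not code from this repository), the following script decodes J1939 identifiers from a SocketCAN `candump` log and flags TSC1 (PGN 0) frames sent by source addresses that are not expected to command the engine, which is one way to spot the malicious TSC1 traffic described in step 17 from a laptop on the CAN bus. The expected source addresses, the sample log lines and the rogue address 0xF9 are constructed assumptions for illustration.

```python
# Added example, not code from this repository: a defender-side check that
# scans a SocketCAN candump log for J1939 TSC1 (Torque/Speed Control 1, PGN 0)
# frames sent by source addresses that are not expected to command the engine.
import re
from typing import Dict, List, Tuple

# candump -l line format: "(timestamp) iface ID#DATA"
LOG_LINE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{8})#(?P<data>[0-9A-Fa-f]*)")
TSC1_PGN = 0x0000  # PDU1 format, so the PS byte carries the destination address
# Assumption for illustration: only the transmission (SA 0x03) and the brake
# controller (SA 0x0B) legitimately send TSC1 to the engine on this vehicle.
EXPECTED_TSC1_SOURCES = {0x03, 0x0B}


def j1939_fields(can_id: int) -> Dict[str, int]:
    """Split a 29-bit J1939 identifier into priority, PGN, DA and SA."""
    dp = (can_id >> 24) & 0x1      # Data Page
    pf = (can_id >> 16) & 0xFF     # PDU Format
    ps = (can_id >> 8) & 0xFF      # PDU Specific: DA for PDU1 (PF < 0xF0)
    return {
        "priority": (can_id >> 26) & 0x7,
        "pgn": (dp << 16) | (pf << 8) | (ps if pf >= 0xF0 else 0),
        "da": ps if pf < 0xF0 else 0xFF,  # PDU2 frames are broadcast
        "sa": can_id & 0xFF,
    }


def find_rogue_tsc1(lines: List[str], expected=EXPECTED_TSC1_SOURCES) -> List[Tuple[float, int, int, str]]:
    """Return (timestamp, sa, da, data) for each TSC1 frame from an unexpected source."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a candump frame line; ignore
        f = j1939_fields(int(m.group("id"), 16))
        if f["pgn"] == TSC1_PGN and f["sa"] not in expected:
            hits.append((float(m.group("ts")), f["sa"], f["da"], m.group("data")))
    return hits


# Constructed sample log: an EEC1 broadcast from the engine (PGN 61444), a
# legitimate TSC1 from the transmission, and a TSC1 from SA 0xF9 (assumed rogue).
SAMPLE_LOG = [
    "(1700000000.000100) can0 0CF00400#FFFFFF3A00FFFFFF",
    "(1700000000.010200) can0 0C000003#FFFFFFFFFFFFFFFF",
    "(1700000000.020300) can0 0C0000F9#FFFFFFFFFFFFFFFF",
]

if __name__ == "__main__":
    for ts, sa, da, data in find_rogue_tsc1(SAMPLE_LOG):
        print(f"{ts:.6f}: TSC1 from unexpected SA 0x{sa:02X} to DA 0x{da:02X} data={data}")
```

To run it against a live capture, pipe the output of `candump -l` (or the saved log file) into `find_rogue_tsc1` line by line instead of `SAMPLE_LOG`.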