Tractor brake controllers are assumed to be isolated from the trailer's noisy powerline network. This research proves that assumption false. In 2024, a major North American recall was issued for Bendix EC80 brake controllers, citing "memory corruption from power-line noise" as the cause. The power-line in question is the J2497 (PLC4TRUCKS) vehicle network, which is wirelessly accessible via CVE-2022-26131. By reverse-engineering the S12X microcontroller recall firmware and performing binary differential analysis of the update across three affected Truck OEMs, we discovered that the update did more than filter noise: it removed code containing critical vulnerabilities in data parsing and interrupt handling.
We will demonstrate that the removed code contained flaws allowing for Denial-of-Service (DoS) and Remote Code Execution (RCE) on the tractor's primary brake controller—bridging the gap from the trailer network to safety-critical tractor systems. We validated these vulnerabilities on a test bench and in a moving truck, where exploitation caused the loss of the speedometer, dynamic steering, and automatic shifting. Our findings confirm that this safety recall was effectively a silent security patch for a massive legacy codebase. We are releasing the IDA Pro analysis scripts and QBinDiff configurations we developed to conquer the S12X banked-memory nightmare. While Bendix's proactive recall is a commendable safety action, the absence of associated CVEs obscures the critical security nature of the fix from the 450,000+ affected users.
