Tyler Biggs, Rik Chatterjee, and Jeremy Daily, Colorado State University
California Senate Bill 210 (SB 210), enacted in 2019, requires the California Air Resources Board (CARB) to enforce emissions compliance through either remotely connected continuous monitoring devices or non-continuous plug-in devices. This led to the establishment of the Clean Truck Check (CTC) program. Most non-continuous plug-in devices collect emissions data through RP1210-based diagnostic tools running in Windows environments. However, these compliance inspection mechanisms inherently trust data from third-party vehicle diagnostic adapters (VDAs), which translate vehicle network messages for CARB-approved software. This trust model assumes the integrity of the RP1210 API, which lacks fundamental cybersecurity controls, leaving it vulnerable to DLL hijacking attacks.
This demonstration exposes a critical security weakness in the CARB Clean Truck Check trust model, showcasing how a shim DLL can intercept and manipulate emissions data before it reaches compliance software. Using both test bench and real-world vehicle configurations, this attack forges emissions reports, effectively bypassing CARB regulations without modifying vehicle hardware or firmware. The shim DLL acts as a transparent proxy, intercepting emissions-related parameters and altering the data before submission. These findings underscore the urgent need for regulatory bodies to understand the limitations of the security model upon which they build their compliance enforcement mechanisms.
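A defender-side integrity audit for the VDA driver DLLs that compliance software loads, as an added example that is not from the paper or from CARB. It assumes the RP1210 convention of an `RP121032.INI` file whose `[RP1210Support]` section lists vendor implementations under `APIImplementations`, each backed by `<name>.dll`; the vendor names, file contents, and pinned hashes are constructed for the demo.

```python
import configparser, hashlib, os, tempfile

def listed_implementations(ini_text):
    """Return vendor API names from an RP121032.INI-style file (assumed layout)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get("RP1210Support", "APIImplementations", fallback="")
    return [n.strip() for n in raw.split(",") if n.strip()]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(ini_text, dll_dir, pinned):
    """Classify each listed DLL as ok, mismatch, missing or unpinned."""
    result = {}
    for name in listed_implementations(ini_text):
        path = os.path.join(dll_dir, name + ".dll")
        if name not in pinned:
            result[name] = "unpinned"      # no trusted hash on record
        elif not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) == pinned[name]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"      # file differs from the pinned vendor build
    return result

def demo():
    # Constructed INI content and stand-in "DLL" files; not real vendor data.
    ini = "[RP1210Support]\nAPIImplementations=VENDORA32,VENDORB32,VENDORC32\n"
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("VENDORA32", b"vendor A build"),
                           ("VENDORB32", b"replaced file")):
            with open(os.path.join(d, name + ".dll"), "wb") as f:
                f.write(body)
        pinned = {
            "VENDORA32": hashlib.sha256(b"vendor A build").hexdigest(),
            "VENDORB32": hashlib.sha256(b"vendor B build").hexdigest(),
        }
        return audit(ini, d, pinned)

if __name__ == "__main__":
    print(demo())
```

A check like this only has value when the pinned hashes come from a source the inspected machine's operator cannot alter, since the same party controls both the DLL and any local allowlist.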
