Theft was once a purely physical transaction. A driver heads into a truckstop after fueling only to return and find his fuel has been siphoned. Or maybe a driver is parked on the side of the road for their 10-hour reset, and his cargo is stolen.
The methods and reasons for attacking a trucking company have changed over the years as technology has evolved with much of it now being done digitally. While the most common types of cyberattacks against trucking companies – as with most any company – come from phishing, smishing, ransomware, social engineering, business compromised email and all those popular terms, mostly related to back-office operations, over-the-road attacks on actual trucks have become digital as well.
[RELATED: Business compromised email one of the biggest threats to cybersecurity]
A group of researchers from Colorado State University recently published a paper that details cybersecurity threat vectors surrounding one of the most used devices in the cab of a truck: the electronic logging device.
The paper shares vulnerabilities in commonly used ELDs that could allow hackers to take control of, steal data from and disrupt entire fleets by spreading malware unnoticed between vehicles. These are the three critical vulnerabilities: they can be wirelessly controlled, enabling unauthorized control over vehicle systems; malicious firmware can be uploaded, allowing attackers to manipulate data and vehicle operations; and there is potential for a self-propagating truck-to-truck worm to take advantage of the networked nature of these devices that could result in widespread disruptions in commercial fleets with severe safety and operational implications.
“The challenges highlighted in our paper are substantial, and we have identified several critical vulnerabilities in a particular ELD model that represents a significant share of the existing market,” said systems engineering graduate student Jake Jepson, a primary author of the paper. “The manufacturer is working on a firmware update now, but we suspect these issues may be common and potentially not limited to a single device or instance.”
The team used bench-level testing systems and conducted additional testing on a 2014 Kenworth T270 Class 6 research truck with a connected vulnerable ELD. It modified the firmware of an unnamed popular off-the-shelf ELD to execute an attack on the vehicle.
There are over 14 million medium- and heavy-duty vehicles registered in the U.S. and approximately 880 registered ELDs – most of which share the same or similar architecture with default settings and minimal security features, making it easy to hack multiple devices through one single device, according to the paper. This could look like forcing a truck to pull over or causing the vehicle to collide with an object via wireless manipulation through a Bluetooth or Wi-Fi connection.
[RELATED: NMFTA shares cybersecurity risk predictions for 2024]
“A bad actor who gains access to a wirelessly enabled ELD may be able to quickly spread the malware to other ELDs in its network,” said Stephen Ritzler, transportation and logistics sales manager at CoverWallet, which provides insurance to fleets. “The viral spread of the malware could give large-scale access to a cybercriminal. They could uncover a lot of sensitive information about the routes and transfer points of high-value loads they may have intentions to commandeer.
“They could also interfere with the data related to safe operations of the vehicles,” he added. “This could involve modifying logbook data to incorrectly display hours of use that are beyond the daily limit, which may put the operator of a compromised vehicle at risk for a DOT sanction.”
So, there are many implications for trucking companies in the event of such an attack. Insurance is one of many – not only because an attack could cause an accident, resulting in a rise in insurance costs, but also because insurers use ELDs – many of which now provide telematics and dash cameras – to inform the safety and insurability of the driver and equipment, Ritzler said. Many fleets are now looking into cybersecurity insurance, too. Ritzler said ELD vendors are trusted to safeguard the privacy of their customers' data.
"Always do your due diligence when choosing an ELD provider to ensure it is not only compliant, but also safe from a cybersecurity perspective," said NMFTA Executive Director Debbie Sparks.
The paper emphasizes that ELDs are not currently required to carry security precautions.
“In our evaluation of ELD units procured from various resellers, we discovered that they are distributed with factory default firmware settings that present considerable security risks,” the paper reads.
Mitigations against attacks
“To address the vulnerabilities identified in our research and effectively prevent truck-to-truck worm attacks in electronic logging devices, a multifaceted approach is required,” the researchers wrote. “This approach encompasses the enhancement of default security settings, implementation of robust firmware integrity and authenticity checks and the elimination of unnecessary and high-risk features.”
The researchers offered these suggestions to enhance ELD security:
• Disable unused interfaces and services that are not in active use. The study revealed that while some resellers utilized Bluetooth, others employed Wi-Fi, but none concurrently used both interfaces or the web server. Therefore, ELDs should be configured to disable unused wireless interfaces and the internal web server by default.
• Implement high-entropy default passwords for initial device access via two methods. Generate long, complex, randomized passwords unique to each device during the first provisioning of the device. Alternatively, a standard password prefix could be used, with the last four digits randomized.
• Use a secure firmware signing mechanism involving cryptographic signing of firmware updates to ensure they are not tampered with and originate from a verified source. This ensures that only authentic and untampered firmware is installed on the ELDs, preventing the installation of malicious firmware.
• Eliminate unnecessary API features. The research findings suggest that the ability to send and receive arbitrary CAN messages via an API in a production ELD presents an unwarranted risk without a valid use case, and it is therefore recommended to eliminate this feature from ELDs. Restricting this functionality will significantly reduce the risk of unauthorized access and control over the vehicle’s CAN network, thereby mitigating potential security threats.
• Implement telematics device firewalls or gateways, which serve as an intermediary layer of security between the ELD and the vehicle’s diagnostic port.
The paper highlights these measures as practical, user-friendly and cost-effective. Jeremy Daily, associate professor at the Walter Scott, Jr. College of Engineering at CSU, who led the research, said these findings are important for the trucking industry, but they also inform some of the broader potential vulnerabilities as different assets and infrastructure elements become interlinked.
“Our group will continue to develop adaptable security measures, assessments and models that can easily be integrated into existing operations,” said Jeremy Daily, associate professor at the Walter Scott, Jr. College of Engineering at CSU, who led the research. “These security design patterns can also be utilized over the truck’s lifecycle, from conceptual design to system retirement.”
