ELD security a 'shared responsibility,' expert says, as logging devices ID'd as cyberattack vector


The days of fleets comprised of disconnected, self-contained trucks have long passed. Semis in 2024 are sprawling, connected computer and IoT devices on 18 wheels.

For almost a decade, Electronic Logging Devices (ELDs) have been mandatory mainstays in cabs. While the ELD mandate is relatively recent, it isn't as if ELDs were invented 10 years ago; the first ones began appearing on the scene in the early 1980s. And cybersecurity experts say that legacy equals vulnerability.

Legacy meets reality

Michael Hasse, an independent cybersecurity consultant who works in the trucking industry, said most of the ELDs on the road today were designed decades ago.

"That makes retrofitting security into an embedded system like that, when it was never planned for previously, cost-prohibitive for various reasons," Hasse said, adding that implementing security often requires a complete reimplementation and reimagining of the entire product. And usually, manufacturers are slow to react until there's an actual incident. However, the cheapest, most effective way to stop a cybersecurity problem is to prevent it in the first place.

"These security flaws are quite serious, but until somebody starts exploiting them and crashing trucks or hijacking loads, the industry isn't likely to respond in any meaningful fashion, and it may take a government edict to force the issue," Hasse said.

Hasse finds parallels in trucking to what has happened in upscale automobiles like Tesla, where criminals found connectivity vulnerabilities and caused real damage before the issues were fixed.

"Although, even in the case of cars, there's been considerable disparity between manufacturers," Hasse said.

ELD systems will follow a similar arc, with perhaps a few early responders doing a thorough job and capturing a more significant portion of the market, Hasse said, adding, "Those who are slower will likely shut down or be bought out."

What are manufacturers doing?

CCJ contacted some of the leading ELD players to discuss cybersecurity features currently built into their systems.


Geotab, one of the largest ELD manufacturers, prioritizes cybersecurity. A spokesperson for Geotab said security is at the "forefront" of everything they do, adding the company uses cryptographic algorithm integration to fortify their ELDs.

"These technologies validate the authenticity, integrity and confidentiality of every message transmitted to and from our GO devices, and help to mitigate the potential for an adversary to abuse or alter GO firmware," said Don Bailey, senior security researcher at Geotab. "By first securing our GO device, we help ensure the vehicle and its CAN network from any remote attack."

Trimble is another heavyweight in the ELD space, and the company also indicates that it is monitoring the cybersecurity landscape while fortifying its devices.

"Trimble conducts security due diligence, which includes whitebox testing of all our hardware and embedded firmware for vulnerabilities," said Trimble's Global Business Information Security Officer Conan Sandberg, adding testing includes all interfaces.

"Trimble uses several measures of security, including secure certificates and authentication mechanisms, and we do not use default authentication or configuration settings from the manufacturer that malicious actors can target," Sandberg said.

Cybersecurity is constantly evolving, and manufacturers must evolve with it or eventually be stuck with a legacy product vulnerable to the newest attack methods. Sandberg said Trimble is moving its ELD systems in real time to keep up with threats.

"ELD threats are ever-evolving. We strive to measure and understand those threats through advanced vulnerability management scanning, endpoint detection and response, and threat intelligence tooling inside our solutions. We provide updates to the devices and certificates used and manage inter-process communications securely," Sandberg said.

Manufacturer vs. customer?

Then, there is the issue of who is responsible for the ELD's cybersecurity features.

"From the OEM to tech providers to the end user, there is a shared responsibility to maintain best cybersecurity practices," Sandberg said, adding that Trimble continuously invests in developer security training, code scanning solutions and firmware updates. 

"We have a dedicated global cybersecurity staff on hand, including an in-house 24/7/365 Security Operation Center (SOC) and dedicated experts attached to our transportation business," Sandberg said.

The customer, though, can augment the manufacturer's efforts by taking extra steps of its own to protect its ELDs, something Trimble encourages.

"We encourage our customers to implement their own best practices, while also taking advantage of tools like Trimble App Manager offered as part of our Trimble Instinct end-to-end fleet management solution to layer in a robust mobile device management strategy," Sandberg said, adding that they encourage customers to ensure they are correctly safeguarding their credentials, performing cybersecurity awareness training, and applying vendor recommended updates as well.

Data theft is one of the biggest outcomes of hacking into ELDs, but trucking and hacking capture the imagination in other ways. Because the systems are so connected, experts have feared that attackers could turn off a moving truck. For Trimble's part, Sandberg said the way to avoid that scenario is to have robust protections.

"The best defense is a good offense," Sandberg said. 

Preventing the exploitation of initial attack vectors is the best way to ensure a bad actor cannot gain a foothold in a commercial vehicle. To prevent that, Sandberg said Trimble is continually working on cybersecurity capabilities and integrating application security into the product development process while advocating shared responsibility for cybersecurity prevention throughout the connected supply chain.

Your most valuable cargo isn’t what you think

Uptake, which makes security software for trucking, said that manufacturers of ELDs need to be aware of the security risk factors that come with a backlog of data and possible entryways into a truck's connectivity.

"Incorporating security compliance protocols like SOC2 or ISO2700 for all vendors accessing ELD data is a crucial step in ensuring the safety of the data and preventing unauthorized access by hackers and other potential vulnerabilities," said Uptake CEO Adam McElhinney.

McElhinney says another crucial step is implementing tenant isolation, providing data segregation, and enhancing security and privacy for each user of the ELD system.

"Each user's data needs to be stored separately and securely, preventing unauthorized access to sensitive information," McElhinney said, adding that end-to-end encryption protocols secure the data transmitted between the device and the backend systems. 

"This encryption ensures that even if data is intercepted, it remains unreadable to unauthorized parties," McElhinney said.

Up until now, most truckers assumed their most valuable cargo was in their trailer, and that is where security has been focused through the years, with better locks and back-end camera capability. But now some of the most valuable assets on the truck are stored in the ELD.

"Data is one of your fleet's most valuable assets, so implementing these standards will provide a framework for establishing, maintaining and continually improving your fleet's information security management systems," McElhinney said.

Kevin Williams is a journalist based in Ohio who regularly covers real estate, business, politics, tech, and breaking news for The New York Times, Washington Post and CNBC. Before that, he covered the Midwest for Al-Jazeera America. Williams also covers cybersecurity for Barracuda Networks and has written about the freight sector for Mack Truck’s Bulldog Magazine.