Researchers at Colorado State University have uncovered alarming vulnerabilities in Electronic Logging Devices (ELDs) used in millions of commercial trucks across the United States. These flaws could allow attackers to remotely control vehicles, manipulate data, and even spread malware between trucks, potentially causing widespread disruption in the trucking industry. The findings highlight the urgent need for improved security measures in these critical systems.
ELDs Present in Over 14 Million Commercial Trucks
According to the research conducted by associate professor Jeremy Daily and graduate students Jake Jepson and Rik Chatterjee, the vulnerabilities found in common ELDs could be present in more than 14 million medium- and heavy-duty trucks in the US. While there are around 880 registered ELD devices, only a few tens of distinct models are actually in use on the roads.
The federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours, log engine operation data, vehicle movement, and distances driven. However, these devices are not required to have tested safety controls built in, leaving them open to potential exploitation by malicious actors.
Researchers Demonstrate Wireless Manipulation of ELDs
The researchers pointed out three main vulnerabilities in the ELDs they tested. Using bench-level testing systems and a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD, they showcased how these devices can be wirelessly manipulated by another vehicle on the road.
For example, an attacker could force a truck to pull over by sending commands to the ELD. The academics also discovered that the devices are distributed with factory default firmware settings, which present considerable security risks, including exposed APIs and weak default passwords.
Drive-By Attacks and Truck Stop Targeting
Attackers can exploit the vulnerabilities in ELDs by being within the wireless range of the targeted truck. This can be achieved through drive-by attacks or by targeting trucks at locations where they tend to congregate, such as truck stops, rest stops, distribution centers, and ports.
The ELDs use a Controller Area Network (CAN) bus to communicate, and the researchers demonstrated how anyone within wireless range could send arbitrary CAN messages to disrupt some of the vehicle’s systems. Additionally, attackers can connect to the device and upload malicious firmware to manipulate data and vehicle operations.
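As an added example (not code from the researchers or any ELD vendor), one way to contain the arbitrary-CAN-message risk described above is a gateway between the ELD and the vehicle bus that forwards only the few frames a logging device needs to transmit. It assumes the truck bus carries SAE J1939 29-bit identifiers; the ELD source address 0xFA and the two-entry allowlist are hypothetical policy values chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Extract the 18-bit J1939 Parameter Group Number from a 29-bit CAN ID.
 * Layout: priority(3) | EDP(1) | DP(1) | PF(8) | PS(8) | SA(8). */
uint32_t j1939_pgn(uint32_t can_id)
{
    uint32_t pgn = (can_id >> 8) & 0x3FFFFu;        /* EDP, DP, PF, PS */
    uint8_t pf = (uint8_t)((can_id >> 16) & 0xFFu);
    if (pf < 240u)              /* PDU1: PS is a destination address, */
        pgn &= 0x3FF00u;        /* so it is not part of the PGN       */
    return pgn;
}

uint8_t j1939_source(uint32_t can_id) { return (uint8_t)(can_id & 0xFFu); }

/* Assumed policy (hypothetical values, not taken from the article). */
#define ELD_SOURCE_ADDR 0xFAu
static const uint32_t ELD_TX_ALLOW[] = {
    0x00EA00u,  /* Request: ask other controllers for data to log */
    0x00EE00u,  /* Address Claimed: network management            */
};

/* Decide whether a frame arriving from the ELD side may reach the bus. */
bool eld_tx_permitted(uint32_t can_id, bool extended)
{
    if (!extended || can_id > 0x1FFFFFFFu)
        return false;           /* J1939 uses 29-bit identifiers only */
    if (j1939_source(can_id) != ELD_SOURCE_ADDR)
        return false;           /* ELD may not claim another node's address */
    uint32_t pgn = j1939_pgn(can_id);
    for (size_t i = 0; i < sizeof ELD_TX_ALLOW / sizeof ELD_TX_ALLOW[0]; i++)
        if (ELD_TX_ALLOW[i] == pgn)
            return true;
    return false;               /* default deny */
}

int main(void)
{
    /* Constructed sample identifiers, not captured traffic. */
    const uint32_t ids[] = { 0x18EA00FAu, 0x18FEF1FAu, 0x18EA0000u };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++)
        printf("%08X -> %s\n", (unsigned)ids[i],
               eld_tx_permitted(ids[i], true) ? "forward" : "drop");
    return 0;
}
```

Because the filter is default-deny and checks the source address, re-flashed ELD firmware still cannot put frames on the bus outside the allowlist or under another controller's address.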
The Truck-to-Truck Worm: A Concerning Scenario
Perhaps the most alarming finding in the research is the possibility of a truck-to-truck worm. The researchers uploaded a worm that uses the compromised ELD’s Wi-Fi capabilities to search for other vulnerable devices nearby. It identifies potential targets using default credentials and establishes a connection to drop its malicious code, overwrite existing firmware, and continue spreading to additional devices.
The authors warn that such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications. The ease with which the worm can spread between vehicles makes this a particularly concerning scenario for the trucking industry.
Real-World Attack Simulation Demonstrates Risks
To demonstrate the feasibility of these attacks, the research team conducted a real-world, drive-by attack simulation on an empty airfield. Using a 2014 truck and a Tesla Model Y as the “attacker” vehicle, they successfully connected to the truck’s Wi-Fi, re-flashed the ELD, and sent malicious messages causing the truck to slow down – all while both vehicles were in motion.
The entire process took just 14 seconds, highlighting the speed and ease with which an attacker could compromise a vulnerable ELD. This simulation underscores the real-world risks posed by these vulnerabilities and the need for swift action to address them.
Disclosure and Potential Widespread Impact
Before publishing their findings, the researchers disclosed the vulnerabilities to the ELD manufacturers and the US Cybersecurity and Infrastructure Security Agency (CISA). According to Jake Jepson, one of the graduate students involved in the research, the manufacturer is currently working on a firmware update to address the issues.
However, Jepson also expressed concern that these vulnerabilities may be common and not limited to a single device or instance. The potential for widespread impact across the trucking industry is a serious concern, given the critical role that commercial vehicles play in the US economy and supply chain.
The Need for Improved Security Measures
The findings of this research highlight the urgent need for improved security measures in Electronic Logging Devices used in commercial trucks. As these devices become increasingly common and interconnected, the risks associated with vulnerabilities and potential attacks grow with them.
Manufacturers must prioritize the development and implementation of robust security features, including stronger authentication methods, encrypted communications, and regular security audits. Additionally, the trucking industry as a whole should invest in cybersecurity training for drivers and fleet managers to help them identify and respond to potential threats.
Balancing Safety, Efficiency, and Security
The adoption of ELDs in the trucking industry has been driven by a desire to improve safety and efficiency on the roads. By accurately tracking driving hours and vehicle data, these devices help ensure compliance with regulations and optimize fleet operations.
However, the vulnerabilities uncovered by this research demonstrate that security must also be a top priority. As the industry continues to evolve and embrace new technologies, it is essential to strike a balance between safety, efficiency, and security to protect both drivers and the public at large.
Collaboration Between Industry and Researchers
Addressing the challenges posed by vulnerabilities in Electronic Logging Devices will require close collaboration between the trucking industry, ELD manufacturers, and the cybersecurity research community. By working together, these stakeholders can identify potential risks, develop effective solutions, and establish best practices for secure implementation and use of these devices.
Ongoing research, such as the work conducted by the team at Colorado State University, plays a vital role in uncovering vulnerabilities and driving progress toward more secure systems. The industry must be receptive to these findings and proactive in addressing the issues they highlight.
Regulatory Oversight and Standards
Given the potential for widespread disruption and safety risks associated with vulnerabilities in ELDs, there is a clear need for stronger regulatory oversight and standards. While the federal mandate requires the use of these devices, it does not currently include specific requirements for security testing or controls.
Policymakers and regulatory agencies should work with industry stakeholders and cybersecurity experts to develop and enforce minimum security standards for ELDs. This could include mandatory testing and certification processes, as well as guidelines for secure implementation and ongoing maintenance of these devices.
The Broader Context of Connected Vehicle Security
The vulnerabilities found in Electronic Logging Devices are just one example of the broader challenges facing the rapidly evolving world of connected vehicles. As cars, trucks, and other vehicles become increasingly reliant on digital systems and interconnected networks, the potential for cyber-attacks and disruptions grows.
Securing the future of transportation will require a comprehensive approach that addresses not only ELDs but also the myriad of other technologies and systems that make up the modern vehicle ecosystem. This includes in-vehicle infotainment systems, telematics, autonomous driving features, and more.
Lessons for Other Industries
The challenges and vulnerabilities highlighted by this research on Electronic Logging Devices hold valuable lessons for other industries as well. As the Internet of Things (IoT) continues to expand and more devices become connected, the risks associated with insecure systems and default configurations will only grow.
Industries ranging from healthcare and manufacturing to energy and utilities must prioritize cybersecurity in the design, deployment, and maintenance of their connected devices and systems. By learning from the experiences of the trucking industry and proactively addressing potential vulnerabilities, these sectors can help prevent similar disruptions and safeguard their operations.