FBI Bulletin Puts Spotlight on ELDs and Cybersecurity

A recent bulletin distributed to the trucking industry by the FBI warned that cyber criminals could exploit vulnerabilities in electronic logging devices, which have been mandated for most of the trucking industry since December 2019.

The mandate does not contain cybersecurity requirements for manufacturers or suppliers of ELDs, noted the FBI bulletin, and there is no requirement for third-party validation or testing prior to the ELD self-certification process.

“This poses a risk to businesses, because ELDs create a bridge between previously unconnected systems critical to trucking operations,” the agency said.

“[Neither] FMCSA nor Congress gave any importance to ELD security in the ELD mandate as it relates to unauthorized access or hacking,” said Joel Beal with ELD provider Loadtrek in response to an HDT query. “’Public Keys’ help secure the data being transmitted, keeping drivers from hacking their own ELD files and changing their logs. But as far as unauthorized access – nothing.”

Beal noted that telematics generates lots of data, including a detailed history of vehicle and driver activities.  Fleets can use this to control payroll, billing, fuel costs, maintenance costs and activities, route productivity, and minimize risk.  “We also use telematics for collision reconstruction, route and customer analysis, and testing various aftermarket fuel saving devices.
“If data from an organization where ELD data is used in different parts of the company is accessed by a malicious party, schedules, customers, vendors, shipments, location of assets, and personal information are at risk.”

Hacking ELDs

The FBI reported that industry and academic research into a selection of self-certified ELDs found the sample of devices “did little to nothing to follow cybersecurity best practices and were vulnerable to compromise.” The sample included ELDs that could be purchased off the shelf at superstores and ELDs supplied by well-known companies.

Researchers demonstrated the potential for malicious activity to remotely compromise the ELDs and send instructions to vehicle components to cause the vehicle to behave in unexpected and unwanted ways, according to the FBI.

“Although the ELDs are only intended to allow the logging of data from the engine, in practice some self-certified ELDs allow commands to be sent to the truck engine via their connection to the ECM. Commands passed into the vehicle network through an ELD could affect functions such as vehicle controls and the accuracy of the console display.”

ELDs with more advanced telematics functions and a connection to functions such as shipment tracking or dispatching can allow a cyber actor who gains access to an insecure ELD to move laterally into the larger company business network. There, cyber criminals could steal data such as personal information, business and financial records, location history and vehicle tracking, or other proprietary data such as lists of customers and cargo.

That access also could allow cyber criminals to install malware such as ransomware, preventing the ELD, the vehicle, or connected telematics services such as dispatching or shipment tracking from operating until the ransom is paid.

Cybersecurity Best Practices for ELDs

The bulletin identifies some best practices to help mitigate the risk.

In May, the Federal Motor Carrier Safety Administration released a set of cybersecurity best practices for ELD solutions in “Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems” [FMCSA-RRT-19-013].

The best practices provide guidance regarding considerations for trucking companies when acquiring new devices and what suppliers can expect from customer acceptance testing of these requirements.

Some of the questions fleets should ask their ELD suppliers include:

• Has the component had penetration tests performed on it?
• Is the communication between the engine and the ELD enforced?
• Does the device have secure boot?
• Does the device ship with debug mode enabled? (This could be a vulnerability)

At ERoad, for instance, the company had PIT Group independently test and verify its ELD solution for meeting FMCSA’s self-certification requirements, and it has obtained an independent Secretary of State audit and annual independent security audits.

“Our in-cab devices are hard-wired to the ECM so that the vehicle data cannot be exposed through wireless networks,” explained Marketing Director Keith Halasy in an email response to our questions about the FBI notice. “The ECM connection is in listen and read-only modes that does not write any code on the ECM. The hardware communicates to the backend platform through a secure APN (private network) that is isolated from internet networks which may be subject to interference.”

Samsara advises fleets “to make sure their provider has received third-party validation (e.g., SOC2) and follows best practices when it comes to cybersecurity (e.g., data encryption and regular penetration testing by independent experts) -- all of which we do.”

Similarly, Geotab last year announced that its plug-in, connected telematics device received validation under a federal cryptography standard that requires it to meet four levels of security to protect the transfer of data from the vehicle module. Geotab also uses third-party penetration testers and services from accredited cybersecurity laboratories to identify vulnerabilities, according to the company.

Once ELDs are deployed, the FMCSA best practices document recommends:

• Security patches should always be deployed to fleet devices in timely manner. As part of the patch management process, fleets should have a process in place for tracking vulnerabilities identified by their ELD suppliers
• Sharing cybersecurity information and collaborating with other industry members is highly useful for responding to threats efficiently.Fleets should consider joining an industry-
• specific information-sharing and analysis organization, such as the Auto
• Information Sharing and Analysis Center, the American Trucking Associations
• Technology & Maintenance Council Fleet CyWatch Program, or the National Motor
• Freight Traffic Association.
• Have a documented process for responding to incidents, vulnerabilities, and exploits.

The FBI also noted that “Insecure devices, even if not specifically targeted by cyber criminals, can experience issues in stability or performance resulting from interference or opportunistic infection.”

ELD cybsersecurity is not a new concern. In 2017, when the mandate first went into effect, we reported that ELD suppliers said the biggest concern might not be actually hacking into and taking control of the vehicle, but the vulnerability of data being transferred between the device in the cab, the back office, and the FMCSA’s cloud system for transferring the data to roadside officials.

Loadtrek’s Beal called the FBI notice “a good start. By engaging the FBI's cybercrimes division, we give the issue some heft and importance that will force trucking technology providers to pay attention. Today – some do and some don't.”