ELDs are an easy gateway for hackers to get into a fleet's IT network and do major damage, warns Serjon's Urban Jonson.  -  HDT Graphic/Serjon headshot


Did you know your fleet’s electronic logging devices may be vulnerable to hackers?

It’s true. Serjon, a cybersecurity firm specializing in fleet transportation security, held a press conference during the Technology & Maintenance Council annual meeting in New Orleans in early March. Urban Jonson, senior vice president, information technology and cybersecurity services for Serjon, briefed media on the threats facing fleets with compromised ELDs.

ELDs are essentially communication devices used to record and report truck driver hours of service. Due to certain technical requirements of the regulations, ELDs require the ability to “write” messages to the truck’s network to obtain information, such as engine hours. The ELD also requires internet access to report the HOS information.

This creates a truck network-to-internet communication bridge that introduces significant cybersecurity concerns.

We sat down with Jonson to learn more about this new cybersecurity threat to North American fleets and what they can do to protect themselves. (This interview has been lightly edited for clarity.)

HDT: Many fleets aren’t aware that ELDs can be hacked. Talk a little about how hackers can gain access to an ELD.

Jonson: Different ELD vendors use different designs to deliver the functionality required by the ELD mandate. A common design is a hardware device that connects to the vehicle's on-board diagnostics (OBD) port and then uses a Bluetooth or Wi-Fi connection to a cellular device, such as a tablet or cellphone, to collect the ELD information and report it.

That ELD information can be attacked by hackers locally (close to the truck) or remotely across the internet.

In a recent paper presented at VehicleSec’24, the researchers were able to compromise an ELD device locally by simply connecting to the ELD Wi-Fi connection point, which had a predictable SSID [network name] and a weak default password. This allowed the researchers to send arbitrary CAN messages to the vehicle and even modify the firmware of the ELD itself.

There have also been reports of remote compromise of these types of vehicle OBD-connected devices going back to 2015, when a researcher could compromise Progressive Insurance OBD devices over the internet because the devices' cellular modems were discoverable and openly accessible on the internet and had a weak default password.

HDT: What are these hackers looking for?

Jonson: The most likely ELD attack scenarios do not involve obtaining sensitive information from the ELD or the trucking company, but rather disabling or impacting the vehicle’s ability to function.

If an attacker can write arbitrary controller area network (CAN) messages to the vehicle's CAN bus network, they can impact the vehicle's functionality in many different ways. For example, if you can write messages to the CAN bus, you can send bogus sensor messages that would make the vehicle derate and go into limp mode, effectively disabling the vehicle.

The threat actor’s motivation could be money, in which case they could hold the company’s vehicles for ransom — not unlike what we have seen with traditional backend systems in the trucking industry.

It could also be a nation-state threat actor whose motivation is to negatively impact the U.S. transportation systems at a time of their choosing. If you disable enough trucks in tunnels or on bridges, interstates, and shipping ports and facilities, it would effectively snarl the entire transportation ecosystem.

In either case, the threat actors would be looking to compromise vehicle function “at scale,” which would require a systematic attack against an entire company or across multiple companies by attacking an ELD provider’s back-end infrastructure.

HDT: Can hacking into an ELD lead to more widespread hacking issues? Can hackers gain access to other IT systems in a fleet?

Jonson: Getting access to a single ELD can compromise other systems, but usually at the ELD provider level and not the fleet itself. Most telematics system providers connect the ELD device to their backend system(s) for data collection, and then they integrate with the fleets through portals or direct system integrations.

HDT: Can hackers gain access to employees’ personal information?

Jonson: If the threat actor's motives involve getting employee or customer data, they will attack the backend systems of the fleet rather than trying to get at the ELD devices.

Attacking regular backend systems requires much less effort and expertise. Estes Express was hit with ransomware in October 2023 and lost personally identifiable information due to the breach. This was done by compromising their backend systems and not via their operational technology, such as ELD or TSP devices.

Ransomware attacks against the backend systems of fleets are still the biggest threat to fleets and not attacks against the vehicles themselves. But that is just a matter of time and will happen eventually.

HDT: What is a worst-case scenario for a fleet whose vehicles have been hacked via ELDs?

Jonson: The worst-case economic scenario is that fleets cannot use their vehicles to conduct business. Uptime in transportation is a major concern.

As our vehicles become more connected and more automated, with technologies such as lane-keeping assist and automatic emergency braking, the stakes for safety-critical applications increase dramatically.

A compromised ELD device on such an advanced vehicle with the ability to send arbitrary CAN messages could result in tragic consequences, including the potential loss of life.

HDT: What are some telltale early signs that a system has been hacked?

Jonson: There are few real-world public examples of threat actors attacking fleets, so it is hard to say what the early indicators would look like.

A compromised device could result in unexpected and unrelated diagnostic trouble codes (DTCs) being reported. Or there could be no symptoms at all until the vehicle cannot function and the owner receives a ransomware demand.

Trying to determine the difference between a cyberattack and diagnosing and troubleshooting normal vehicle issues is very hard to do.

HDT: What should drivers do if they suspect an ELD has been hacked?

Jonson: If a vehicle driver suspects that their ELD device or vehicle has been hacked due to erratic vehicle performance or activity, they should immediately contact their fleet maintenance professionals for further guidance. Safety should always be the first priority.

HDT: How can fleets fight back against ELD hackers?

Jonson: First and foremost, evaluate the cybersecurity posture of the ELD devices in your fleet.

Not all devices are created equal. Make sure you ask your provider for information about their cybersecurity practices.

For additional information on criteria to use to evaluate a TSP/ELD provider, you can consult Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems into Heavy Vehicles by the Federal Motor Carrier Safety Administration and Cybersecurity Requirements for Telematics Systems by National Motor Freight Traffic Association.

All technologies and systems have the potential to fail, either due to outside influence, such as hackers, or on their own. I know of instances where fleets have lost access to their TSP/ELD systems due to cloud computing outages that were the result of provider misconfigurations. It was nothing malicious per se, but it still caused a major failure.

The best way to combat ransomware and ELD hackers is to make your business systems and vehicles as resilient as possible. Analyze your business and vehicles, identify critical systems that need to be protected, do your best to protect them, and develop contingency plans for what to do if those systems fail. I know of a motor freight carrier that got hit with backend ransomware but could continue operations due to a good backup plan.

HDT: How can Serjon help?

Jonson: Serjon offers professional services and training to the transportation industry, including strategy, planning, cybersecurity assessments, and cybersecurity training to help fleets defend their companies and vehicles.

Serjon recently released a new eLearning cybersecurity training and certification program. The training provides practical advice and case studies on becoming an incident-response-capable organization and responding to cybersecurity events to become more resilient. The training comes with downloadable templates/tools to enable stakeholders to secure and defend their information technology systems, equipment, vehicles, and company.

Updated 3/25 to correct the spelling of Urban Jonson's last name.

About the author
Jack Roberts

Executive Editor

Jack Roberts is known for reporting on advanced technology, such as intelligent drivetrains and autonomous vehicles. A commercial driver’s license holder, he also does test drives of new equipment and covers topics such as maintenance, fuel economy, vocational and medium-duty trucks and tires.
