Ever since the Federal Motor Carrier Safety Administration opened up its self-certification registration system for mandatory electronic logging devices, there have been a number of new-entrant companies offering ELDs – but how confident can you be that those devices are safe from hacking or data breaches?
IOActive, a global security advisory firm, earlier this year conducted vulnerability assessment research using several ELDs that were available over the counter at big-box distributors. “What we found could allow an attacker to pivot through the device and into the vehicle, where the consequences could be disastrous,” the company said.
The National Motor Freight Traffic Association, an organization of primarily less-than-truckload carriers, issued a bulletin expressing its concern about the results.
“As far as NMFTA has been able to ascertain, the current ELD rule, as written and implemented, requires both two-way CAN bus connectivity and internet connectivity. This creates some genuine concern regarding the cyber security posture of the ELD devices themselves as they create a bridge between the internet and the CAN bus network of the vehicle. If the ELD devices could be exploited to send malicious traffic to the vehicle CAN bus, it could have serious consequences to the safe operation of the vehicle.”
IOActive’s general conclusion was that all the tested devices did little, if anything, to follow cybersecurity best practices and were open to compromise, with shortcomings such as devices being shipped with debug-enabled firmware easily accessible for analysis, and a lack of encryption.
“IOActive’s findings presented at Blackhat USA 2017 and DEF CON 25 echo our concerns,” said Sharon Reynolds, chief information security officer at Omnitracs.
She explained that FMCSA does have some security standards. “FMCSA regulations outline security controls like encryption at rest, encryption in transport, and any time you try to send it somewhere.”
What are the FMCSA standards?
NMFTA reported in the bulletin to members that in the FMCSA ELD Test Plan and Procedures document, it could not find many details about what ELD providers must do to ensure cybersecurity. “NMFTA has been unable to find any recommendations or guidance for cyber security for the actual ELD devices in this document with the exception of sections 18.104.22.168 and 22.214.171.124, which refer to encryption when communicating with FMCSA servers or sending data via email. No specific requirements for device cyber security were discovered during our investigation.”
Indeed, security does not appear to be included in FMCSA’s published Frequently Asked Questions.
When asked to comment on the NMFTA’s bulletin, an FMCSA spokesman directed us to page 78329 of the Federal Register December 2015 publication of the final rule on security.
That section noted that the proposed rule had "proposed incorporating by reference several industry standards for privacy and encryption, including NIST standards." Responding to comments on the proposal regarding security, FMCSA said the agency “follows all DOT security guidelines, which includes NIST standards for access to any FMCSA system or network,” and that it “believes that the security standards of ELDs have appropriately balanced industry standards, privacy, the need for accurate HOS monitoring, and the cost of security measures.”
FMCSA did note in the rule that “it has only established minimally compliant standards in this rule, and there could be a market for more security features on an ELD. ELD providers are not prohibited from using additional security measures, so long as the data can still be transferred to authorized safety officials as required by the … rule.”
In addition, FMCSA said, “Security on mobile devices is well understood. Banks, governments, and retailers all provide apps which require security. There is no reason to believe that consumer mobile devices cannot be an adequate platform for ELDs. FMCSA believes the specifications and privacy standards and protocols are sufficient to respond to reasonable concerns about hackers.”
The cybersecurity question is right in line with previously expressed concerns about the self-certification process for ELDs and the need for carriers to do their homework, said consultant Avery Vise.
Now doing research for FTR, at the time we spoke Vise was president of TransComply, which helps primarily small trucking operations with safety and compliance programs and with business best practices.
"Malicious hacks of ELDs to affect vehicle operations certainly seem feasible and could be disastrous, but they also seem very unlikely," he said.
"We have previously advised carriers to seek clauses in their ELD vendor agreements to provide for carrier compensation in the event an ELD's registration is revoked. Based on this credible evidence of a cybersecurity risk, carriers also should try to add language covering that potential as well. However, even if the carrier cannot secure such language, it is possible that general product liability law would allow it to recover damages in the event of a cybersecurity breach that a vendor could have reasonably anticipated and guarded against."
Avoiding a breach
We asked a number of ELD providers for their thoughts on the issue, and most noted that the more problematic concern might not be actually hacking into and taking control of the vehicle, but the vulnerability of data being transferred between the device in the cab, the back office, and the FMCSA’s cloud system for transferring the data to roadside officials.
Hacking into ELDs and taking control of the truck “is going to be pretty hard to do, virtually impossible, as most ELDs are provisioned only to store that data,” explained Daren Lauda, Teletrac Navman's vice president and general manager. “Our system is designed to read data through the CAN bus, we’re not building the ability to write to the vehicle from our application. I think that’s the way most ELDs are being written. But a lot of the concern is, how does the data get to its resting point where it’s going to live? How is it presented through a browser to the people who are going to consume it?”
Joel Beal of LoadTrek has been involved in the telematics business all the way back to the days of Rockwell Tripmaster systems, and notes that telematics devices have been “connected to the ‘back office’ via WiFi, terrestrial or satellite data networks since 1997. This "public" connection has led to concerns about security from day one. [But] other than destroying data there is little to fear. Most telematics devices do not/cannot control the truck's ECM or other computers.”
“Most of these same telematics devices… transmit compressed, encrypted, and sometimes binary data,” he said. “And if you can hack your way through these three levels, the underlying data is of dubious value.”
Of more concern, Beal said, are bring-your-own-device systems (although it should be noted that LoadTrek does not offer BYOD solutions). These allow you to connect your smartphone or tablet, often via Bluetooth, to an "installed" or plugged-in telematics device. However, he said, “all information on a phone or tablet is available to law enforcement or a hacker. Emails, text messages, pictures, credit cards and bank accounts, social media – it's all there. Have a TMS or load board on your personal device, [and] you also have shippers, consignees, loads, rates, financial information.”
A lot of systems are capturing the CDL number and the person’s name, Lauda noted, “so now that’s in your system – you’re tracking personally identifiable information so you’ve got to be careful how you’re managing that data.”
Lauda said Teletrac Navman has a dedicated SIM and dedicated APN so its information never communicates over the public internet. “Our residing place is Amazon Web Services, so we’re taking great care to make sure we protect that information. I don’t know that everybody is. I think the weak point is going from the ELD to everywhere else.”
Brad Taylor, vice president of data and Internet of Things at Omnitracs, likened the threat to recent data breaches at companies such as Equifax. “There are human beings involved and a lot of touchpoints, and we want to make sure … not only are we helping them use that data, but we’re also protecting that data.”
Omnitracs, he said, encrypts the data. “If someone went to one of our servers they wouldn’t find data in the raw. That’s an important part of security.” Another layer of security, he said, is anonymizing driver data. In cases where “the individual identity of the driver is not important, we won’t retain it.”
“Cybersecurity is critical across all areas of a carrier’s operation, so we understand that when adding new technology with ELDs, carriers want to ensure the same or more security,” said Jason Hearld, J.J. Keller vice president of technology solutions. The ELD solutions offered by Keller, he explained, use a combination of proprietary and patented designs to ensure security, including a proprietary Bluetooth protocol. “Our ELD device does not allow WiFi, nor does it connect to cell networks, eliminating those two risk areas.”
PeopleNet said encryption and data obfuscation are two of the most effective ways the company is implementing cybersecurity measures. “These two measures ensure data is transmitted in a binary format and sent separately from the encryption keys, so there is no way to decipher what the data shows even if it isn’t encrypted,” according to the company. “PeopleNet’s multiple layers of security eliminate the risk of hacking, providing peace of mind that electronic logs, the truck engine, brakes, etc., cannot be accessed remotely through PeopleNet’s in-cab devices or system.”
Eric Witty, PeopleNet vice president of product management, said one challenge for legacy providers or fleets that have been using in-cab computers for years is older generations of hardware in the truck.
“It’s hard to have hardware running in a truck for six to 10 years and have it be capable of possibly understanding and being able to [hold off] the most recent types of attacks,” he explained. “The latest PeopleNet Connected Gateway is the next in our line of onboard computers that are connecting to the vehicle. And that piece of hardware, not only does it have software that’s conscious of how it’s communicating to the truck and wirelessly, but it also contains a crypto chip in the hardware itself for adding another layer of security.”
“We anticipated the fact that [the] number of devices being out there may draw attention to the vehicles and more of a possibility of an attack. So we’ve taken not only steps on the software side but also the hardware side.”
Like others, Lauda views this as a potential issue more with new entrants than with established major vendors in the trucking space. He compared it to finding a vendor of cloud-computing services. “If you look at major vendors in the cloud space, like amazon.com, you can enter into it with a degree of trust to begin with. But if you were entering into a startup like Joe’s Cloud Service, I think any responsible IT person would do a ton of research.”
“I think you can assume a higher level of security and structure from established entrants. Whenever you’re buying a cloud-based service I think it’s important to take security very seriously.”
In fact, NMFTA in its bulletin made it clear that its concern was with entry-level device manufacturers, “whose solutions at times are to simply connect a consumer cell phone directly to the J1939 diagnostic port or to use a very basic hardware solution with built-in cellular capabilities.”
NMFTA strongly recommended that members talk to the manufacturer/supplier of their chosen ELD device and ask about cybersecurity, including the technical standards or best practices followed (if any), as well as whether adversarial testing or third-party security evaluations were performed as part of their product development lifecycle.
Witty, for instance, said PeopleNet “is actively involved in some of the security groups to help guide us and get our stuff tested, so we’re always keeping up with where our weaknesses might be. We will continue to invest in that area to make sure we’re not exposing anybody there.”
Annette Sandberg, former FMCSA administrator who now does safety and compliance consulting as TransSafe (including third-party ELD verification), said that while she does not have a background in cyber security, “I have seen devices that are registered on the FMCSA website that have taken shortcuts to certify their devices. This is truly a 'buyer beware' market, and I highly encourage any company purchasing ELDs to carefully research the company they are purchasing from. This research should not only include the NMFTA recommendations but go further to understand how compliant the ELD is with FMCSA’s mandate, how well financed the company is, do they stand behind their product if there are issues, and what would be the financial recovery for the motor carrier if the device is corrupted or fails.”
Omnitracs’ Reynolds noted, “We’ve been stewards of this data for a very long time. I think the real concern is about startups, new entries into the market. Are they spending enough [on security]? Are they concerned about security, are they going that extra step? And for a fleet, how can you be sure?” Because of the flurry of new entrants, she says, carriers need to look for companies with experience, the financial wherewithal to invest in security, that carry appropriate cyber insurance, have the staff to enforce security, “and have a board of directors or executive leadership staff that is motivated and has a will to make security important,” and the funding and staffing to make it happen.