The FBI has warned interstate truckers that the electronic logging devices (ELDs) required to be installed on their trucks to record adherence to hours-of-service rules make them vulnerable to hackers who could use them to access corporate financial data.
The bureau’s notice points out that the ELD mandate does not contain cybersecurity requirements for manufacturers or suppliers of the devices, and there is no government requirement for third-party validation or testing prior to the ELD self-certification process.
“Industry and academic research into a selection of self-certified ELDs found the sample of devices did little to nothing to follow cybersecurity best practices and were vulnerable to compromise,” the FBI observes. “Researchers demonstrated the potential for malicious activity to remotely compromise the ELDs and send instructions to vehicle components to cause the vehicle to behave in unexpected and unwanted ways.”
Perhaps the scariest aspect of this threat is the prospect of bad actors gaining access to a company’s financial information by using the ELD as a conduit, the bureau explains. Although there have not yet been any reports of cyber attacks via ELDs, they have happened before with other devices.
Several years ago, it was discovered that handheld barcode readers made in China and used in American warehouses were infecting companies’ computer systems with a worm that would search patiently for a system backdoor to eventually enter accounting programs and convey the data back to Chinese army observers.
“ELDs with more advanced telematics functions and a connection to functions such as shipment tracking or dispatching can allow a cyber actor who gains access to an insecure ELD to move laterally into the larger company business network,” the FBI says.
“Cyber criminals interested in stealing data such as personal information, business and financial records, location history and vehicle tracking, or other proprietary data such as lists of customers and cargo can use vulnerabilities in ELDs as a way in to access trucking companies’ enterprise networks and databases.”
With that sort of access, financially motivated cyber criminals would also be positioned to install malware such as ransomware, preventing the ELD, the vehicle or connected telematics services such as dispatching or shipment tracking from operating until the ransom is paid by the fleet owner.
Although the ELDs are only intended to allow the logging of data from the engine, in practice some self-certified ELDs allow commands to be sent to the truck engine via their connection to the electronic control module (ECM).
As a result, the commands passed into the vehicle network through an ELD could affect functions such as vehicle controls and the accuracy of the console display, according to the FBI.
Potential indicators that this is occurring include an increase in nonreproducible equipment performance or maintenance issues, an increase in traffic on the vehicle’s internal network, or networking logs for the ELD showing unexpected incoming remote connections.
“The limited indicators and warning signs for this type of activity increase the importance of selecting a secure device with settings that restrict traffic during normal operations,” the bureau stresses.
Signs of Malicious Activity
The FBI says potential indicators for this kind of malicious activity include unusual traffic or unusual file sharing on the network. It suggests that this could be detected by establishing a network baseline and monitoring network loads and traffic, as well as restricting user and device access privileges for employees to only what is needed for their job.
Unfortunately, this particular kind of vulnerability has been known since before the requirements were drafted, but little apparently has been done about it except for published best practice recommendations. Before the Federal Motor Carrier Safety Administration (FMCSA) began enforcing an ELD mandate for commercial motor vehicles in December 2017, some truckers unsuccessfully sought a two-year delay from Congress to address this threat and deal with other potential technical deficiencies.
In September 2017, a coalition of 31 organizations led by the Owner-Operator Independent Drivers Association (OOIDA) also reported that there were “significant technological and real-world concerns” that hadn’t been addressed by FMCSA.
In Canada, federal regulations requiring ELDs are now in the process of being phased in, with a hard deadline for truckers to have the devices installed by June 12, 2021.
However, because the ELD mandate in the United States doesn’t contain any cybersecurity or quality assurance standards for ELD suppliers, no third-party validation or testing is required, and device vendors are allowed to self-certify their ELDs.
Canada has said that after their ELD mandate goes into effect, U.S. truckers can only enter Canada if their ELDs have been subject to third-party certification as well. The new devices also will need to meet the Technical Standard for Electronic Logging Devices developed by the Canadian Council of Motor Transport Administrators (CCMTA).
Because of the current lack of third-party certification in the U.S., the FBI warns that businesses choosing an ELD to use on their networks must conduct due diligence themselves to mitigate their cyber risk and potential costs in the event of a cyber incident.
ELDs are required to connect to a vehicle’s ECM in order to track date, time, location information, engine hours, vehicle miles, user identification data, vehicle identification data, and motor carrier identification data. ELDs must also permit wireless connectivity.
ELDs create a bridge between critical vehicle components and wireless data transmission, such that the vehicle components themselves can be accessed remotely through Wi-Fi or Bluetooth. The most common implementations of ELDs use built-in cellular modules, but satellite, Bluetooth or cabled tethering to cellular enabled smartphones and tablets are also options, the FBI notes.
Further Mitigating Risk
Before deploying an ELD, the FBI recommends truck owners contact the manufacturer or supplier of the ELD and ask about its cybersecurity. “When contacting suppliers, seek specific and detailed information regarding the security of the entire ELD solution,” it recommends. “Because ELDs can include a combination of in-vehicle, communications link, user interface and cloud back-end systems, the supplier should be asked for details that address the cybersecurity of all functions and components.”
In May, FMCSA released a set of cybersecurity best practices for ELD solutions titled “Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems” [FMCSA-RRT-19-013]. It offers guidance about considerations that truck owners should keep in mind when they acquire new devices and explains what suppliers can expect from customer acceptance testing.
The FMCSA recommendations cite a 2018 report by the National Motor Freight Traffic Association (NMFTA), which was updated earlier this year. The document includes a rating for cybersecurity considerations, ranking them as low, medium, or high criticality.
NMFTA recommends that solutions failing to satisfy high-criticality requirements should be avoided, but solutions failing to satisfy medium-criticality requirements may still be considered for purchase with justification by the supplier, and low-criticality requirements may still be considered even without justification by the supplier.
The report, “NMFTA Cybersecurity Requirements for Telematics Systems,” cites these examples of what to look for:
• Is the communication between the engine and the ELD enforced? A high-criticality requirement, and the report recommends that any ELD to be purchased must satisfy this requirement.
• Were technical standards or best practices followed in the device’s development? A medium-criticality requirement, and solutions not satisfying this can still be acceptable for purchase with supplier justification.
• Does the component protect confidentiality and integrity of communications? This applies to each component of an ELD solution.
• Has the component had penetration tests performed on it? This also applies to each component or possibly the system as a whole. However, asking the question for each component makes supplier responses clear, NMFTA says.
• Does the device have secure boot? This applies to any device that could be in attacker hands. In some ELD solutions, this will apply to all of the vehicle-connected devices, such as a modem and a smartphone, as indicated in the report.
• Does the device ship with debug mode enabled? This should be similar for all devices, which may be one, two, or three devices for the solution, as indicated in the report. Insecure devices, even if not specifically targeted by cyber criminals, can experience issues in stability or performance resulting from interference or opportunistic infection.
“An active approach to vetting ELD options before implementation is a small up-front investment of time that mitigates the risk of costly or disruptive cyber incidents in the long run,” the FBI tells truckers.
The FBI encourages reports of suspicious or criminal activity to local FBI field offices or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at [email protected].