According to attendees at the 2018 Geotab Connect conference in Canada, lower-cost electronic logging devices (ELD) may pose a cybersecurity risk to the motor carriers who use them. Small- to medium-sized companies may be putting themselves at unnecessary risk if they don’t do their homework before deciding on an ELD solution.
So, what’s the problem?
Technological Achille’s Heel
Consider that ELDs are an electronic device like anything else. They also need to transmit information over the air to systems back at fleet headquarters. The process is called a handshake. During the handover, the ELD transmits an encrypted key that acts as an additional security measure. Much as a password, this key confirms the validity of the devices transferring information before it is transmitted.
Yet, this security key could also be a major vulnerability. How? The University of Tulsa did a study showing that shorter keys and keys that don’t change are more susceptible to hacking. Dynamic keys that change after each use were less likely to be hacked.
Whether it was 8- or 16-bit encryption, the student researchers were able to break into the ELD devices in question using a program that was able to discover the encryption key fairly easily and in a short amount of time. Of course, University officials will not reveal what devices could be breached or what OEMs had problems.
Fortunately, there were solutions. The team proposed that ELD manufacturers focus on creating dynamic keys using 96- or 256-bit encryption. It is up to motor carriers to ensure that the ELD provider they partner with can answer basic security questions. If a provider is unable to give information regarding the security of their devices, it may be time to look somewhere else.
For fleets that are already stuck with the shorter key varieties, there are solutions. Manufacturers also provide devices called hardware breaks, which allows for full ELD functionality even as it blocks intruders. In cases where there is a suspected intrusion, they can lock down the device.
Too Many Cooks in the Kitchen?
Ever since the FMCSA opened up the self-certification registration system for ELDs, new companies have come onto the system. But how secure are these companies’ devices? It wasn’t just the University of Tulsa doing studies. The global security advisory firm IOActive also set up a test. Their research was designed to assess vulnerabilities in ELDs.
Their findings were shocking. The security firm discovered that many big-box ELDs were susceptible to penetration that would allow an attacker to access the vehicle through the device, which is potentially disastrous for many reasons.
As a result, the National Motor Freight Traffic Association issued a bulletin expressing its concern about IOActive’s findings. They specifically pointed out the two-way CAN vulnerability. If a vehicle’s CAN bus can be hijacked to send malicious information to the vehicle itself, there could be a major safety and security risk.
Still, some point out the FMCSA regulations do outline specifications where encryption at rest or in transportation are concerned. Let’s take a deeper look at what the FMCSA does outline.
There is not much detail regarding what ELD manufacturers must do in order to ensure the security of their devices within the FMCSA’s ELD Test Plan and Procedures guidance. There is also no mention of device security within the FMCSA’s recently published Frequently Asked Questions section.
The concerns arise from previously expressed industry reservations regarding the self-certification process ELD providers must go through. Motor carriers must do their homework to ensure the certification is valid.
An important measure is for fleets to ask for clauses within their ELD provider contracts that provides the motor carrier with compensation if the ELD provider has their registration yanked. They must also demand their partner includes language covering cybersecurity risk. In situations where the language cannot be inserted, general product liability should cover any damages that result from a cybersecurity breach.
How to Avoid a Cybersecurity Breach
Another thing fleets and ELD providers must keep in mind is not just malicious attacks taking over the vehicle, but also compromised data being transmitted between the device, back office, and cloud system attached to the FMCSA.
In fact, ELD providers say that hacking into the truck should not be the largest concern. Many ELD providers do not allow anything to be written to the truck through the application. They point out the real problem arises when the data is transferred to the server. How it gets through the application and browser is critical to ensuring the security and integrity of the data.
What many don’t realize is that the telematics industry has been connected to the back office through WiFi and satellite connections for over 20 years. The new concern is in the “public” connection. Yet, how valuable is this data? Generally, ELD data is sent as compressed, encrypted, or binary data. Representing a proprietary string of information, how much value could potential hackers get out of the information?
Bring-your-own-device solutions present their own problems. These devices allow truck drivers to connect smartphones or tablets to “plugged-in” telematics and ELD devices. If a smartphone or a tablet can be hacked, information vital to fleet operations could be compromised. A lot of systems capture and hold CDL numbers, truck driver names, identification information, and so much more.
To avoid potential breaches, fleets should utilize a provider that offers a dedicated SIM and APN. This way, the information contained within the device is never sent over the public internet. Many companies using the public cloud have taken great pains to ensure the data contained within the cloud is protected.
There are also still a lot of human beings making decisions and specific touchpoints. In many cases, breaches occur as a result of a decision made by a human user, rather than one made within the machine. Is data being anonymized to prevent potential theft? If there is no reason to store data related to the truck driver, why store it?
Using 96- or 256-but encryption – combined with data obfuscation – can be the most effective methods of combating potential hacks or other cybersecurity breaches. Only through thorough analysis of all internal processes can you ensure your vital information is safe. What are the technical standards and best practices? Does getting involved with security groups make a difference?
The True Story About Truck Hacking
The question on every motor carrier’s mind is a simple one: Can a tractor be hacked? We’ve discussed it a bit so far in this latest blog posts, but many ELD providers caution against automatically assuming heavy-duty commercial motor vehicles can be hacked.
Industry insiders and truckers voice their concern about the J1939 common communication architecture. While it is an efficient standard, it could open vehicles up to hacking by malicious actors. The American Trucking Association (ATA) has put together a task force to look at the issue.
The problem arises when truck makers buy systems and components from many different manufacturers. Standards must be applied across the supply chain spectrum to ensure devices are secure. Fleets need to talk to their truck drivers to ensure they are not adding their own electronic devices, which could further complicate security.
There has been some speculation that diagnostic tools and systems installed by truck drivers can be used to initiate a virus-like attack against a truck. Yet, without write privileges, there is only so much a hacker can do.
The Bad Actors
The only motivation to hack heavy-duty commercial motor vehicles would be to cause overall chaos on the nation’s roadway. Otherwise, a criminal can gain little from taking over control of a tractor-trailer.
Even if a thief has designs of navigating the vehicle to a compromising area, he/she has to get the vehicle there without the truck driver or home office dispatch alerting authorities. Sure, there are organized crime rings that are good at putting together large-scale heists, manually piloting a vehicle to a desired location with a truck driver still inside is not an easy proposition.
Yet, there are still concerns with potential terrorist actors creating chaos. If savvy criminals are able to harness digital tools that allow them to break into vehicles, what would stop them from hacking into vehicles taking needed supplies to Washington D.C.? There are potential national security implications at stake.
The fact is, trucking companies and industry players must do everything they can to ensure their digital domain remains secured. With reputations at stake, due diligence is more important than ever.