Sunday, July 26, 2020

Electronic Logging Devices: An Interesting Cybercriminal Target

TLDR: Unchecked cybersecurity requirements leave the commercial motor vehicle industry vulnerable to attack

Photo: Pexels.com
Greg Grisolano, a writer for Land Line, wrote a post about electronic logging devices (ELDs) and an FBI bulletin regarding their security. If you are like me and do not know what an ELD is, here is a quick background. An ELD is a device that records engine activity in a vehicle. The U.S. Department of Transportation, through the Federal Motor Carrier Safety Administration, mandates that commercial motor vehicle drivers who are required to log hours must use an ELD. Essentially, it is an electronic log of a driver's on-duty and off-duty record. Simple enough, right? So, what concern does the FBI have with security?

ELDs allow connectivity via cellular, Bluetooth, and satellite communications, depending on the model being used. These devices connect to the electronic control module (ECM) of the vehicle to track things like vehicle identification, hours on the road, miles driven, and the vehicle's location. If you have ever taken your car to the dealership for a diagnostic evaluation or, perhaps, used a system like Verizon's HUM, then your vehicle's ECM has most likely been accessed at some point.

According to the FBI, many of these ELDs have gone through a self-certification process, not an industry-standard certification. This means the manufacturer of the device has given its own devices a clean bill of health. What the FBI has discovered is that most of these self-certified devices do not follow any cybersecurity standards to prevent attacks or mitigate vulnerabilities. This leaves these devices open to the threat of a cyberattack. So, why would a cybercriminal want to attack an ELD on a truck hauling goods from Walmart's distribution center in Bethlehem, PA, to a store in, say, Omaha, NE?

An ELD (Photo: PeopleNet)
Some of the ELDs the FBI tested offered more capabilities than their intended use requires. The intention is simply to log information. However, some of the self-certified devices actually allow the device to send commands to the vehicle's engine. Thinking like a malicious actor, how amazing would it be to have your name on the marquee on the dark web when you bring the trucking community to a screeching halt by shutting down all vehicles utilizing a compromised device? It may sound far-fetched, but it is a real possibility.

The biggest concern, however, is the connectivity to the outside world. From a cybersecurity standpoint, this is a huge vulnerability. An attacker could, in theory, target a vehicle through the cellular, Bluetooth, or satellite communication channel on the ELD. Once inside the vehicle's system, the attacker could then work to gain access to additional networks or systems. These could include enterprise-wide systems such as vehicle tracking; customer databases; personal information for drivers, employees, and customers; or even financial data. In the eyes of the FBI, the door is wide open for a large-scale event. So, how did ELDs become so vulnerable in the first place?


When the DOT and FMCSA mandated the use of these devices, they did nothing to require standards with regard to cybersecurity or quality assurance. Thus, there was no baseline for vendors to follow in order to certify their devices. Rather, vendors simply made sure the devices met a performance standard, logging all of the required information, and then sold them to commercial motor vehicle organizations to implement. This opens many proverbial doors for would-be attackers.


The FBI alert is a warning to those who use these devices. It urges users to reach out to their vendors to see what is being done to enhance the security of the ELDs. Interestingly, the DOT released cybersecurity best practices for these devices in May 2020, but they appear to be just guidelines for the manufacturers to follow. It does not appear that there is any requirement for them to do so.


It is interesting, in our ever-connected world, how many doors we leave open to intruders. We are adding so many devices to our "Internet of Things" each day and, in doing so, only increase the attack surface on society. From a cybersecurity standpoint, we need to do better at enforcing strict requirements and testing to seek out vulnerabilities, fix them, and shut the door on would-be criminals. Our desire to have information at our fingertips, at a moment's notice, in an automated fashion continues to drive our need to ensure such data and information is secured, not just when called out by the FBI but from the very beginning.



Tuesday, July 21, 2020

Controls and Benchmarks: Necessary Evils

TLDR: Controls and benchmarks, while appearing to be cumbersome to some, are necessary evils in today's IT environment.

Figure 1 - CIS Controls
Benchmark, as it relates to computer systems, is defined as "a standardized problem or test that serves as a basis for evaluation or comparison." In the world of information technology, there are various benchmarks available. You can test your office computer to see if it can efficiently run various administrative programs. Or, perhaps, you would like to see where your newest gaming computer ranks among other testers. The most important benchmarks, in my opinion, are those developed by the Center for Internet Security (CIS). The overall mission of CIS is to make the information technology world better for everyone: governments, schools, municipalities, businesses, individuals, etc. They do this by providing controls and benchmarks. The easiest way to visualize these is control = policy and benchmark = evaluation.

CIS has developed 20 controls based on real-world attacks and on the defenses that have worked effectively against those attacks. You can look at controls as after-action items that have feasible solutions. They are broken down into three categories: basic, foundational, and organizational (Figure 1).

An example of a control is the basic control Inventory and Control of Hardware Assets, the first control listed. Under this control, the organization should do several things regarding devices. Among these are: utilize an active discovery tool (identify security function), address unauthorized assets (respond security function), and deploy port-level access control (protect security function). CIS provides guidance on what these controls are for but leaves it up to the organization to determine how to properly implement them.

Figure 2 - An Ubuntu Benchmark Step
Benchmarks are not controls; however, they are closely related. While the controls provide guidance on what an organization should be doing to protect its information technology assets, the benchmark provides direction on how to secure those assets. For instance, CIS provides a benchmark for securing systems running Ubuntu Linux 18.04 LTS (Figure 2). Working through the benchmark allows the organization to implement known best practices for its assets. Again, these are based on information gathered from attacks and on what has worked well against such attacks.
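As an added example (not the blog author's code or a CIS tool), the following Python script applies the benchmark idea, evaluation of a system against a stated recommendation, to a constructed sshd_config rather than a live host. The recommendation titles and both sample configs are assumed; the parsing follows sshd's documented rule that the first value given for a keyword is the one that applies.

```python
import re

# Recommendation titles (assumed wording from the CIS Ubuntu 18.04 Benchmark's
# SSH server section; check the published benchmark for the exact text).
CIS_ROOT_LOGIN = "Ensure SSH root login is disabled"
CIS_MAX_AUTH_TRIES = "Ensure SSH MaxAuthTries is set to 4 or less"

# Constructed sample configs, not copied from any real host.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 6
# A hardening line appended later has no effect: sshd keeps the first value.
PermitRootLogin no
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
MaxAuthTries 4
Match Group sftponly
    ChrootDirectory /srv/sftp
"""

def effective_sshd_settings(text):
    """Return the global effective value of each sshd_config keyword.

    sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
    and 'Keyword value' or 'Keyword=value' are both accepted. Lines after a
    'Match' block are conditional, not global, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings

def audit_sshd(text):
    """Evaluate a config against the two recommendations: True means pass."""
    s = effective_sshd_settings(text)
    tries = s.get("maxauthtries", "")         # OpenSSH default is 6, so absent = fail
    return {
        CIS_ROOT_LOGIN: s.get("permitrootlogin", "").lower() == "no",
        CIS_MAX_AUTH_TRIES: tries.isdigit() and int(tries) <= 4,
    }
```

The weak sample fails both checks even though it ends with "PermitRootLogin no", which is exactly the kind of false sense of security a benchmark audit is meant to catch.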

Controls and benchmarks are necessary evils in today's information technology-driven world. An organization that uses controls and benchmarks, the best practices for securing information systems, stands a much better chance of thwarting an attack than one that does not. Controls are the mechanisms by which an organization can implement policies to protect assets, and the benchmarks are there to make sure those assets are actually secure.