TLDR: Unchecked cybersecurity requirements leave the commercial motor vehicle industry vulnerable to attack
Greg Grisolano, a writer for Land Line, wrote a post regarding electronic logging devices (ELDs) and an FBI bulletin regarding their security. If you are like me and do not know what an ELD is, let me give you a quick background. An ELD is a device that records engine activity in a vehicle. The U.S. Department of Transportation, through the Federal Motor Carrier Safety Administration, mandates that commercial motor vehicle drivers who are required to log hours must use an ELD. Essentially, it is an electronic log of a driver's on- and off-duty record. Simple enough, right? So, what concern does the FBI have with security?
The ELDs allow connectivity via cellular, Bluetooth, and satellite communications, depending on the model being used. These devices connect into the electronic control module (ECM) of the vehicle to track things like vehicle identification, hours on the road, how many miles have been driven, and the vehicle's location. If you have ever taken your car to the dealership for a diagnostic evaluation or, perhaps, you have used a system like Verizon's HUM, then your vehicle's ECM has most likely been used at one point in time.
According to the FBI, many of these ELDs have gone through a self-certification process, not an industry-standard certification. This means the manufacturer of the device has given its own devices a clean bill of health. What the FBI has discovered is that most of these self-certified devices do not follow any cybersecurity standards to prevent attacks or mitigate vulnerabilities. This leaves these devices open to the threat of a cyberattack. So, why would a cybercriminal want to attack an ELD on a truck hauling goods from Walmart's distribution center in Bethlehem, PA, to a store in, say, Omaha, NE?
An ELD (Photo: PeopleNet)
Some of the ELDs the FBI tested turned out to provide more advanced options than their intended use requires. The intention is to simply log information. However, some of the self-certified devices actually provide the ability for the device to send commands to the vehicle's engine. Thinking like a malicious actor, how amazing would it be to have your name on the marquee on the dark web when you bring the trucking community to a screeching halt by shutting down all vehicles utilizing a compromised device? It may sound far-fetched, but it is a real possibility.
The biggest concern, however, is the connectivity to the outside world. From a cybersecurity standpoint, this is a huge vulnerability. An attacker could, in theory, target a vehicle utilizing the wireless, Bluetooth, or satellite communication channel on the ELD. Once inside the vehicle’s system, the attacker could then work to gain access to additional networks or systems. These could include enterprise-wide systems such as vehicle tracking; customer databases; personal information for drivers, employees, and customers; or even financial data. In the eyes of the FBI, the door is wide open for a large-scale event. So, how did ELDs become so vulnerable in the first place?
When the DOT and FMCSA mandated the use of these devices, they did nothing to require standards with regard to cybersecurity or quality assurance. Thus, there was no baseline for vendors to follow in order to certify their devices. Rather, vendors simply made sure their devices achieved a performance standard, logging all of the required information, and then sold them to commercial motor vehicle organizations to implement. This opens many proverbial doors for would-be attackers.
The FBI alert is a warning to those who use these devices. It urges users to reach out to the vendors to see what is being done to enhance the security of the ELDs. Interestingly, the DOT released cybersecurity best practices for these devices in May 2020, but they appear to be just guidelines for the manufacturers to follow. It does not appear that there is any requirement for them to do so.
It is interesting, in our ever-connected world, how many doors we can leave open to intruders. We are adding so many devices to our “Internet of Things” each day and, in doing so, only increase the attack surface on society. From a cybersecurity standpoint, we need to do better at enforcing strict requirements and testing to seek out vulnerabilities, fix them, and shut the door on would-be criminals. Our desire to have information at our fingertips, at a moment's notice, in an automated fashion continues to drive our need to ensure such data and information is secured; not just when called out by the FBI but from the very beginning.