
Trucking industry vulnerable to hackers via insecure logging devices, research finds

Colorado State University researchers found security flaws in logging devices could allow hackers to disable fleets of trucks.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Electronic logging devices (ELDs) used to manage fleets of commercial trucks may be riddled with “urgent” vulnerabilities, according to Colorado State University researchers.

Many operators of heavy vehicles are required to equip them with ELDs under federal law for purposes like tracking driver hours, engine operation, distance, and vehicle movements. That means they’re ubiquitous among the 14 million medium- and heavy-duty trucks on the road in the US, which the Cybersecurity and Infrastructure Security Agency (CISA) considers critical infrastructure.

CSU Associate Professor of Systems Engineering Jeremy Daily and grad students Jake Jepson and Rik Chatterjee presented a paper at the 2024 Network and Distributed System Security Symposium showing how ELDs equipped with Wi-Fi or Bluetooth can be remotely hijacked for various malicious purposes.

Jepson told IT Brew he bought an ELD off a “popular e-commerce website” and was able to pull and reverse-engineer its firmware. He found that the device not only had a Wi-Fi connection not mentioned in the manual, but that it was only protected with a weak default password. Additional discoveries included Bluetooth enabled by default and an exposed API that permitted over-the-air updates.

“Some of the newer trucks have this firewall sort of device, which can help in preventing attacks that come across the diagnostics port, which is where [an ELD] is plugged in,” Jepson said. “Those gateway firewalls are not perfect.”

“You can actually get it absolutely right,” Jepson added. “You can easily get it wrong as well.”

Ultimately, this could allow anyone within wireless range of a truck with a vulnerable ELD to connect and send arbitrary controller area network (CAN) messages capable of disrupting a vehicle’s systems. For example, the team was able to abuse the messages to force a truck’s engine to go to zero-percent torque, effectively disabling its accelerator pedal.

Other possible attacks the team discovered included the ability to upload malicious firmware or even spread a “truck-to-truck worm” by using infected ELDs to transmit malware to other vehicles in environments like truck stops.

“The Wi-Fi signal from these small little chips and devices is actually pretty impressive, and you get a good distance out of it,” Jepson said. “So, what we realized is that these devices can basically read their own code and upload their own code to another device.”

According to Daily, the findings illustrate a widespread problem in operational technology (OT)—much of it was designed with security as an afterthought. This problem is particularly pronounced with heavy equipment like trucks, which are designed for long service lifetimes.

“The field of heavy vehicle cybersecurity is newer than some of the trucks,” Daily told IT Brew. “That threat model really didn’t consider a lot of outside connectivity at the beginning of their designs.”

The research team promptly reported their findings to CISA, as well as the vendor, which has put together a candidate firmware update.

“The number one recommendation is to make sure that everybody keeps their systems patched,” Daily said.
