A recent paper published by researched at the University of Colorado is just the latest in a long line of alarming discoveries of major vulnerabilities in our automobiles and trucks to remote hacking. In this case, the focus is on the Electronic Logging Devices (ELDs), modern commercial trucks are required by law to be equipped with in compliance with U.S. regulations. Not surprisingly, these have become potential major cybersecurity threat vectors.
In real world live tests, the team demonstrated that access to these interfaces could give a hacker direct real-time control over the vehicle, which would allow them to accelerate decelerate deactivate airbags interfere with steering assist and, even more alarming, the potential for a self-propagating truck-to-truck worm, which takes advantage of the inherent networked nature of these devices.
The summary from their report speaks for itself:
Our research uncovers three critical vulnerabilities in commonly used ELDs. First, we demonstrate that these devices can be wirelessly controlled to send arbitrary Controller Area Network (CAN) messages, enabling unauthorized control over vehicle systems. The second vulnerability demonstrates malicious firmware can be uploaded to these ELDs, allowing attackers to manipulate data and vehicle operations arbitrarily. The final vulnerability, and perhaps the most concerning, is the potential for a self-propagating truck-to-truck worm, which takes advantage of the inherent networked nature of these devices. Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications. For the purpose of demonstration, bench level testing systems were utilized. Additional testing was conducted on a 2014 Kenworth T270 Class 6 research truck with a connected vulnerable ELD.
These findings highlight an urgent need to improve the security posture in ELD systems. Following some existing best practices and adhering to known requirements can greatly improve the security of these systems. The process of discovering the vulnerabilities and exploiting them is explained in detail. Product designers, programmers, engineers, and consumers should use this information to raise awareness of these vulnerabilities and encourage the development of safer devices that connect to vehicular networks.
Jake Jepson, Rik Chatterjee, Jeremy Daily (Colorado State University); Commercial Vehicle Electronic Logging Device Security: Unmasking the Risk of Truck-to-Truck Cyber Worms
As the team points out, mitigating this vulnerability could be very difficult because of the differing models of ELD in the field, and the lack of IT support and cybersecurity threat awareness in trucking companies generally.
This is another example where Faction Pods are well suited to step in. Rather than trying to upgrade or replace this hardware, which would take months or years for most firms, ELDs can be connected to Pods and taken OFF the Internet and into Faction Virtual Private Circuits. Data publishing for law enforcement and other agencies and entities that are authorized to get this data can be configured by the Faction Network Owner in one step for all pods in a fleet. But there is no possibility of connecting to the device itself, which can only come by invitation and authorization by the human driver in the truck.