From time to time, the National Motor Freight Traffic Association (NMFTA) receives questions that are excellent opportunities for learning and discussing issues with our cybersecurity team. If you have questions for our cybersecurity team, we want to hear about it! Send inquiries to marketing@nmfta.org, and we’ll do our best to answer them here.
“Since the ELD was mandated, we have been discovering how dangerous it is to truckers and the traveling public who must travel next to them on our nation’s roads.
In 2015 you wrote: ‘In 2015, NMFTA conducted research regarding the status of heavy vehicle cybersecurity. Engineers, it seems, have assumed that the computerized vehicle would not have to operate in a hostile environment. It (the ELD) centralizes access to whole fleets of trucks from a single server infrastructure located either at the service provider or the fleet operator, which introduces a large systematic vulnerability for individual fleet operators by making it possible to leverage a single attack or design for self-replicating malware against an entire fleet.’
Has this opinion changed, or are your concerns still valid? I have written to FMCSA, and they replied that the ELD is not hackable. Is it?”
Great question! Thank you for taking the time to review the past research of the NMFTA.
The Federal Motor Carrier Safety Administration (FMCSA) is the governing body responsible for drafting regulations. These regulations require:
Their opinion that the devices are unhackable could be considered true, considering that the ELD providers can self-certify that the devices are unhackable because they satisfy all 0 of the cybersecurity requirements to certify the devices. For more on this, please see Corey Thuen’s IOActive IOAsis Blackhat 2016 video about ELD cybersecurity here.
Also, FBI PIN 20200721-001 shows that since “The ELD mandate does not contain any cybersecurity or quality assurance requirements for suppliers of ELDs” there are risks with connecting an arbitrary ELD to a vehicle network.
The problems with ELD cybersecurity have been publicly known since at least 2015 when the NMFTA published the quote mentioned in your question, and again in 2017, when IOActive presented on the topic. Today:
Here are how both statements can be true: There are no public reports on ELD cybersecurity or commercial vehicle telematics, but we can look at passenger cars anecdotally. Most recently, Sam Curry and a team of his colleagues performed research into the telematics platforms used in passenger cars. They found instances of disclosure of PII, administrative panel access, and the ability to escalate from a newly registered account to other accounts.
Curry’s team found the administrative panel issue in a TSP that does some commercial vehicle business, including ELDs. For more on this, please see an interview with Sam here.
Notably, Curry’s research was conducted free of charge. There does exist paid-for research that occurs by both black and white hat hackers and is done behind closed doors.
None of the findings reported by Curry included the ability to send traffic to the vehicle from the web API (Application Programming Interface) or to compromise a telematics device with remote code execution. However, a more recent vulnerability discovered by Ramiro Pareja and disclosed by the ASRG did find that it is possible to inject vehicle traffic via a HopeChart HQT-401 telematics unit after gaining control of the telematics device’s connection to backend servers. CVE-2023-3028. You can find more information here.
Being able to send traffic to the vehicle is sufficient to affect all manner of detrimental effects for fleets. The good news is that there is no evidence of any safety issues due to injecting CAN traffic vehicle network messages. The bad news is that for fleets, simply affecting the vehicle performance and/or availability is sufficient to cause a problem, e.g., a de-rate event / limp mode, and there are many ways to cause these. In fact, many simple vehicle network attacks result in de-rate events. You can see the known public methods to get to de-rate via attacks or otherwise impact trucks from a fleet’s perspective here.
Not all TSPs have invested the same amount into developing and operating their ELD solutions, and so it makes sense that not all ELDs are as equally secure. Curry’s research found issues in the largest telematics platform providers in passenger cars. You can find more information here.
Given the larger size of the passenger car market, these providers have the industry’s most significant development and operation budgets. We encourage our member fleets to ask: does my TSP invest in cybersecurity for my telematics solution?
The NMFTA’s position on the risks of ELDs and other telematics devices has not changed since the publication in 2015, to which you refer. At that time, the NMFTA set out to create a resource to aid fleets in procuring the best Telematics Devices (including ELDs) that they could. Working with some TSPs, cybersecurity experts, OEMs, and suppliers, an NMFTA workgroup created the Telematics Security Requirements Matrix—this has a questionnaire that fleets can use to assess their current TSP and new TSPs during procurement. You can see the most recent PDF here, which also contains links to further resources on our GitHub.
It is our pleasure to reply to your insightful question. We hope you find the answer helpful.
The National Motor Freight Traffic Association promotes, advances, and improves the welfare and interests of the motor carrier industry and less than truckload carriers operating in commerce, both domestically and/or internationally.