Commercial Vehicle Electronic Logging Device Security: Unmasking the Risk of Truck-to-Truck Cyber Worms

Our research addresses a critical aspect of modern commercial transportation: the security vulnerabilities inherent in Electronic Logging Devices (ELDs) mandated for use in commercial vehicles across the United States. As these devices become ubiquitous, ensuring their security is paramount, not only for the safety of the vehicles but also for the broader infrastructure they support.

Electronic Logging Devices are installed to comply with U.S. regulations intended to manage driving hours and prevent driver fatigue. However, our findings suggest that these devices, designed to enhance road safety, also introduce significant cybersecurity risks. This research uncovers three major vulnerabilities:

1. Wireless Control Over Vehicle Systems: We demonstrate that these devices can be exploited to send unauthorized Controller Area Network (CAN) messages, allowing attackers remote control over vehicle functions such as engine speed, braking, and more.
2. Malicious Firmware Installation: Our tests show that ELDs can be reprogrammed with malicious firmware, permitting attackers to manipulate vehicle data and operations. This manipulation could lead to incorrect reporting of driving hours, unauthorized vehicle control, and other illicit activities.
3. Propagation of a Self-Replicating Cyber Worm: The most alarming vulnerability is the potential for a cyber worm that spreads autonomously from one truck to another. This worm exploits the networked nature of ELDs, posing a threat of widespread disruption in commercial fleets. The scenario includes demonstrations on a bench level and real-world testing on a 2014 Kenworth T270 Class 6 truck, which confirmed the feasibility and impact of such an attack.

These vulnerabilities underline the urgent need for stricter security measures within the ELD framework. The National Motor Freight Traffic Association, Inc. (NMFTA) publishes security requirements guidelines, that, if followed, would have mitigated these vulnerabilities.

1. Cybersecurity Requirements for Telematics Systems, March 2022
2. NMFTA Position on WiFi SSID and Password Reuse in Telematics Devices, July 2022
3. Electronic Logging Device (ELD) Cybersecurity Bulletin, August 2017