Since December 2017, nearly every big rig in the United States has been carrying around an extra passenger: the Electronic Logging Device (ELD). The ELD is designed to quietly, unobtrusively record data on drivers’ location and hours of service (HOS), but there are those who worry that they may be vulnerable to hacking, potentially putting both cargo and lives at risk. Others dismiss these concerns as the paranoia that accompanies the arrival of any new technology, but if the devastating cyberattacks of 2017 taught us anything, it’s that motivated hackers will always exploit unwary businesses. There are two basic questions to ask about ELD hacking: where is the technology most vulnerable, and who stands to benefit? The answers to these questions expose the patchwork of issues at play, which vary from device to device.
If you Google “ELD hack,” over half the results come from truckers themselves. Truck drivers are arguably the most motivated group when it comes to wanting to hoodwink their devices, since many view the mandate as an invasion of privacy that threatens their livelihoods. However, it’s plain from the message boards that few (if any) drivers have had much success with tampering with their data, and carriers have reported that law enforcement isn’t fooled, and is aggressively issuing citations for those who attempt to trick the devices. On the other end of the spectrum, in 2016, researchers at the University of Michigan published an alarming report stating that, by connecting to an on-board diagnostic port, they could cause a semi-trailer to accelerate, alter the instrument readings, and even disable one form of the brakes. ELD manufacturers are quick to point out that their devices should be incapable of such actions, but the ELDs themselves can be vulnerable to data theft or malware in a number of ways.
There are hundreds of ELDs currently on the market, and the FMCSA only mandates “minimally compliant standards” for cybersecurity, which stop at requiring encryption when communicating with FMCSA servers or sending data via email. The result is a “buyer beware” environment where some devices are relatively safe, while others (often cut-rate startups) are at risk. In TruckingInfo.com’s article on ELD security, one expert says that bring-your-own device systems (those that allow drivers to use their tablets and smartphones) are some of the most dangerous since, “all information on a phone or tablet is available to law enforcement or a hacker. Emails, text messages, pictures, credit cards and bank accounts, social media – it’s all there. Have a TMS or load board on your personal device, [and] you also have shippers, consignees, loads, rates, financial information.”
Other systems rely on thumb drives that plug into the ELD, but these aren’t entirely safe either. In 2008, Russian spies planted bugged thumb drives in kiosks around NATO headquarters in Afghanistan, and when unsuspecting servicemen and women plugged them into secure computers, they were given unfettered access to military secrets. The idea of hackers doing the same thing with thumb drives at truck stops may seem far-fetched. Consultant Avery Vice was quoted as saying “Malicious hacks of ELDs to affect vehicle operations certainly seem feasible and could be disastrous, but they also seem very unlikely.”
It is unlikely that a bored teenage hacker or even a carrier’s competitor would go to such lengths, but there is another group who could be eager to gain access to a truck’s data: cargo thieves. Today’s cargo thieves are sophisticated career criminals, and they are highly motivated; the FBI calls cargo theft a “multi-billion dollar industry.” Knowledge of a truck’s schedule and route, much less the ability to hijack its controls, could be a frightening weapon in the hands of these thieves, and the mere possibility should impress the need for vigilance on carriers.;
In matters of cybersecurity, the technology may change, but the core tenets remain the same. Carriers (and the shippers who work with them) should educate themselves about the security of their ELDs. The safest models are those with the least interaction with the outside world via Bluetooth or the internet, and those that offer end-to-end encryption for all data. Both drivers and office personnel should be trained to recognize suspicious files, and sensitive data should be segregated from HOS information. Smart carriers will get out ahead of potential problems while everyone else is still accusing them of being paranoid – ha.