Can ELDs be hacked? Data security, privacy add to list of considerations

user-gravatar Headshot
Updated Aug 27, 2018
Companies benefit from having visibility to identify drivers with time remaining on their clocks to possibly make an extra pickup or delivery.Companies benefit from having visibility to identify drivers with time remaining on their clocks to possibly make an extra pickup or delivery.

Considering the abundance of industry news involving electronic logging devices, cybersecurity seldom gets mentioned.

As of Dec. 18, most drivers who currently maintain records-of-duty status — about 3 million, according to the Federal Motor Carrier Safety Administration — will be using electronic logs or risk out-of-service violations.

Most fleets will be using devices that come with a monthly service plan, most often associated with a connection to the cellular data network. That connectivity means ELDs are Internet of Things devices — which raises cybersecurity concerns.

In 2016, AT&T reported a 3,198 percent increase over the previous three years in the number of attackers scanning for vulnerabilities in IoT devices. AT&T also conducted a survey last year of businesses to gauge their potential security threats; 58 percent of respondents were not confident in the security of their IoT devices.

Cybersecurity was hardly a concern for fleets that started using mobile communications systems more than 25 years ago to connect to their drivers and vehicles through satellite networks. With millions of ELD devices coming online, could this become a gateway for hackers or even computer novices to access sensitive vehicle controls and information?

Tapping into trucks

The University of Michigan made news in 2016 when researchers presented at an August conference results from their experiments involving the vulnerability of big rigs’ electronic systems. Researchers plugged into a 2006 tractor’s diagnostics port, and this was the result:

By sending digital signals within the internal network of a big rig truck, the researchers were able to do everything from change the readout of the truck’s instrument panel, trigger unintended acceleration or to even disable one form of the semi-trailer’s brakes.

Since the late 1990s, fleets have been using various telematics devices to remotely plug into the controller area network of trucks to capture data from engines and other electrical-mechanical systems.

Incidents of hacking into the electronic control modules of engine and braking systems through telematics units haven’t happened or been publicized.

Partner Insights
Information to advance your business from industry suppliers

Some telematics providers have “black box” units installed in hundreds of thousands of trucks. The companies regularly send updates to the software on these platforms over the air. In a worst-case scenario, a cyberattack could be coordinated around a scheduled software update to an ELD or other application on the devices.

However, spokespeople from ELD suppliers say the probability of hacking into electronic logs — either the current automatic onboard recording device standard (395.15) or the new ELD standard (395.16) — to access the CAN bus of vehicles is virtually impossible. That’s because ELDs are provisioned only to read data.

“We don’t give (our application) rights to be able to write or make requests — all we do is read,” said Marco Encinas, a marketing and product manager of global platforms for Teletrac Navman, which offers the Director ELD.

“There is no protocol in the system that allows us to engage, change code for or manipulate the ECM computer on the vehicle.”

As an extra layer of precaution, PeopleNet has embedded chips in its ELD devices to authenticate the connection between the device in the vehicle and its cloud management system.

“Our latest devices will all ship with an encryption chip built in to authenticate the device to the cloud in addition to standard authentication of the driver’s credentials upon login,” said Eric Witty, vice president of product for PeopleNet. “That way, we have assurance that both the device and the person are authenticated in our system.”

Through PeopleNet’s partnerships with truck OEMs, “we continue to undergo security audits and improvements to our software and hardware solutions to ensure we minimize any risk of these telemetry devices being exploited to access the vehicle,” Witty said.

Restricting access to data

Eld Truck Display

Besides preventing ELDs from talking to vehicles, suppliers restrict their ELD applications from sharing data with other applications on the device.

“We follow secure code development practices that isolate the ELD application code from other applications on the devices,” said Andrew Dondlinger, Navistar’s vice president for Connected Services. “The ELD application also requires positive user credentials before allowing for the collection of the vehicle’s ELD data by any user or by any other application.”

Navistar’s ELD app connects the driver’s mobile device to the OnCommand Connection Telematics device. The app is available through the company’s OnCommand Connection Marketplace.

PeopleNet traditionally has favored using company-owned personally enabled (COPE) communications devices to give fleets the ability to deploy proprietary company apps and approved third-party programs on the same device that runs their PeopleNet software, Witty said.

PeopleNet envisions fleets wanting to use “companion apps” that will allow drivers to access their own log data through a secure driver portal, Witty said.

“The security concerns are much the same as the ELD device itself,” he said. “We will address them by ensuring we are using the same standards, such as secure HTTP (SSL/TLS), similar to how banks secure communication for their mobile applications.”

Teletrac Navman provides a Garmin GPS tablet to run its ELD application, and the only other app on the device is Garmin navigation. “We don’t allow third-party apps to be downloaded,” Encinas said. The tablets communicate through serial connection to a black box that has cellular connectivity.

The display tablets do not have their own cellular connection, which prevents software from being loaded onto the devices.

“For us, it’s about being able to control the types of data communicated to the hardware and to us to limit possibilities for distraction,” Encinas said.

Reporting malfunctions

No ELD product on the market is foolproof. If any hardware, software or connection malfunction — or possibly a hacker — impedes the ELD’s operation, FMCSA’s 395.16 rule requires that the device report the error to the driver and fleet management to trigger support activities.

Navistar’s OnCommand Connection telematics device continuously monitors the truck’s health status, which includes electronics, Dondlinger said. “In the event of a detected malfunction on the truck, OnCommand Connection will provide the customer – and Navistar as well – with a health report highlighting the faults on the truck, along with a fault code action plan, which is a recommended sequence of actions to address each fault.”

Similarly, if a malfunction is detected by Teletrac Navman’s Director ELD application, the device continues to record any data that it can from the vehicle and the driver’s duty status. The driver is alerted by a fault message indicator, and fleet management is alerted through the web portal to notify dispatchers.

Teletrac Navman’s support team can do an over-the-air reset if needed, Encinas said.

Drawing the line on privacy

Regarding data privacy, independent owner-operators may not want carriers or freight brokers to have 24/7 real-time visibility of their logbook data. On the other hand, companies benefit from having visibility to identify drivers with time remaining on their clocks to possibly make an extra pickup or delivery.

“The whole question about data gets typically framed in data privacy or data security,” said Dirk Schlimm, executive vice president for Geotab, a telematics and ELD provider. “As a consumer, you don’t want anybody to know where you’ve been, but in a business context, the area of privacy is much less prevalent.”

Some ELD providers see an opportunity to capitalize on the hours-of-service and telematics data they collect from their customers. With their customers’ permission, they could use that data for matching capacity with loads or offering usage-based insurance.

“It will be very hard in the future for any business of any size to compete without data,” Schlimm said. “You just have to give everybody secure and safe access to that data.”