ELD Security Threats: Can trucks be mass-hacked to physically crash via ELDs?


Guest writer Jim March Simpson takes on one of the most controversial questions in trucking — can hackers use ELDs to take control of your truck?

——————————————————————————————————

Introduction

The security of the electronics of heavy trucks is badly substandard. An evil mechanic at just one shop could in theory implant commands to cause a truck to floor the gas and disable the shifter and in some cases brakes, one truck at a time. This is already a confirmed threat. The problem ELDs (“Electronic Logging Device”) bring to the table is that these same insecure onboard computers are opened to attack across the general Internet. How many simultaneous truck crashes (not in the “computer went and broke” sense!) will it take to equal the destructive power of four jumbo jets? If we don’t act quickly we’re going to find out the hard way.

Why Are ELDs A Threat?

I recently published a review of a particularly craptastic ELD by Rand McNally:

What I did NOT do (mainly because I don’t have the right tools and I had to turn everything back in fully intact) is a proper security review. But the more I research the possibilities combined with what little I do know for sure about the RM devices, the more flat-out terrified I am.

Put simply, modern ELDs create a remote-access system for a truck’s internal computer. At a minimum that means remote access to the throttle. In a truck with an auto tranny, it should be possible to lock the gearbox from shifting into neutral [1] and in some cases the brakes are computer-controlled as well, especially in trucks equipped with radar and collision avoidance systems [2].

I’m going to go into some detail but let me cut to the chase right now: so far most ELD systems have been fairly professional, built by larger companies for the mega-fleets. The ELD mandate has inspired a new crop of “fly by night operators” who cater to budget-minded owner-operators and small fleets that have been running on paper. These new “ghetto ELDs” are a security nightmare on multiple levels: the devices themselves are low-grade and they’re designed for “bring your own device” (BYOD) situations where truckers view/edit their logs on Android or iOS/Apple phones or tablets they already own. BYOD means there are easy ways of remotely communicating with the ELDs and that means…well holy crap guys, it means half a dozen North Korean agents for example could hack entire fleets at once.

Basics Of Computer Security Analysis

To do a threat assessment we need to know what the “attack surfaces” are. Basically, data flows from one device to another and wherever it goes across a boundary it’s open to interception, modification or falsification. This goes triple when the connection is wireless.

To plot out an attack we need a layout of what’s basically there – this is what the map looks like for Rand McNally with a DS200 at the core:

So, the DS200 is the device that is tracking where the truck is based on its internal GPS and its connection to the truck’s computer to tell if the wheels are turning. It also has a cellular modem (on the Sprint network) to pass data on what the trucker does to the trucking company, and a WiFi connection to Rand McNally’s app running on the Android tablet (or phone, or Apple/iOS, or Rand McNally’s own “tablets” like the TND 740 – doesn’t matter for our purposes).

The DC200 installation manual tells us it connects to “JBUS”:

http://www.randmcnally.com/images/randDocuments/support/DES-2044_DC200_InstallGuide_0102_102716_JS.pdf

If we dig into “JBUS” we find its full name is J1939, at least in its current incarnation – there are older flavors and we know that trucks going back to at least the year 2000 are ELD compatible.

It turns out that $600 buys anybody a year’s access to the full internal specs of this communications protocol:

http://www.sae.org/misc/pdfs/J1939.pdf

I also know that when you plug the DS200 into the J1939 connector, no password is needed to access the truck’s internals. It’s all sitting there wide open, from the point of view of anything connecting to JBUS/J1939.
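To make the “wide open” point concrete, here is an added example (not code from the article, from Rand McNally, or from the University of Michigan team) showing how a J1939 frame identifier is laid out and why any node on the bus can claim to be any other: the source address is just a byte the sender writes. The second half is a defender-side monitor that learns which source address normally sends each parameter group (PGN) and flags the same PGN arriving from a different address. The frames, the source address 0x80 and the ownership heuristic are all constructed assumptions for illustration.

```python
"""J1939 identifier decoding plus a small passive bus monitor.

Added example, not code from the article, from Rand McNally, or from the
University of Michigan team. The frames below are constructed for
illustration; the source-address check is an assumed detection heuristic.
"""

# Layout of the 29-bit J1939 identifier (SAE J1939-21):
#   bits 28-26 priority | bit 25 EDP | bit 24 DP | bits 23-16 PF |
#   bits 15-8 PS | bits 7-0 source address (SA)
# No field carries authentication: the SA is whatever the sender puts there.


def decode_id(can_id):
    """Split a 29-bit CAN identifier into its J1939 fields."""
    priority = (can_id >> 26) & 0x7
    edp = (can_id >> 25) & 0x1
    dp = (can_id >> 24) & 0x1
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    sa = can_id & 0xFF
    if pf < 240:
        # PDU1: addressed to one node; PS is the destination, not part of the PGN
        pgn = (edp << 17) | (dp << 16) | (pf << 8)
        dest = ps
    else:
        # PDU2: broadcast; PS is a group extension and belongs to the PGN
        pgn = (edp << 17) | (dp << 16) | (pf << 8) | ps
        dest = 0xFF
    return {"priority": priority, "pgn": pgn, "dest": dest, "sa": sa}


def engine_speed_rpm(data):
    """SPN 190 (engine speed) from an EEC1 payload: bytes 4-5, little-endian, 0.125 rpm/bit."""
    raw = data[3] | (data[4] << 8)
    return raw * 0.125


class J1939Monitor:
    """Passive check: learn which source address normally sends each PGN,
    then flag the same PGN arriving from any other source address."""

    def __init__(self):
        self.owner = {}     # pgn -> source address seen during learning
        self.alerts = []

    def learn(self, can_id):
        f = decode_id(can_id)
        self.owner.setdefault(f["pgn"], f["sa"])

    def observe(self, can_id):
        f = decode_id(can_id)
        expected = self.owner.get(f["pgn"])
        if expected is None or expected == f["sa"]:
            return None
        alert = "PGN %d from SA 0x%02X, expected SA 0x%02X" % (f["pgn"], f["sa"], expected)
        self.alerts.append(alert)
        return alert


# Constructed traffic: EEC1 (PGN 61444) from the engine controller (SA 0x00),
# engine speed 1200 rpm -> raw 9600 = 0x2580, stored little-endian in bytes 4-5.
EEC1_FROM_ENGINE = 0x0CF00400
EEC1_PAYLOAD = bytes([0xFF, 0xFF, 0xFF, 0x80, 0x25, 0xFF, 0xFF, 0xFF])
# Same PGN, but carrying a source address (0x80) nobody on the bus has claimed (constructed).
EEC1_FROM_UNKNOWN = 0x0CF00480


def run_demo():
    """Learn the baseline sender, then watch one normal and one spoofed-looking frame."""
    mon = J1939Monitor()
    mon.learn(EEC1_FROM_ENGINE)
    mon.observe(EEC1_FROM_ENGINE)     # baseline sender, no alert
    mon.observe(EEC1_FROM_UNKNOWN)    # unexpected sender, alert
    return mon.alerts


if __name__ == "__main__":
    print(decode_id(EEC1_FROM_ENGINE))
    print("engine speed:", engine_speed_rpm(EEC1_PAYLOAD), "rpm")
    for a in run_demo():
        print("ALERT:", a)
```

The monitor is observational only: because nothing on J1939 signs or authenticates frames, the best a listening device can do is notice that a PGN showed up from an address that has not been seen sending it before, which is a reasonable first alarm for a fleet-side logger but not a control.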

J1939 Hacking

So what happens if you connect a computer straight-wired into the J1939 data communications port on a heavy truck? Can you do malicious stuff?

YES!!! Oh hell yeah…the first two links are summaries of a report by a test-hacking team from the University of Michigan, and the last link is the actual peer-reviewed report:

https://www.forbes.com/sites/thomasbrewster/2016/08/05/windows-pc-truck-telematics-hack-def-con/#20d4ea294ab9

https://www.bigmacktrucks.com/topic/46321-us-truck-hacking-report-due-for-release/

https://www.usenix.org/system/files/conference/woot16/woot16-paper-burakova.pdf

The UMich attack team proved they could maliciously hack a 2006-era truck by going in through the physical J1939/JBUS plug. This is the same plug almost all of the Elog devices use. The UMich team proved that if you run the right kind of wire from the SAME J1939 connector the DS200 plugs into straight to a computer, you can make the truck do all kinds of funky dangerous stuff that would make even the worst newbie driver freak out. What the University of Michigan researchers didn’t calculate was that somebody would be stupid enough to put in a small programmable box to that same port they were able to hack, that had both general Internet and WiFi connections. And then years later some ignorant government dweebs would require this on every truck made from 2000 forward.

What does this mean in real life?

Let’s say we have half a dozen DAESH lunatics who got tired of getting shot up in Syria, are in the US and have some technical chops.

One of them grabs the tech specs for J1939, $600. Another goes to a truck stop – list price for a Rand McNally DS200 is $399 cold cash. Another hits up TruckPaper and buys a used truck – $15k for something ugly but runs OK is entirely practical. Another gets a job at a truck stop and starts looking at what hazmat tanker truck fleets are running what ELD system – it’s not hard, each ELD comes with a sticker that goes near the door to tell the cops what logging system you’re running. When he sees the right kind of truck running Rand McNally, he also writes down the MC number and home state/city of that fleet.

The ones with geek creds build the attack. They find the yard where the target trucks are and use a WiFi scanning system like Wireshark running on a laptop with an oversize WiFi antenna. What they’re doing is monitoring the WiFi communications between the DS200 and people’s tablets or phones. When the passwords are passed, they’ll capture an encrypted (read: “scrambled”) form of the password that’s not immediately usable.

They take that scrambled copy of the WPA WiFi password back to their evil lair and there, crack it. How? Well that’s an interesting subject. It turns out you can buy heavy duty “graphics cards” that are really meant for very powerful calculations. Here’s an example of a $3,000 monster:

https://wccftech.com/nvidia-titan-v-crypto-mining-performance-tested-bitsbetrippin-spoiler-monster/

Calculation cards like this are meant mostly for mining bitcoins (google that phrase if you want, it’s a weird rabbit-hole) but trust me when I tell you that’s also a killer brute-force password cracker.

It may take days, weeks, maybe a month, but they’ll bust it all wide open – especially since, having bought their own DS200 cash’n’carry, they know generally what a Rand McNally WiFi password looks like (narrowing the search parameters).

Now go back in the same van to the truck yard and with the actual WiFi passwords, upload pre-canned malicious software into the DS200 boxes that…well, there’s all kinds of possibilities. Program it to wait until a truck has done 60+ MPH for an hour or more, and then slows to 35 for a bit (entering an urban area) and then balls-out accelerate with no brakes allowed and no throwing the auto tranny into manual allowed either. OR, set up an Internet connection back to evil lair HQ, track each one, and when they get close to a school…let ‘er rip. Rinse and repeat lots of times. Or just set them all off at once.

This is just one attack. Get somebody into the IT department of a trucking company, you can raid these systems over the cellular network, forget the whole WiFi issue.

Or here’s an even better attack: write a smartphone app that appeals to truckers, or infiltrate the developers of existing apps like TruckerPath (mapping to truck-friendly locations), Fuelbook (find cheap diesel) or the like. Every trucker has some of these apps. Or write a new one – the goal is to have an app in lots of truckers’ phones that looks for “ghetto ELD” devices connected to the phone via Bluetooth or WiFi and sets up a multi-truck (or multi-fleet) catastrophe [3].

What about the more “professional” systems that big fleets use?

Well they all plug into the same J1939 data port. But, something like a classic Qualcomm box has the data connection to the truck, cellular connection to the trucking company plus the driver’s screen and keyboard all integrated. The only outside connection is the cellular data to the trucking company. The lack of WiFi to yet another local device (such as an Android phone/tablet/etc.) means that whole WiFi “attack surface” available on the Rand McNally products isn’t available, and raiding a trucker’s smartphone won’t help at all. This makes attacks harder but not at all impossible.

Conclusion:

We know that the Rand McNally software that talks to the truck driver is junk – see my initial review, and it’s been confirmed by other truckers I’ve talked to on social media that have also run it. Is the part of the RM product line that talks to the TRUCK garbage as well? Seems likely! Are there blocks put in so that it cannot send signals that tamper with braking, acceleration and the like? Why would there be? That would cost RM money and this was obviously done on the cheap for truckers looking for a quick budget solution because of this idiotic mandate coming up like a freight train.

And while I’m picking on Rand McNally here, all the same issues are present with the Transflo ELDs, the KeepTruckin’ ELD option and any other “BYOD” ELD device, and to a lesser degree every single ELD on the market [4]. The more I look, the more I think the biggest threat is an Android malware package spread to truckers that looks for a variety of “budget ELD devices” and attacks the truck through whichever one it finds. The ELDs available cash retail at truck stops are going to be the most vulnerable because getting samples to prepare a serious attack is simple and anonymous.

Clearly there hasn’t been enough oversight on this whole process – if there was any oversight at all the RM products wouldn’t be allowed to ship yet [5]. Putting Internet-connected devices into a position where we KNOW (via the University of Michigan team) that malicious stuff can be done isn’t just crazy, it’s high treason.

And some of us truckers are going to be first to the scene of the crime.

About the Author

I’m a computer geek turned trucker. Among other things I’m well known for researching and publishing information on threats to electronic voting systems – I’m one of the people who believes that “election hacking” is a real threat. If you’re trying to google my work in this area (mostly 2012 and prior) you need to know that it was mostly done under the name “Jim March”. In 2013 I married Dana Jill Simpson and took her last name. (Never claimed to be an “alpha male” type…) I’m currently shopping for a truck – dated 1999 or earlier!

You can contact Jim at 1.jim.march@gmail.com.

Footnotes:

1. Big truck “automatic” trannies are actually manual transmissions with computer-controlled shifting and clutch.
2. It may also be possible to spoof the brakes via the ABS (Anti-lock Braking System). ABS sensors detect when the wheels stop (due to skidding in low-traction situations like rain and snow) and briefly disable the brakes to allow traction to be regained. What happens if the ABS sensor signal is set to falsely declare tire lock-up? A: no brakes.
3. If you ever see a “free pizza for truckers!” app and it says “doesn’t apply to sausage, bacon or ham toppings” in fine print, be cautious. If it says “A Special Message From Our Dear Leader CEO!”, panic. Seriously though, attacks which target trucker cellphones to communicate with budget ELDs would work even if there’s no WiFi, as in the even-cheaper Rand McNally ELD50 device which has only Bluetooth connectivity to a tablet or smartphone.
4. The crazy part is, this connection to the truck’s onboard computer was never necessary in the first place! Truck movement could have been determined by GPS with no wiring to the truck’s computer needed. Some technoturnip bureaucrat with zero knowledge of computer security screwed up the specs for this whole program.
5. The ELDs available at truck stops all say “FMCSA Certified!” on the box, but it’s a self certification system: https://www.fmcsa.dot.gov/hours-service/elds/choosing-electronic-logging-device-checklist – look at the first bullet point: “The vendors on this list have self-certified that their device is compliant with all of the ELD technical specifications, and registered each ELD model with FMCSA.” Ye Gods and Little Fishies…
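Footnote 4’s point, that whether a truck is moving can be inferred from GPS alone with no wire into the truck’s computer, as an added example (not code from the article or from any ELD vendor): successive GPS fixes give a great-circle distance, distance over time gives speed, and speed against a threshold gives an in-motion flag. The fixes are constructed, and the 5 mph threshold is an assumption chosen for illustration, not a value quoted from the regulation.

```python
"""Vehicle-motion detection from GPS fixes alone.

Added example, not code from the article or from any ELD vendor. Fixes are
constructed; the 5 mph in-motion threshold is an assumption for illustration.
"""
import math

EARTH_RADIUS_M = 6371000.0
IN_MOTION_MPH = 5.0  # assumed threshold, not taken from the ELD rule


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def speed_mph(fix_a, fix_b):
    """Average ground speed between two fixes of the form (t_seconds, lat, lon)."""
    t_a, lat_a, lon_a = fix_a
    t_b, lat_b, lon_b = fix_b
    dt = t_b - t_a
    if dt <= 0:
        raise ValueError("fixes must be in strictly increasing time order")
    metres = haversine_m(lat_a, lon_a, lat_b, lon_b)
    return metres / dt * 3600.0 / 1609.344   # m/s -> mph


def motion_states(fixes):
    """One boolean per interval: True where the vehicle exceeded the threshold."""
    return [speed_mph(a, b) > IN_MOTION_MPH for a, b in zip(fixes, fixes[1:])]


# Constructed fixes at 60 s intervals: heading due north, then parked,
# then parked with about a metre of GPS jitter.
FIXES = [
    (0, 35.00000, -90.0),
    (60, 35.01000, -90.0),   # ~1.11 km in 60 s, about 41 mph
    (120, 35.01000, -90.0),  # stationary
    (180, 35.01001, -90.0),  # jitter of roughly 1 m, well under threshold
]


if __name__ == "__main__":
    for a, b, moving in zip(FIXES, FIXES[1:], motion_states(FIXES)):
        print("%3d-%3d s: %5.1f mph  in motion=%s" % (a[0], b[0], speed_mph(a, b), moving))
```

The jitter fix is the reason a threshold exists at all: a parked truck’s GPS position wanders by a metre or two between fixes, which the speed test must not read as movement. Everything the logger needs here comes from the GPS receiver; nothing is read from or written to the truck’s own network.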
