TORONTO, Ont. — Electronic logging devices (ELDs) present a real threat to security for the trucking industry, says Glenn Atkinson, Geotab vice president, product safety.
“It’s surprising the number of small to medium-sized companies that aren’t aware of what they’re putting in their truck,” he said at a morning session at the 2018 Geotab Connect conference.
Fleets and owner-operators who bought less expensive devices, or devices from smaller providers, may not have the security they think they do.
Like all electronic devices, when ELDs transmit information over the air to backend databases, they initiate a process called a handshake.
That handshake occurs when the device transmits a seed-key as a security measure and, as a password might, the seed-key confirms the devices are allowed to share encrypted information with each other.
In some cases that security measure is exactly what makes the device vulnerable to hackers.
Students from the heavy-truck cyber security engineering program at the University of Tulsa found that devices with shorter seed-keys, and those with seed-keys that didn’t change with each use (keys that do change are known as dynamic seed-keys), were easily hacked.
Working on a project to find vulnerabilities in systems, the students were able to break into those ELDs that use only 8-bit or 16-bit seed-key encryption.
For security reasons, Atkinson could not reveal how many devices were compromised or which manufacturers made them.
With shorter keys, students were able to create a program that discovered the key and gained access to the devices with very little effort.
Bad guys like to share information, Atkinson said, so keys that are broken are likely to be posted in online hacking communities.
The solution to the issue isn’t to lock down devices by making sure their programming isn’t open-source, however. Experts agree open source programming – that is, programming that isn’t proprietary and allows multiple types of developers to work on it – helps to identify holes in security more quickly and easily.
The answer lies in making sure the seed-key for devices is longer and dynamic, using 96-bit or even 256-bit encryption that changes after each handshake.
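The longer, dynamic seed-key described above, as an added example that is not code from the article, Geotab or any ELD vendor. It assumes the backend issues a fresh 96-bit seed for each handshake and the device answers with an HMAC-SHA256 key over a per-device secret; the class and function names and that key-derivation choice are assumptions, since the article does not describe the protocol.

```python
import hashlib
import hmac
import secrets

SEED_BYTES = 12  # 96-bit seed, the shorter length the article recommends


def derive_key(device_secret: bytes, seed: bytes) -> bytes:
    """Device side: answer the seed with a 256-bit key (HMAC-SHA256 assumed)."""
    return hmac.new(device_secret, seed, hashlib.sha256).digest()


def average_guesses(bits: int) -> int:
    """About half the keyspace: average tries for an exhaustive search."""
    return 2 ** (bits - 1)


class HandshakeVerifier:
    """Backend side: one fresh seed per handshake, one attempt per seed."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret
        self._pending = None  # seed issued for the handshake in progress

    def issue_seed(self) -> bytes:
        self._pending = secrets.token_bytes(SEED_BYTES)  # never reused
        return self._pending

    def verify(self, key: bytes) -> bool:
        seed, self._pending = self._pending, None  # consume the seed
        if seed is None:
            return False  # no handshake open, or seed already used
        return hmac.compare_digest(derive_key(self._secret, seed), key)


def demo() -> dict:
    secret = secrets.token_bytes(32)  # constructed per-device secret
    backend = HandshakeVerifier(secret)
    seed1 = backend.issue_seed()
    key1 = derive_key(secret, seed1)
    first = backend.verify(key1)  # legitimate device
    seed2 = backend.issue_seed()
    replay = backend.verify(key1)  # key recorded from the first handshake
    return {"first": first, "replay": replay, "fresh": seed1 != seed2,
            "guesses_16": average_guesses(16), "guesses_96": average_guesses(96)}


if __name__ == "__main__":
    print(demo())
```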
Fleets can do that by talking to prospective ELD software providers and device companies and asking the right questions about security.
For those that already have devices in their trucks, seed-key information can’t be found on the device itself, but it should be available online, in the user manual, or by speaking to a company representative, so you can be sure your device is secure.
For those already operating with devices using shorter seed-keys, the answer may be in attaching another device, called a hardware break, to the ELD.
Compatible hardware breaks allow the ELD to function while coming between it and potential hackers. The solution isn’t ideal because it locks down the device and may make it more difficult to use, but it serves as a stop-gap if fleets don’t want to replace their equipment.