Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

Original article here.

The device that makes it possible is required in all American big rigs, and has poor security

Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University.…

In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles.

“These findings highlight an urgent need to improve the security posture in ELD systems,” the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there’s not too much diversity of products on the market. While there are some 880 devices registered, “only a few tens of distinct ELD models” have hit the road in commercial trucks.

A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven – but they aren’t required to have tested safety controls built in.

And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD.

“In our evaluation of ELD units procured from various resellers, we discovered that they are distributed with factory default firmware settings that present considerable security risks,” the authors noted.

This included an exposed API that permits over-the-air (OTA) updates. The devices also have Wi-Fi and Bluetooth enabled by default, with a “predictable” Bluetooth identifier and Wi-Fi Service Set Identifier (SSID) and weak default password. That makes it easy to connect to the device and then obtain network access to the rest of the vehicle’s systems – at least for attackers within wireless range.

This can be achieved via a drive-by attack, or by hanging out at truck stops, rest stops, distribution centers, ports – basically anywhere that heavy-duty trucks tend to congregate.

The ELDs use a Controller Area Network (CAN) bus to communicate. For one of the attacks, the boffins showed how anyone within wireless range could use the device’s Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt of some of the vehicle’s systems.

A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations.

Finally, in what the authors described as the “most concerning” scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device’s Wi-Fi capabilities to search for other vulnerable ELDs nearby.

Here’s how it knows the devices are vulnerable:

After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices.

“Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications,” the researchers warned.

The team also conducted a real-world, drive-by attack simulation on an empty airfield to demonstrate this attack. It used a 2014 truck, and the “attacker” drove a Tesla Model Y at 20mph with a laptop and an Alfa extended range wireless adapter. While both vehicles were in motion, in just 14 seconds the team connected to the truck’s Wi-Fi, used the ELD’s interface to re-flash the device, and started sending malicious messages causing the truck to slow down.

According to Jepson, the researchers disclosed the flaws to the ELD manufacturers and the US Cybersecurity and Infrastructure Security Agency (CISA) before publishing the paper.

“The manufacturer is working on a firmware update now,” Jepson explained. “But we suspect these issues may be common and potentially not limited to a single device or instance.” ®