The University of Michigan made news in August 2016 when researchers at a conference presented results from their experiments with the vulnerability of big rigsâ electronic systems. As reported in Wired magazine ahead of the conference, researchers plugged into a 2006 tractorâs OBD II port and largely commandeered the truckâs internal network. In this hack simulation, researchers âwere able to do everything from change the readout of the truckâs instrument panel, trigger unintended acceleration, or to even disable one form of the semi-trailerâs brakes.â
The experiment followed previous high-profile researcher hacks of consumer vehicles, exploiting vulnerabilities in the carsâ over-the-air-connected infotainment systems. Researchers were able to disable acceleration, brakes and more in a Jeep Cherokee.
These incidents have sparked continuing discussions inside and outside the trucking community. They are part of a growing concern over vulnerabilities in âinternet of thingsâ (IoT) devices. These are not only phones and computers, but also modern home appliances, vehicles and the like that open connections to the Internet.
The impending Dec. 18 electronic logging device mandate puts more focus on potential hacking in trucking. Most ELDs open up a connection to the cellular data network, whether directly or through paired smartphones or tablets. (The notable exception is the base version of the Continental VDO RoadLog.)
ELD makers partially downplay the threat. They say their devices arenât set up to write to the engineâs electronic control module â only to receive and transmit data from it and that they have various security measures in place. Nevertheless, scanning for vulnerabilities in IoT devices has been on the rise in recent years as hackers look for ways to turn problems into opportunity. Much more hacking is expected, possibly via ELDs.
ELD system designers also increasingly are taking security into account. âI think weâre at an inflection point in the industry,â says Sharon Reynolds, Omnitracsâ chief information security officer. Guarding against vulnerabilities should be even more of a chief concern for everyone in the industry, Reynolds says.
Owner-operator Chris Guenther knows what it feels like to lose some control over a truckâs electronics, as was noted in a similar report earlier this year here. Last summer, he was fresh out of the shop with his 2012 Kenworth T700 powered by a Cummins ISX. Going across Southern Ohio toward Erie, Pennsylvania, his Omnitracs MCP50 onboard unit began switching log statuses erratically and flickering on and off.
âMy dashboard started popping all kinds of engine and re-gen codes,â Guenther says. âThe truck then de-ratedâ slightly, but he was many miles away from a good place to get service or even pull off.
Guenther called the shop that had just worked on the truck and was referred to Omnitracs, where a tech-support representative recommended a forced reboot. âHe told me, âItâs going to shut down and reboot five times in a row,â â with about 10 seconds between each reboot, he says. âIâm still going 60 mph trying to keep it going. So he does that, and when the MCP50 shut down, so did my engine. It did that five times.â
The representative, when told what was happening, said, âThis doesnât normally happen.â
âWe donât have another documented case like this,â says Scott Hildebrandt, Omnitracsâ vice president of support and customer experience, who reviewed Guentherâs experience. âWe definitely see the unit reset and see the unit come back up, but we canât prove or disprove anything that happened out there.â
Guenther says moisture could have caused his problems. âIâve got an issue with water getting into my harness plug [on occasion] that kicks off a slew of different codes.â
Asked about Guentherâs case, Cory Hunt of Pivot Technology Resources, a remanufacturer and reseller of used ELDs, says heâs heard of similar cases. âWhen youâre tying into the data connectors and some of the wiring in these trucks, theyâre all integrated into the functionality of the trucks themselves,â Hunt says. âIâve seen it where the onboard unit wonât even let the truck shut off,â even with the ignition key removed. In such cases, the truck wonât power down without powering down the onboard communications device.
âIâve seen some really crazy things over the last 17 years,â he says. âTheyâre funny to hearâ sometimes, but scary if youâre the victim. While such instances are rare, they suggest that ensuring the integrity of your truckâs electronic system will be doubly important when plugging in any IoT device, including an ELD, Hunt says.
A company such as Omnitracs has a large security staff, Reynolds says â likewise the capability of over-the-air software updates, enabling quick protection against malware and hackers. âWhen you select the IoT device, make sure it was engineered with security in mind,â she says.
ELD suppliers say the probability of hacking into electronic logs either the current automatic onboard recording device standard (49 Code of Federal Regulations 395.15) or the new ELD standard (49 CFR 395.16) to access the controller area network (CAN) bus of vehicles is virtually impossible, as ELDs are provisioned only to read data.
âWe donât give (our application) rights to be able to write or make requests,â says Marco Encinas, marketing and product manager for Teletrac Navman, which offers the Director ELD. âAll we do is read. There is no protocol in the system that allows us to engage, change code for or manipulate the ECM computer on the vehicle.â
Encinas says heâs seen glitches like those experienced by Guenther. âThe dashboard starts lighting upâ and indicating fault codes and the like, he says, but things return to normal when the onboard unit is unplugged. He says itâs a result of an âincompatibility between the protocol weâre reading and the protocol the vehicle is broadcasting.â
In the case of a newer vehicle, it could be the vehicle manufacturer âchanged a pin on the plugâ so that itâs function was also changed.
As an extra layer of precaution, PeopleNet has embedded chips in its ELD devices to verify a secure connection.
âOur latest devices will all ship with an encryption chip built in to authenticate the device to the cloud in addition to standard authentication of the driverâs credentials upon login,â says Eric Witty, the companyâs vice president of product. âThat way, we have assurance that both the device and the person are authenticated in our system.â
Through PeopleNetâs partnerships with truck makers, âwe continue to undergo security audits and improvements to our software and hardware solutions to ensure we minimize any risk of these telemetry devices being exploited to access the vehicle,â Witty adds.
Encinas says that perhaps the biggest risk for an owner-operator may be the physical connection to the ECM itself. While a sophisticated hacker âcould find a way to generate that protocol to write into a vehicleâs ECM, to go through our device would be extremely hard. If someone wanted to do it, most likely theyâd unplug it and insert their own hardware directly.â
Regarding his incident, Guenther says, his customer support representative speculated an over-the-air update didnât go through to his unit because of a solar storm happening at the time the update was transmitting. Missing the update possibly contributed to the problems.
Guenther says his unit ran fine for months following the incident, but questions still bothered him. If the Omnitracs representative could control the unit from afar, who else could do the same? He takes that further, noting that if fault codes are being thrown by the ECM, âWhatâs to say thatâs not somebody hacking the system and telling it that somethingâs wrong? It scares the hell out of me â a huge Pandoraâs Box.â
To date, thereâs no public evidence that a truck has been hacked maliciously. The University of Michigan researchers, plugged into the truck, were far from simulating a more difficult remote hack through an ELD or other access point.
But, says Omnitracsâ Reynolds, Guenther is asking the right questions. All industry parties need to cooperate to âcontinue to mitigate those risks,â she says. âWe all have a hand in this game.â â Aaron Huff contributed to this report.
