Cybersecurity 101 is a regular series on Overdrive intended to help owner-operators and small fleets navigate the growing risks of cybersecurity threats, identity theft, online scams and more. In this installment, Sam Kassoumeh, co-founder and COO of Security Scorecard, details ELDs’ susceptibility to hacks and how you can vet your ELD provider.
Although not all electronic logging devices work exactly the same way, most establish connections with home bases that feed data to remote web applications managed by third parties. This setup can create openings for ELDs to be hacked, allowing fleet and drivers’ data to be tampered with.
Since the 2017 ELD mandate, millions of ELDs have come online. If a hacker was looking to gain access to a fleet’s secured network, they would likely start by searching the internet for peripheral devices, such as ELDs, to exploit a vulnerability or misconfiguration and then pivot into the internal network.
As connectivity grows, so does risk. Hackers’ motivations for gaining access to ELDs will range from common threats, such as the use of compromised devices for botnet activities, including inflicting malware to steal data, to the more targeted infiltration of business networks.
For owner-operators who use “bring your own device” ELDs such as apps on smartphones or tablets, there is also the risk of hackers gaining access to ELD data through malware on the phone coming from another, non-ELD app. Anytime a device such as a phone, laptop or desktop is compromised with malware, attackers can access everything on the device.
Access to ELDs by criminals could lead to input tampering that results in inaccurate data or unauthorized code being sent to the ELD application.
While there have been no widely reported incidents of a compromised ELD vendor or specific strain of malware targeting the technology, there are likely many user devices that access ELDs that have been compromised and are providing access to the systems. There have been vulnerabilities discovered in fleet management software in the past. It is likely that any technology that interfaces with the internet will eventually experience a vulnerability, which is where the importance of continuous monitoring with enterprise cybersecurity tools comes into effect.
ELD buyers would benefit by asking questions to ELD software providers and device companies about measures they have to combat cyber risk: Will this data be stored with a third party? Do you use your own hosting or a cloud hosting provider? Which hosting providers do you use?
Third-party vetting is a critical part of any cybersecurity program. We’ve found third parties can be a major source of larger hacks. Although an organization may be cognizant of the threats posed to their own networks, those they do business with may not have the same security protocols in place.
The reality of cloud computing is that most small businesses rely heavily on third-party vendors to handle outsourced tasks, such as management of data and software platforms. As a result, cybercriminals know that targeting third-party service providers, such as those that might store data from ELD vendors, provides the advantage of being able to hit many organizations by finding a single security control weakness.
In the trucking industry, a cybercriminal successfully exploiting a single fleet management web application provider connected to multiple fleets could compromise authentication information that is reused on other services.
Companies searching for a fleet management service provider, or any ELD provider for that matter, should start by conducting detailed cybersecurity due diligence to ensure the vendor meets basic information security standards.