Truck-to-truck worm poses a threat to the entire US commercial fleet
A critical security flaw has been discovered in Electronic Logging Devices (ELDs) used in American big rigs, potentially affecting over 14 million medium and heavy-duty trucks. Researchers at Colorado State University have demonstrated that these ELDs can be accessed through Bluetooth or Wi-Fi connections, allowing attackers to take control of a truck, manipulate data, and spread malware to other vehicles.
The findings, presented at the 2024 Network and Distributed System Security Symposium, emphasize the urgent need for improved security measures in ELD systems. The researchers have identified three vulnerabilities in these devices, including the distribution of factory default firmware settings that pose significant security risks.
ELDs are mandated for most heavy-duty trucks in the US, serving to track driving hours and log data on engine operation and vehicle movement. However, they are not required to have built-in safety controls, making them susceptible to wireless manipulation by other vehicles on the road. Attackers can exploit the exposed API, the default Wi-Fi and Bluetooth settings, and a weak default password to gain access to the truck's systems.
The researchers conducted tests on various ELD units, revealing the ease with which attackers can disrupt a vehicle's systems. They demonstrated how attackers within wireless range can send arbitrary messages to disrupt the truck's systems or upload malicious firmware to manipulate data and operations. In the most concerning scenario, they deployed a truck-to-truck worm that uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. This worm can overwrite firmware and spread to other devices, potentially causing widespread disruptions in commercial fleets.
To demonstrate the real-world implications of these vulnerabilities, the researchers conducted a drive-by attack simulation using a Tesla Model Y and a 2014 truck. In just 14 seconds, they were able to connect to the truck's Wi-Fi, re-flash the ELD, and send malicious messages to slow down the vehicle.
The researchers have responsibly disclosed these flaws to ELD manufacturers and the US Cybersecurity and Infrastructure Security Agency (CISA). While the manufacturer is working on a firmware update, it is suspected that similar issues could be present in other devices as well.
These findings highlight the critical need for enhanced security measures in ELD systems to protect the US commercial fleet from potential disruptions and ensure the safety of operations.