Newly Discovered IoT Vulnerabilities in ELDs Raise Risk for Fleet-Wide Attacks

Haim Glikman
HAIM GLIKMAN

Senior Threat Intelligence Analyst | AutoThreat® PRO

April 14, 2024

In late March 2024, The Register published a unique coverage, describing multiple new vulnerabilities and elaborating on the cyber risks in ELDs (electronic logging devices) and the potential impact on vehicle safety and availability. 

The article discusses serious security vulnerabilities in ELDs used in US commercial trucks, found by researchers from Colorado State University. These vulnerabilities could allow attackers to access ELDs via Bluetooth or Wi-Fi. In addition to obvious data integrity and privacy concerns, the articles described how attackers could leverage the newly discovered vulnerability to also gain control of trucks, manipulate data, and even spread malware between vehicles.

The implications are broad and severe, affecting over 14 million trucks, and widespread disruption in fleet availability, operations, and safety

The usage of ELDs in truck fleets is mandatory in the United States, Europe, and other countries around the world, emphasizing a global effort to ensure the safety and regulatory compliance of commercial trucking operations. This worldwide mandate underscores the importance of ELDs in standardizing the logging of drivers’ hours of service, aiming to improve road safety and reduce fatigue-related accidents.

Given the critical role of ELDs in the mobility ecosystem, the presence of multiple vendors in the market necessitates rigorous cyber monitoring to ensure that these IoT devices meet the required safety and cybersecurity standards.

Prominent examples of the matter can be seen in CISA’s (US Cybersecurity and Infrastructure Security Agency) advisory on three vulnerabilities found in IOSIX IO-1020 Micro ELD (version <360): CVE-2024-30219, CVE-2024-31069 & CVE-2024-28878.

CVE-2024-30210 & CVE-2024-31069

CVE-2024-30210 is a high-severity vulnerability caused due to the IOSIX IO-1020 Micro ELD using a default Wi-Fi password, thus making the device easily accessible to hackers via Wi-Fi networks.

CVE-2024-31069 attributes a similar risk. While in physical proximity to the vehicle, an attacker can access the device’s web server in the same manner due to a default password used by the service for authentication.

Requiring physical proximity, an adjacent attacker can exploit the vulnerabilities by logging into the product using default or common password combinations. Once the attacker gains access to the credentials, it will enable full control over the device. 

Both vulnerabilities share the same CVSS score and vector.

CVSS 3.1: 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVE-2024-28878

CVE-2024-28878 is a critical severity vulnerability caused due to the IOSIX IO-1020 Micro ELD downloading source codes and executables without verifying their origin and integrity.

An adjacent attacker can exploit the vulnerability by leading the product to download executable files or source codes without performing necessary checks on the content’s origin or integrity (CWE-494: Download of Code Without Integrity Check).

Due to the gaps in proper integrity checks, an attacker can manipulate the device to download an unverified executable or source code from a physically proximate location. Once installed onto the device, untrusted files have no restrictions whatsoever. As a result, the device is essentially exposed to the cardinal risk of an attacker executing malicious code onto the device, with all doors open for performing a full takeover of the device.

CVSS 3.1: 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Identifying the Blind Spots of Mobility IoT Devices

The proliferation of IoT devices in the mobility ecosystem introduces new attack surfaces and methods and dramatically expands the risk across the entire ecosystem. IoT-based units are no longer stand-alone devices like their offline counterparts, but all exist in one connected network.

Let’s break it simple using an example of standard home appliances: imagine a house with a 10-year-old TV in the living room. Using RF, an attacker could interfere with TV broadcasting – turn it off, prevent operations for some of its features via the remote control, etc. However, even a well-executed attack would inflict risk or damage beyond the specific TV.

With IoT devices, the equation is broader and more dangerous. Let’s upgrade the TV to one of the latest smart TV models out in the market nowadays. The attacker is no longer limited to performing only RF attacks but to a wide array of attacks against the device. Moreover, the scope of the attack is no longer limited to a single device,  and can severely impact additional IoT devices connected within the house’s network, even gain full control or obtain sensitive data.

Now back to the mobility ecosystem, similar events have occurred recently, emphasizing the new attack vectors introduced by IoT devices.

Addressing these risks requires holistic ecosystem-wide cybersecurity measures, including regular software updates, strong network protections, and awareness of the potential for interconnected device vulnerabilities.

Newsletter Icon

The 2024 Global Automotive Cybersecurity Report

Newsletter Icon

Subscribe
to our newsletter

Stay up-to-date on the latest trends, emerging risks, and updates

As Cyber Risks Escalate, ISO/WD 24882 Sets New Standards for Safety and Availability in Agricultural OEMs

The digital transformation sweeping through the Automotive and Mobility ecosystem has also made its mark on the Agriculture sector. As a result, OEMs, suppliers, and…

Read more

SIM-Enabled IoT Devices as Critical Infrastructure: The Data Imperative

In our ongoing series exploring why SIM-enabled IoT devices in the automotive and smart mobility ecosystem should be classified as critical infrastructure, we’ve examined two…

Read more

Ensuring Continuous Operations: The Critical Role of SIM-Enabled IoT in Mobility

In our ongoing series, exploring the critical nature of SIM-enabled IoT devices, we’ve previously discussed the safety implications of these devices. Our H1’2024 report identifies…

Read more

SIM-Enabled IoT Devices as Critical Infrastructure: The Safety Imperative

Upstream’s latest H1’2024 report asserts that SIM-enabled IoT devices in the automotive and smart mobility ecosystem should be classified as critical infrastructure. This classification is…

Read more
Skip to content