Thousands of Trucks, Buses, and Ambulances May Be Open to Hackers
Your car, in some sense, is only as secure as the least secure Internet-connected gadget you plug into it: Researchers proved as much last summer when they hacked a Corvette’s brakes via a cellular-enabled insurance dongle attached to the sportscar’s dashboard. Now another hacker has found that those digital accessories may have left another, bigger class of automobile vulnerable to the same sort of over-the-internet intrusion: industrial vehicles like buses, trucks, and ambulances.
In a blog post published earlier this week, Spanish security researcher Jose Carlos Norte revealed that he’d used the scanning software Shodan to find thousands of publicly exposed “telematics gateway units” or TGUs, small radio-enabled devices attached to industrial vehicles’ networks to track their location, gas mileage and other data. He found that one TGU in particular, the C4Max sold by the French firm Mobile Devices, had no password protection, leaving the devices accessible to any hacker who scanned for them.
That allowed Norte, the chief technology officer for the security firm EyeOS owned by the Spanish telecom Telefonica, to easily look up the location of any of hundreds or thousands of vehicles at any given moment. And Norte believes he could have gone further, though he didn’t for fear of violating the law; with a few more steps, he says, an intruder could send commands over the vehicle’s internal network—known as its CAN bus—to affect its steering, brakes or transmission.
“Anyone can connect and interact with the device…but what really scares me is that it’s connected to the CAN bus of the vehicle,” says Norte. “These are big vehicles with a lot of mass, and having an attacker manipulate the CAN bus to make one stop in the road would be super dangerous.”
To be clear, Norte didn’t actually go beyond his basic scans to test such CAN bus attacks, which would have required considerably more time, skill and legal flexibility. But his findings follow earlier work by researchers at the University of California at San Diego last summer who did develop a full CAN network attack via a different Mobile Devices’ vehicle accessory, albeit one aimed at smaller cars and trucks. The UCSD researchers were able to remotely alter that dongle’s firmware to send CAN commands to a Corvette that turned on its windshield wipers or disabled its brakes, showing the danger of those insecure, Internet-connected car gadgets.
Karl Koscher, one of the researchers who pulled off that hack, says that the same dangers likely apply to the C4Max units Norte spotted. “I’d suspect this box is architected in a very similar way,” says Koscher. “I don’t think it would be unreasonable to assume you could do that with this system, too.”
Mobile Devices, based in the city of Villejuif near Paris, markets its C4Max device for applications “ranging from standard fleet management to complex driver behavior monitoring,” including tracking location, gas usage, and tire pressure of vehicles like garbage trucks, shipping trucks and ambulances. When WIRED reached out to the firm, its CEO Aaron Solomon contended that only devices in “development” mode rather than a more secure “deployment” mode would be accessible to the kind of scans that Norte performed. He was aware of the research out of UCSD last summer, and said that since then Mobile Devices had warned customers not to leave their gadgets in that insecure mode. Solomon’s customers include fleet management and insurance firms. He notes also that for the C4Max units, many customers don’t actually connect them to the vehicle’s CAN bus, which would prevent hackers from accessing any critical driving systems.
“We are running [an] investigation these days and we will let you know if we discover that any devices are still in development mode although used in deployment and if these devices are connected or not to the vehicle buses,” Solomon wrote in an emailed statement. “In that case we will make sure that the [customer] gets all the support from us to switch these devices in deployment mode ASAP.”
Even without access to the target vehicles’ CAN buses, Norte’s findings represent an unusually detailed amount of location information about a vehicle’s fleet left in public view. With a quick scan, Norte could find the location of as many as 3,000 of the units turned on in vehicles at a given time and trace their GPS coordinates. “You could track trucks and watch them and steal their contents,” Norte argues. “There are a lot of operations that bad guys could use this for.” (We wrote about ways this kind of information could be exploited to steal from fleets of semi trucks last year.)
But Norte’s real concern, he says, is preventing the kind of full vehicle attack that UCSD demonstrated. “My fear is that it could be repeated using industrial vehicles with a vector that’s completely exposed on the Internet,” Norte says. “The only reason I decided to publish this is to force an update to fix this problem.”