Insecure configurations expose car telematics to hacking. Industrial vehicles like trailer trucks, delivery vans, or buses that have an Internet connection, can be tracked, and even hacked, if they use insecure and improperly-configured TGUs (Telematics Gateway Units), security researcher Jose Carlos Norte claims.
TGU devices, or telematics, are basically a portable 3G, 4G, GPRS, LTE, Edge, HDSPA Internet modem. Most companies use TGUs in their vehicles as a way to track the movement of their trucks, and to keep in touch with the drivers, optionally sending them new routes, orders, and other valuable information they might need to ship their cargo.
According to Mr. Norte, there are thousands of such devices in use, probably more, connected to the Internet in a vulnerable and insecure manner.
Some telematics come with insecure administration panels
One of such devices is C4 Max, a telematic manufactured by New Eagle, which can be connected to any vehicle and allow the company’s staff to access the TGU via a public IP address, on port 23 (via Telnet) or via a special-crafted Web administration panel.
Mr. Norte says that he was able to find hundreds of such devices via Shodan, a search engine for Internet-connected devices, many featuring no authentication for both Telnet sessions and the device’s Web administration panel.
What this means is that an attacker could very easily scan the Web via Shodan, identify C4 Max devices, access them and get information on trucks and vehicles currently on duty.
TGUs expose information about trucks and routes
A hacker would be able to retrieve the vehicle’s GPS coordinates, the alarm’s state if the key is in the ignition, the vehicle’s speed, the battery’s voltage, modem network information, and many other more details.
The attacker can also query and see what modules the TGU supports, and also set up geo-fencing for the targeted vehicles. Geo-fencing is a feature used to limit the areas where a car can travel. If that limit is crossed, the TGU can stop the vehicle, trigger the vehicle’s alarm, automatically alert police, or the driver’s parent company. (These scenarios depend on the TGU make and model, and are not specific to C4 Max necessarily, but are a theoretical attack vector.)
Another way that a hacker could sabotage Internet-connected industrial vehicles is to alter their routes. This would result in missed or delayed deliveries, which could cause financial damage to a company, just what a competitor would want.
Even worse, because TGUs are connected directly to the vehicle’s CAN bus, the device can also be used as an entry point for delivering attacks on the car’s inner software, attacks which could result in permanent loss of functionality.