Open trucker comms lets Shodan snoops alter routes, tap CAN buses.

Security researcher Jose Carlos Norte says trucks, buses, and vans using Telematics Gateway Unit are exposed on security-search engine Shodan, allowing hackers to alter routes and probe speed and location. The Barcelona-based eyeOS chief technology officer says thousands of vehicles are exposed over Shodan and can be accessed …

  1. Ole Juul

    "New delivery address: my place"

    Too risky. Better to act as a middleman and sell the goods on-line, delivered of course.

    1. Destroy All Monsters Silver badge
      Trollface

      Re: "New delivery address: my place"

      Georgy McTrucker may be able to phone dispatch and ask whether it's normal that he's being asked to pull into a hangar saying "Daesh Import/Export" with weird bearded dudes in pajamas hanging around doing nothing in particular.

  2. DropBear
    Facepalm

    And the reaction of course will be (as always) "how did you dare looking?!?". Because keeping the flaw giant gaping hole secret will protect us indefinitely, surely...

  3. Voland's right hand Silver badge

    Realtime Embedditis

    Embedded software development at its usual best.

    One of the reasons the only IoT that is likely to enter my house and vehicles over the next decade is IoT I am going to write myself, outsource to offspring to write instead of me and/or get as open source packages whose source I can inspect.

    Car upgrades are postponed too for pretty much the same reason - the household ones are already "Razzie-ed", but with a proper firewall in place and talking back to base via a VPN. As they should.

    1. Stoneshop
      Go

      Re: Realtime Embedditis

      One of the reasons the only IoT that is likely to enter my house and vehicles over the next decade is IoT I am going to write myself,

      IoT will enter your house via a redirected truck driving up your garden path and through your front door.

  4. Doctor_Wibble
    Megaphone

    Owners warned?

    So did the owners of these boxes get warned, or is this it, and they are now all having to scramble to stop a massive everywhere-fckup because they didn't get any warning?

    Also script-kiddie feeders like Shodan should fck off.

    I get frequent probes from 'services' like them and bunches of cloud-based 'just checking you are not a relay no honest I am' twats who have no actual useful purpose - has anyone ever been contacted by any of these when they find a problem?

    1. Anonymous Coward

      Re: Owners warned?

      Well put, here's the list to well and truly tell them to fuck off

      Always remember to DROP and not REJECT.

      1. Alan Brown Silver badge

        Re: Owners warned?

        "Well put, here's the list to well and truly tell them to fuck off"

        Go ahead, block 'em. Pat yourself on the back and feel good - whilst the blackhats continue from their own set of (probably constantly changing) search IPs.

        You may as well push water uphill with a rake.

        Obscurity is NOT security.

        1. Anonymous Coward

          Re: Owners warned?

          Sad but very true, at least I can take myself off Shodan for starters used along with various other tools fail2ban etc...

        2. Doctor_Wibble
          Boffin

          Re: Owners warned?

          > Obscurity is NOT security.

          No but it is an effective delaying tactic and removing the 'chaff' reduces the danger to being those who deserve a closer eye without the stupid distractions.

          Every address (or range, after checking) that does a probe gets banned except for ones that look interesting and I want to watch.

          edit: And now I see a remark about using these pirates to 'probe my ports' as a self security scan? Seriously?

          1. Anonymous Coward

            Re: Owners warned?

            Doctor_Wibble

            "No but it is an effective delaying tactic and removing the 'chaff' reduces the danger to being those who deserve a closer eye without the stupid distractions."

            You really need to change careers with that attitude. Preferably something without any responsibility, burger flipping?

            1. Destroy All Monsters Silver badge

              Re: Owners warned?

              I don't see what the problem is. Dogma much?

              Of course it's a delaying tactic. Not one you can rely on, but security is not about certainty...

              1. Doctor_Wibble

                Re: Owners warned?

                > Of course it's a delaying tactic. Not one you can rely on, but security is not about certainty...

                That's it, really - any time a vulnerability is published you get a grace (as in 'there but for the... go I') period to get it fixed and any delay helps - though more to the point if someone is going to have a go at backtracing my IP to 'send spike' via piggybacking on multiple satellites and a sandwich toaster then I would like to think that I at least managed to avoid being caught out by those merely casually rattling the door handles as they wander past.

                Proper security is modelled on a spork of many prongs.

    2. Flywheel
      Thumb Down

      Re: Owners warned?

      Shodan can be very useful: I run a regular test on my IP address to make sure I'm not showing unexpected services.

      If someone decides to fit a box which clearly has holes the size of the Blackwall Tunnel without running a security audit on it first then that's their problem!

  5. Lysenko

    Embedded software development at its usual best.

    Internet Explorer. Flash. Windows 98. Telnet. Forged mail headers.

    "Desktop" software development has a few too many skeletons in its closet to get sanctimonious about the embedded space. That doesn't invalidate your point about IoT of course. Just let's remember that what we're asking the embedded world to do is learn from the colossal list of bone headed mistakes that the desktop world already made. I would rather have an insecure humidity sensor in my fridge than IE6 and Flash 10 on my PC.

    1. Anonymous Coward

      Sadly

      This looks to be rather modern software - note the references to Android in the list of commands in the picture. Somehow someone designed something in the last few years, and decided that access via telnet was fine despite SSH having been around for a couple decades now.

      I'm not sure how best to solve this. You want some reasonable security precautions like encrypted communications and a requirement to not use default/guessable passwords, but if you put a security professional on the development team you'll not only bear his cost but the cost of the design decisions he'll enforce to justify his existence (don't try to tell me the typical security pro wouldn't come up with a dozen theoretical attacks that raise hardware cost to defend against)

      Then there's the problem of what exactly Android is being used for here. If the version of Android is customized, as you'd guess it must be since this GPRS telematics device is only sort of like a phone, then good luck getting it patched against all the known Android holes. Using Android here is sort of the opposite of 'security through obscurity'...'insecurity through ubiquity' I guess.

      1. Nick Ryan Silver badge

        Re: Sadly

        You may want reasonable security, but every day I still see "professional developers" intentionally/blindly doing stupid. In the last week or so:

        Windows service application running using a user account that has domain administrator access. The service doesn't need this level of access, it was just used because the developer was too security blind to understand that they should have used a specific (service) account and to give it only the bare minimum permissions it needed to operate.

        A new, public facing Internet system with a hard coded super-administrator password. Because that's never been a daft idea (no sir), even with the "justification" being that it would "prevent the situation where the final administrator account was locked out". Notwithstanding the fact that we'd have been able to run database scripts fixing this should the rather unlikely happen.

  6. DaLo

    "He urges hackers to avoid probing active vehicles."

    Yeah, that'll do it.

  7. Rene Schickbauer

    eBay: Used bus, 1 owner, free delivery,...

    "We will deliver the Bus to an address of your choosing. Due to business reasons, our driver hasn't been informed yet that this is his last delivery and will be fired upon arrival.

    Upon payment, we will send the relevant document by email from human resources for you to hand over to the driver on delivery of the bus."
