Tuesday, March 8, 2016

Hack the 18 wheeler

You can put the hammer down, from the safety and comfort of your own living room:
Security researcher Jose Carlos Norte says trucks, buses, and vans using Telematics Gateway Unit are exposed on security-search engine Shodan allowing hackers to alter routes and probe speed and location. 
The Barcelona-based eyeOS chief technology officer says thousands of vehicles are exposed over Shodan and can be accessed without any authentication. 
We've seen Shodan here before.  It's bad juju when your device shows up there.
Attackers can download a manual to learn how to navigate the devices and access various functions. 
Teh [sic] devices are used to manage fleets, and send drivers new shipping routes from base. Geo-fencing can also be established to prevent trucks from wandering off course or being stolen. 
"It is possible to monitor and control trucks, public bus or delivery vans from the internet, obtaining their speed, position, and a lot other parameters," Norte says
"You can even control some parameters of the vehicle or hack into the CAN bus of the vehicle remotely.
Connecting the 'Net to the CAN bus (which controls the car/truck/bus telemetry and controls) is Double Plus Ungood security.  Stalin would have had them shot, but it looks like there's a rush to do this - remote immobilization is one "feature" that companies seem to be offering without having really thought about what happens when Joe Bloggs on the 'Net does this to a truck in rush hour.

While IANAL, this seems to fall into the category of "attractive nuisance".

No comments: