Among the things one can find with Shodan, the search engine for the Internet of Things, are trucks, buses and delivery vans that have been equipped with the Telematics Gateway Unit (TGU) device and a modem to connect to the Internet.
Hacking industrial vehicles
What’s more, security researcher Jose Carlos Norte says that this setup can be misused by malicious individuals to monitor and control these vehicles: discover their position, their speed, and so on, as well as to change some of those parameters, e.g. change the vehicle’s route, or put up a geo-fence for it (he says he does not now what such a change would cause).
“There are thousands of TGUs connected to the internet, with no authentication at all and with administrative interfaces through a web panel or a telnet session,” he says, and claims anyone with a modicum of knowledge can hack into the CAN bus of the vehicles remotely via the TGU.
Part of that knowledge is not hard to find, he points out, as the schematics and capabilities for these TGU units are available online. Shodan can also be used by anyone.
“You can see this device is connected to the bus of the vehicle, to the ignition, to the battery… and the theoretical things that could cause are very scary,” he noted, and added that he wasn’t able to discover all the things that can be done because he didn’t have a unit available and he wasn’t going to do testing in the wild because it would be irresponsible – and advised others not to try that.
“The c4max smartbox is a TGU with powerful capabilities, a simple console on port 23, and is easy to identify while scaning the Internet,” he noted. His scan yielded 733 open devices, but he says that number can vary.