A security researcher discovered that many trucks and buses fitted with a Telematics Gateway Unit (TGU), a popular vehicle monitoring device, are exposed to the internet with their administrative interfaces discoverable through Shodan, allowing remote attackers to change routes and monitor the speed and location of the vehicles.
“There are thousands of TGU connected to the internet, with no authentication at all and with administrative interfaces through a web panel or a telnet session,” wrote Jose Carlos Norte, CTO of eyeOS, an open source software platform, in a blog post.
In an email to SCMagazine.com, Norte said TGU is looking into the vulnerability. “They have the theory that a third party distributor has misconfigured their devices in their customers. They don't control the supply chain to the client.”
TGU did not respond to requests for comment.
Norte published the results of his Shodan search, where he found 733 open, connected devices. “You can see this device is connected to the bus of the vehicle, to the ignition, to the battery… and the theoretical things that this could cause are very scary,” he wrote.
The automotive sector has faced recurring security challenges as the sector attempts to integrate remote capabilities, called the Internet of Cars, into new vehicles. Last month, Nissan took a page from the U.S. Navy, in taking vehicles offline after researchers discovered a vulnerability that allowed attackers to remotely manipulate vehicles' climate control and obtain drivers' ID and driving history.
Security researchers have long argued that the automotive sector would benefit by increasing collaboration with researchers.
“When we're dealing with cars, we are dealing with life and death,” said SAC CEO Winn Schwartau, in speaking with SCMagazine.com. “Automakers should just go to DefCon, offer a generous bug bounty, and give out all the code. The bad guys are going to steal it anyway.”
This approach is “borderline free when compared to the downstream legal liability,” said Schwartau.