Spanish security researcher Jose Carlos Norte revealed in a blog post this week that he’d used the scanning software Shodan to find thousands of publicly exposed “telematics gateway units” or TGUs, small radio-enabled devices attached to industrial vehicles’ networks to track their location, gas mileage and other data. He found that one TGU in particular, the C4Max sold by the French firm Mobile Devices, had no password protection, leaving the devices accessible to any hacker who scanned for them.
With a quick scan, Norte could find the location of as many as 3,000 of the units turned on in vehicles at a given time and trace their GPS coordinates. “You could track trucks and watch them and steal their contents,” Norte argues. “There are a lot of operations that bad guys could use this for. My fear is that it could be repeated using industrial vehicles with a vector that’s completely exposed on the Internet,” Norte says.
The C4Max uses Morpheus3 OS, an Open Telematics Operating System based on Linux developed by Mobile Devices. Morpheus3 allows developers to write Java code and control the device and the services directly via dedicated telematics APIs using the Morpheus3 SDK.
CEO Aaron Solomon contended that the problems Norte discovered arose because his devices were deployed incorrectly by the customer. Only devices in “development” mode rather than a more secure “deployment” mode would be accessible to the kind of scans that Norte performed. Solomon noted that C4Max customers generally don’t actually connect the units to the vehicle’s CAN bus, which would prevent hackers from accessing any critical driving systems.
Solomon further noted that his company has little control over how his products are deployed or managed by customers in the field.
The C4Max incident points out just how easily Linux products can be used as an attack vector to access and exploit customer systems and networks. By embedding a secure remote environment like iTivity into their products, Linux vendors have far greater visibility into who is accessing their products and far greater control over what actions they can take.