Thinking of “IoT”?
Forget about the Internet of Things, this one’s a gaping hole in the Internet of Trucks.
That’s what security researcher Jose Carlos Norte found when he went looking for TGUs using Shodan.
To explain: a TGU is a Telematic Gateway Unit, where the word telematics refers to “measuring things from afar,” and Shodan is a search engine that goes looking for insecure devices that are connected to the internet, and indexes them so they can be quickly found in the future.
TGUs are a staple of the trucking and road transportation industry these days: if you’ve seen a truck with a warning sign to would-be hijackers that THIS VEHICLE IS FITTED WITH A TRACKING DEVICE, there’s probably a TGU in there somewhere.
Simply put, a TGU figures out where your vehicle is, typically using GPS or a similar geolocation system, and regularly calls home, typically using a mobile phone connection, so that someone else knows where you are, too.
In other words, if you’re a truck driver, your employers can keep track of you as you work, which is good for you if you get hijacked (they can call in the cavalry), and good for them if you go rogue and start doing jobs on the side (they have the evidence to sack you).
Tracked by anyone
What you don’t expect, whether you’re the driver or the fleet operator, is that a TGU might let just anyone track your vehicle.
But that’s what Norte found when he went looking for GPS-enabled tracking devices on Shodan.
Shodan keeps a record of what it finds when it goes looking for internet-facing services, such as the banner pages or login screens that come up on first connection, so Norte searched for text strings like “GPS” that had shown up on TCP port 23.
Port 23 is the standard listening address for a remote login service called Telnet, and GPS is a likely word to be found in the login banner of a tracking device such as a TGU.
Indeed, Norte got more than 700 hits on his first try.
The problem is that Telnet shouldn’t be running at all, whether on port 23 or anywhere else.
Telnet is a 1970s-era remote login protocol that has no encryption at all, not even of any usernames and passwords you type in during the session.
If you use Telnet across a network, you are as good as guaranteed to get hacked some time soon, because any crook in the vicinity can record every keystroke in every session.
Indeed, if you use Telnet at all, you are breaking just about every rule in the security handbook.
Worse still, Norte found that his unencrypted TGUs didn’t merely allow unencrypted login, they also allowed unauthenticated login, so that no username or password was required.
In short, he could make open and unchallenged connections to the TGUs he’d found, and issue any of a number of dangerous commands, including listing the device’s owner, its current speed, and its location.
In other words, anyone who felt like it could track you at any time.
Also, some of the devices Norte found open and online were apparently running a model of TGU that includes an optional interface to the vehicle’s immobiliser. (What happens if someone engages the immobiliser while you are driving along is not stated.)
What to do?
- Never use Telnet. In fact, don’t even install it, so it can’t be turned on by mistake.
- Never allow unauthenticated connections on a public interface. Security through obscurity, where you hope no one finds your insecure login portal, simply doesn’t work in the age of Shodan.
- Test your IoT devices before you purchase them. Tools like Nmap help you look for listening services so you can make sure there aren’t any rogue ones running.
- Never use Telnet. We thought we’d better say this again.
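As an added example (not from the original article or from Norte's research), here is a Python check for the pre-purchase test in the list above: it connects to a device you own and reports whether the port answers and whether the first thing it shows is a credential prompt. The function names, result labels and sample banners are assumptions constructed for illustration.

```python
import re
import socket

IAC, SB, SE = 255, 250, 240  # Telnet command escape, subnegotiation begin/end (RFC 854)
PROMPT = re.compile(r"(login|username|user|password)\s*:\s*$", re.I)

# Constructed sample captures (not taken from any real device).
SAMPLE_OPEN_SHELL = b"\xff\xfb\x01\xff\xfb\x03\r\nGPS unit ready\r\n> "
SAMPLE_LOGIN = b"\xff\xfd\x18\r\nlogin: "

def strip_telnet_negotiation(raw: bytes) -> bytes:
    """Drop Telnet IAC command sequences so only the displayed text remains."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 1 >= len(raw):
            break                                  # capture ends mid-command
        elif raw[i + 1] == IAC:
            out.append(IAC)                        # escaped literal 0xFF
            i += 2
        elif raw[i + 1] == SB:                     # skip ahead to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        elif 251 <= raw[i + 1] <= 254:             # WILL/WONT/DO/DONT + option
            i += 3
        else:
            i += 2                                 # other two-byte command
    return bytes(out)

def classify_banner(raw: bytes) -> str:
    """Label what a service shows on first connection."""
    text = strip_telnet_negotiation(raw).decode("latin-1").strip()
    if not text:
        return "no-banner"
    # A credential prompt is still a finding on Telnet: it travels unencrypted.
    return "asks-for-credentials" if PROMPT.search(text) else "no-login-prompt"

def audit_port(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect to a device you own and report what the port presents."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                raw = s.recv(1024)
            except OSError:                        # open, but silent or reset
                raw = b""
    except OSError:
        return "closed-or-filtered"
    return "open:" + classify_banner(raw)
```

Any result other than `closed-or-filtered` on port 23 is worth raising with the vendor before the device goes into a vehicle.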
Trucks on motorway courtesy of Shutterstock.
justiceISfake
There are a lot of PLCs and other logic controllers on SHODAN… these scare me. I alerted the owner(s) of a few I have found in the past few weeks in my local area. The companies usually have no idea what I am talking about or they get angry and hang up. Very frustrating.
Tom
My auto insurance company gives a discount, albeit a small one, if you use a tracking device. It’s surprisingly accurate but of course does not explain a rapid deceleration event when another driver cuts you off, instead it only indicates that you braked hard. Since I only use my car to go to work, home and food shopping (and am one of the few people in my area , I don’t feel I have much to hide, and Google already knows a lot more about me by tracking my phone. Given the choice again I probably would not opt to use the device. I will however try nmap to see if I can connect to the device. Thanks.
Paul Ducklin
It’s not one of these, is it :-)
http://nakedsecurity.sophos.com/2015/01/20/cheaper-car-insurance-dongle-could-lead-to-a-privacy-wreck/
Tom
It sounds suspiciously similar. The device is from Octo (telematics) USA. I wish it would beep at “infractions,” at least then I would receive immediate feedback, as it is now I have to go to the site to see what I did wrong and then try to recall the situation.
Paul Ducklin
Get a bicycle. No number plates, and you get fit :-)
Bryan
a warning sign to would-be hijackers
I suppose I shouldn’t be surprised to learn that truck hijackings are common enough to warrant signs intended to deter the act. I clearly don’t think enough like a criminal.
When the zombie apocalypse arrives I’ll be eaten alive within hours.
Wilderness
Quick security question; should I use Telnet? :-)
David Pottage
Nothing wrong with using a telnet _CLIENT_. It is a useful low level test and debug tool for all sorts of things. Only a few weeks ago, I was testing an email server by using telnet to connect to it on port 25.
On the other hand, if you install a telnet _SERVER_, and connect it to any sort of shell, or any other interface to anything remotely trusted, then you need to be banned from administering any sort of computer for a long time.
If you need a low level, non authenticated connection to a shell, then use a serial port, as that way you can easily see and limit access to the immediate vicinity of the device you are debugging.
Paul Ducklin
I recommend that you avoid using Telnet clients as network test tools. They’re simply not general purpose enough. (In particular, the telnet protocol treats some characters on the wire specially, which can interfere unobtrusively but catastrophically with your results.)
At least, if Telnet isn’t already there so that you have to install some sort of add-on tool anyway, I recommend using “ncat,” which is part of the Nmap toolkit I mentioned in the article. Ncat lets you connect over TCP and UDP; supports TLS/SSL; can do IPv4 and IPv6; and can even connect via proxies. It’s available as a single-file, statically-linked binary for Windows to carry around with you. Try it. You will be pleasantly surprised…and still no need for Telnet, server *or* client :-)
Jim
I use telnet for one reason: to find out if some idiot company left a back door (a telnet server) open on their firewall devices. But, there are probably better ways nowadays to check for such things.
Pam Lassila
I like the idea of having more trucking security. You never know what could happen when you’re trucking. It’s also nice if you’re the owner of a fleet to be able to know where your vehicles and drivers are at all times.