Thinking of “IoT”?
Forget about the Internet of Things, this one’s a gaping hole in the Internet of Trucks.
That’s what security researcher Jose Carlos Norte found when he went looking for TGUs using Shodan.
To explain: a TGU is a Telematic Gateway Unit, where the word telematics refers to “measuring things from afar,” and Shodan is a search engine that continually connects to internet-facing devices, records what they say on first contact, and indexes the results so that devices of a particular kind, insecure ones included, can be found with a quick search later.
TGUs are a staple of the trucking and road transportation industry these days: if you’ve seen a truck with a warning sign to would-be hijackers that THIS VEHICLE IS FITTED WITH A TRACKING DEVICE, there’s probably a TGU in there somewhere.
Simply put, a TGU figures out where your vehicle is, typically using GPS or a similar geolocation system, and regularly calls home, typically using a mobile phone connection, so that someone else knows where you are, too.
In other words, if you’re a truck driver, your employers can keep track of you as you work, which is good for you if you get hijacked (they can call in the cavalry), and good for them if you go rogue and start doing jobs on the side (they have the evidence to sack you).
Tracked by anyone
What you don’t expect, whether you’re the driver or the fleet operator, is that a TGU might let just anyone track your vehicle.
But that’s what Norte found when he went looking for GPS-enabled tracking devices on Shodan.
Shodan keeps a record of what it finds when it connects to internet-facing services, such as the banner text or login screen that comes up on first connection, so Norte searched for text strings such as “GPS” that had shown up on TCP port 23.
Port 23 is the standard listening port for a remote login service called Telnet, and GPS is a likely word to find in the login banner of a tracking device such as a TGU.
Indeed, Norte got more than 700 hits on his first try.
The problem is that Telnet shouldn’t be running at all, whether on port 23 or anywhere else.
Telnet is a 1970s-era remote login protocol that has no encryption at all, not even of any usernames and passwords you type in during the session.
If you use Telnet across a network, you are as good as guaranteed to get hacked sooner or later, because anyone who can see the traffic along the way (on the same Wi-Fi network, at the ISP, or anywhere in between) can record every keystroke in every session, passwords included.
Indeed, if you use Telnet at all, you are breaking just about every rule in the security handbook.
Worse still, Norte found that the TGUs he’d turned up didn’t merely allow unencrypted login; they also allowed unauthenticated login, so that no username or password was required at all.
In short, he could make open and unchallenged connections to the TGUs he’d found and issue any of a number of sensitive commands, including ones that listed the device’s owner, its current speed and its location.
In other words, anyone who felt like it could track you at any time.
Also, some of the devices Norte found open and online were apparently running a model of TGU that includes an optional interface to the vehicle’s immobiliser. (What happens if someone engages the immobiliser while you are driving along is not stated.)
What to do?
- Never use Telnet. In fact, don’t even install it, so it can’t be turned on by mistake.
- Never allow unauthenticated connections on a public interface. Security through obscurity, where you hope no one finds your insecure login portal, simply doesn’t work in the age of Shodan.
- Test your IoT devices before you purchase them. Tools like Nmap help you look for listening services so you can make sure there aren’t any rogue ones running.
- Never use Telnet. We thought we’d better say this again.
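As an added example (not Norte’s own method, nor anything from the original article), here is a Python audit script a fleet operator could run against their own devices. It ties together the two problems the article describes above, unencrypted login versus unauthenticated login, and the Nmap advice in the list: it pulls every open Telnet listener out of an Nmap XML report, then classifies what a listener sends on first connection as “asks for credentials” or “drops straight to a command prompt.” The Nmap report and the banners are constructed for the demo, not captured from real devices; the 192.0.2.x addresses are reserved documentation addresses; the prompt regexes are heuristics, not a vendor spec.

```python
"""Added example: audit your own devices for the exposure described above.
telnet_listeners() finds open Telnet ports in an Nmap XML report
(`nmap -sV -oX report.xml ...`); classify_banner() decides whether a
listener asks for credentials or drops straight to a prompt.
Only point probe() at devices you own or are authorised to test."""
import re
import socket
import xml.etree.ElementTree as ET

# Constructed stand-in for an `nmap -oX` report (not a real scan);
# 192.0.2.0/24 is reserved for documentation (RFC 5737).
SAMPLE_NMAP_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
 </ports></host>
 <host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="2323"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
 </ports></host>
</nmaprun>"""


def telnet_listeners(nmap_xml):
    """Return [(address, port), ...] for every OPEN port that is TCP/23 or
    that Nmap fingerprinted as telnet, whatever its port number."""
    hits = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        address = host.find("address")
        if address is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            number = int(port.get("portid"))
            if name == "telnet" or number == 23:
                hits.append((address.get("addr"), number))
    return hits


IAC, SB, SE = 255, 250, 240  # Telnet command bytes (RFC 854)


def strip_telnet_iac(data):
    """Drop Telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>,
    IAC SB ... IAC SE) so only the text the device printed remains."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= n:                  # truncated command at end of buffer
            break
        elif data[i + 1] == IAC:          # IAC IAC is an escaped literal 0xFF
            out.append(IAC); i += 2
        elif data[i + 1] == SB:           # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:   # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:                             # NOP, GA, etc. are two bytes
            i += 2
    return bytes(out)


# Heuristics: a credential prompt ends the reply with "login:", "Username:",
# "Password:" and the like; a bare shell prompt ends it with $, # or >.
CREDENTIAL_PROMPT = re.compile(rb"(login|user ?name|password)[^\r\n]*[:>]\s*$", re.I)
SHELL_PROMPT = re.compile(rb"(^|\r?\n)[^\r\n]*[$#>]\s*$")


def classify_banner(raw):
    """'authenticated' if the device asked for credentials, 'unauthenticated'
    if it went straight to a command prompt, otherwise 'unknown'."""
    text = strip_telnet_iac(raw)
    if CREDENTIAL_PROMPT.search(text):
        return "authenticated"
    if SHELL_PROMPT.search(text):
        return "unauthenticated"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, collect what the device volunteers before any input is sent,
    and classify it; stops reading as soon as a prompt is recognised."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while classify_banner(buf) == "unknown":
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return classify_banner(buf)


if __name__ == "__main__":
    for addr, port in telnet_listeners(SAMPLE_NMAP_XML):
        print(f"{addr}:{port} is a Telnet listener; Telnet should not be running at all")
    # Constructed banners standing in for what probe() would collect.
    print(classify_banner(b"\xff\xfd\x18TGU GPS tracker\r\nlogin: "))       # authenticated
    print(classify_banner(b"\xff\xfb\x01\xff\xfb\x03GPS unit ready\r\n> "))  # unauthenticated
```

In practice you would run `nmap -sV -oX report.xml` over your own management subnet, feed the file to `telnet_listeners()`, and call `probe()` on each hit. Any listener at all is a finding (Telnet has no place on the device), and an `unauthenticated` result is the Shodan-visible exposure the article describes: whoever connects next gets the owner, speed and location prompts for free.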