Dangerous vulnerability in fleet management software seemingly ignored by vendor

A major vulnerability that could allow hackers to manipulate a fleet of vehicles at once — including the possibility of shutting down the vehicles — has gone ignored by the vendor for months, according to researchers that discovered the vulnerability.

As the auto sector has evolved beyond a simple mode of transportation into “computers on wheels,” vulnerabilities in the software that controls multi-ton steel giants have become an increasingly urgent topic for security researchers.

But while a lot of bugs focus on hacking into a single car, often through infotainment systems, this vulnerability — discovered by Yashin Mehaboobe, a security consultant at Xebia — impacts the software used by companies that manage fleets of vehicles. That means the risk increases exponentially, as hackers can target backend infrastructure to impact potentially thousands of vehicles at the same time.

“In some of the worst cases, you can literally see people driving or you can even stop the car if you want, and you can do this on the fleet scale,” Mehaboobe said.

The bug that impacts the Syrus4 IoT gateway, made by Digital Communications Technologies (DCT), is one such case.

The vulnerability — CVE-2023-6248 — gives a hacker access to the software and the commands used to manage up to thousands of vehicles. Using just an IP address and a bit of python, someone can access a Linux server through the gateway and access a suite of tools, including live locations, detailed engine diagnostics, speakers, airbags and execute arbitrary code on vulnerable devices.

Most alarmingly, however, is the software’s ability to turn off a vehicle.

While Mehaboobe was able to confirm that remote code execution is possible after finding a server running the software on the search engine Shodan, he kept testing to a minimum, as the vehicles were live in transit, raising serious safety concerns. The vehicles on the server they discovered showed more than 4000 real-time vehicles spread across the United States and Latin America.

“You can inject the [controller area network] packets, which means you can even control the vehicle. You can literally stop the vehicle in the highway if you want,” said Ramiro Pareja Veredas, a principal security consultant IOactive who works with Mehaboobe on finding fleet vehicle software vulnerabilities. “We think that this is possible, but we haven’t tested because the consequences are terrible. Everything we do is non-invasive.”

But perhaps even more alarming than the ability to shut down thousands of vehicles with a simple script is the complete lack of response from the company that makes and sells the software to organizations around the world.

Mehaboobe and Pareja Veredas initially reported the vulnerability in April, but repeated efforts by the researchers and several vulnerability coordination organizations failed to contact the company.

On April 25, they got a response from an inquiry for a security contact that directed them to open a support ticket. After providing full details and asking multiple times for updates, they finally got a response: The ticket was discarded with the words “it is not an issue.”

Mehaboobe and Pareja Veredas worked with the CERT Coordination Center, a federally funded vulnerability disclosure coordination organization that is a part of the Software Engineering Institute. CERT/CC was also unable to connect with the vendor, the researchers said.

The researchers decided not to name the vendor at a conference last month, even though they waited more than half a year for a response, tried multiple forms of contact, and went through two CVE Numbering Authorities (CNA), which also could not contact the vendor.

This particular vulnerability is unique in that it did not require the researchers to actually interact with the device or know much about it at all. The initial discovery stemmed from a basic one-word search on Shodan, a website that scans the internet for online devices.

The lack of response led to the researchers holding off on announcing their work, due to the potentially dangerous actions a malicious actor can take and the ease of discovering the vulnerabilities.

It wasn’t until just before Thanksgiving that CERT/CC gave the green light to publish the details. The Automotive Security Research Group approved the CVE, but the researchers have yet to hear anything back from the company.

How widespread the use of Syrus4 is remains unclear, but DCT boasts more than 119,000 devices tracked in more than 49 different countries. There are no known exploits of this vulnerability.

DCT did not respond to multiple requests for comment made via a variety of methods. A support ticket that CyberScoop opened with DCT was closed, with an emailed response noting that the company “escalated the matter internally and if we have any further feedback we’ll notify you.”

This is not the first time Mehaboobe and Pareja Veredas ran into these issues. In fact, they’ve said that some of their research into vulnerabilities is still in the disclosure process, years after the work is done.