Research reveals more security risks with telematics

Quimby Mug Bayou Florida Headshot
Updated Mar 13, 2016
A Spanish researcher was able to hack thousands of telematics units. The C4Max by Mobile Devices, shown above, was among the most vulnerable.

A Spanish security researcher announced this week that he discovered thousands of telematics units vulnerable to hacking.

Wired.com reported Thursday that researcher Jose Carlos Norte revealed in a blog post this week that he used scanning software to access thousands of telematics gateway units, or TGUs, which exposed the location, gas mileage and other information of fleet vehicles, such as trucks, buses and ambulances.

Norte said that the C4Max, a TGU marketed by French company Mobile Devices and available in the U.S., was especially susceptible to hacking since the devices had no password protection.

“There are tons of open TGU and similar vehicle appliances on the internet. One very interesting and easy to find is the C4Max,” Norte, chief technology officer for the security firm EyeOS, writes in his blog.

“The C4Max smartbox is a TGU with powerful capabilities, a simple console on port 23, and is easy to identify while scanning the internet.”

Concerns over violating the law kept Norte from further probing the TGUs, which he believes would have let him take over a vehicle’s CAN bus and manipulate its transmission, brakes and steering.

Mobile Devices CEO Aaron Solomon tells Wired that security risks do exist for TGUs left in development mode. When placed in deployment mode, however, the devices are more secure.

Mobile Devices has warned customers not to leave their TGUs in an insecure mode. C4Max units are often not connected to a vehicle’s CAN bus, which prevents hackers from taking over vital components, Solomon explains.

“We are running [an] investigation these days and we will let you know if we discover that any devices are still in development mode although used in deployment and if these devices are connected or not to the vehicle buses,” Solomon writes in an emailed statement to Wired.

“In that case we will make sure that the [customer] gets all the support from us to switch these devices in deployment mode ASAP.”

Nonetheless, Norte warns that having access to vehicle location and other data still poses a significant risk.

“You could track trucks and watch them and steal their contents,” Norte explains. “There are a lot of operations that bad guys could use this for.”