{"id":2156,"date":"2023-12-06T20:48:11","date_gmt":"2023-12-06T20:48:11","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78429"},"modified":"2023-12-06T20:48:11","modified_gmt":"2023-12-06T20:48:11","slug":"dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/12\/06\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor\/","title":{"rendered":"Dangerous vulnerability in fleet management software seemingly ignored by vendor"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Dangerous vulnerability in fleet management software seemingly ignored by vendor | CyberScoop<\/title> <meta name=\"description\" content=\"Researchers say Digital Communications Technologies has not addressed a bug impacting its Syrus4 IoT gateway, leaving open the possibility for vehicle fleets to be shut down.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/fleet-management-vulnerability-digitial-communications-technologies\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Dangerous vulnerability in fleet management software seemingly ignored by vendor\"> <meta property=\"og:description\" content=\"Researchers say Digital Communications Technologies has not addressed a bug impacting its Syrus4 IoT gateway, leaving open the possibility for vehicle fleets to be shut down.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/fleet-management-vulnerability-digitial-communications-technologies\/\"> <meta 
class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.38\">\n<div class=\"single-article__header-content\" readability=\"31.289036544851\">\n<p> Researchers say Digital Communications Technologies has not addressed a bug impacting its Syrus4 IoT gateway, leaving open the possibility for vehicle fleets to be shut down. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=1013,675 1013w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/dangerous-vulnerability-in-fleet-management-software-seemingly-ignored-by-vendor-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Aerial view southwest of new car and van import park storage by C RO ltd in Purfleet RM19 Essex UK <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"57.811333333333\"><body readability=\"116.88444444444\"><\/p>\n<p>A major vulnerability that could allow hackers to manipulate a fleet of vehicles at once \u2014 including the possibility of shutting down the vehicles \u2014 has gone ignored by the vendor for months, according to the researchers who discovered it.<\/p>\n<p>As the auto sector has evolved beyond a simple mode of transportation into \u201c<a href=\"https:\/\/foundation.mozilla.org\/en\/privacynotincluded\/articles\/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy\/\">computers on wheels<\/a>,\u201d vulnerabilities in the software that controls multi-ton steel giants have become an increasingly urgent topic for security researchers.<\/p>\n<p>But while much vulnerability research focuses on hacking into a single car, often through its infotainment system, this vulnerability \u2014 discovered by Yashin Mehaboobe, a security consultant at Xebia \u2014 affects the back-end software used by companies that manage fleets of vehicles. 
That means the blast radius is far larger: an attacker who compromises the back-end infrastructure can affect potentially thousands of vehicles at once, rather than a single car.<\/p>\n<p>\u201cIn some of the worst cases, you can literally see people driving or you can even stop the car if you want, and you can do this on the fleet scale,\u201d Mehaboobe said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The bug that impacts the Syrus4 IoT gateway, made by Digital Communications Technologies (DCT), is one such case.<\/p>\n<p>The vulnerability \u2014 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-6248\">CVE-2023-6248<\/a> \u2014 gives an attacker access to the software and the commands used to manage up to thousands of vehicles. Using just an IP address and a short Python script, someone can reach a Linux server through the gateway and access a suite of tools covering live vehicle locations, detailed engine diagnostics, speakers and airbags, and can execute arbitrary code on vulnerable devices.<\/p>\n<p>Most alarming, however, is the software\u2019s ability to <a href=\"https:\/\/syrus.digitalcomtech.com\/docs\/system-tools#safe-immobilization\">turn off a vehicle<\/a>.<\/p>\n<p>While Mehaboobe was able to confirm that remote code execution is possible after finding a server running the software via the search engine Shodan, he kept testing to a minimum because the vehicles were live in transit, raising serious safety concerns. The server they discovered was tracking more than 4,000 vehicles in real time across the United States and Latin America.<\/p>\n<p>\u201cYou can inject the [controller area network] packets, which means you can even control the vehicle. You can literally stop the vehicle in the highway if you want,\u201d said Ramiro Pareja Veredas, a principal security consultant at IOActive who works with Mehaboobe on finding fleet vehicle software vulnerabilities. 
\u201cWe think that this is possible, but we haven\u2019t tested because the consequences are terrible. Everything we do is non-invasive.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>But perhaps even more alarming than the ability to shut down thousands of vehicles with a simple script is the complete lack of response from the company that makes and sells the software to organizations around the world.<\/p>\n<p>Mehaboobe and Pareja Veredas initially reported the vulnerability in April, but repeated efforts by the researchers and several vulnerability coordination organizations failed to get a substantive response from the company.<\/p>\n<p>On April 25, an inquiry for a security contact drew a reply directing them to open a support ticket. After providing full details and asking multiple times for updates, they finally got an answer: the ticket was closed with the words \u201cit is not an issue.\u201d<\/p>\n<p>Mehaboobe and Pareja Veredas worked with the CERT Coordination Center (CERT\/CC), a federally funded vulnerability disclosure coordination organization that is part of the Software Engineering Institute. CERT\/CC was also unable to connect with the vendor, the researchers said.<\/p>\n<p>The researchers decided not to name the vendor at a <a href=\"https:\/\/hardwear.io\/netherlands-2023\/speakers\/yashin-and-ramiro.php\">conference last month<\/a>, even though they had waited more than half a year for a response, tried multiple forms of contact, and gone through two CVE Numbering Authorities (CNAs), which also could not reach the vendor.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This particular vulnerability is unusual in that it did not require the researchers to interact with the device or know much about it at all. 
The initial discovery stemmed from a basic one-word search on Shodan, a search engine that indexes internet-exposed devices.<\/p>\n<p>The lack of response led the researchers to hold off on publicizing their work, given the potentially dangerous actions a malicious actor could take and how easily the vulnerable servers can be found.<\/p>\n<p>It wasn\u2019t until just before Thanksgiving that CERT\/CC gave the green light to publish the details. The Automotive Security Research Group assigned the CVE identifier, but the researchers have yet to hear anything back from the company.<\/p>\n<p>How widespread the use of Syrus4 is remains unclear, but DCT says it has more than 119,000 devices tracked in more than 49 countries. There are no known reports of this vulnerability being exploited in the wild.<\/p>\n<p>DCT did not respond to multiple requests for comment made via a variety of methods. A support ticket that CyberScoop opened with DCT was closed, with an emailed response noting that the company \u201cescalated the matter internally and if we have any further feedback we\u2019ll notify you.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This is not the first time Mehaboobe and Pareja Veredas <a href=\"https:\/\/www.youtube.com\/watch?v=kT84Ps_hQHI\">ran into these issues<\/a>. 
In fact, they\u2019ve said that some of their research into vulnerabilities is still in the disclosure process, years after the work is done.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div 
class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/fleet-management-vulnerability-digitial-communications-technologies\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dangerous vulnerability in fleet management software seemingly ignored by vendor<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1282,288,1283,643,703],"tags":[1284,294,1285,645,705],"class_list":["post-2156","post","type-post","status-publish","format-standard","hentry","category-automotive","category-threats","category-vehicles","category-vulnerabilities","category-vulnerability-disclosure","tag-automotive","tag-threats","tag-vehicles","tag-vulnerabilities","tag-vulnerability-disclosure"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/automotive\/\" rel=\"category tag\">automotive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vehicles\/\" rel=\"category tag\">vehicles<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category 
tag\">vulnerability disclosure<\/a>","tag_info":"vulnerability disclosure","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2156"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2156\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}