Hacking industrial vehicles from the internet (jcarlosnorte.com)
152 points by akavel on March 6, 2016 | 46 comments



At least their product page doesn't have some marketing wank about their security. In fact it has no mention of security whatsoever, which is apt because it doesn't seem to have any!


There's nothing "new" at http://www.mobile-devices.com/news-and-prs/, either.


Is it really even considered hacking if there is no security at all?


The knee-jerk, canned response from most parties erring on the side of Law & Order claims:

  Even if the door is wide left open, crossing the threshold 
  is still trespassing, if you don't belong on the property.

This is why burglars are typically charged with breaking AND entering.

Unlawful entry is still a crime one can commit, without breaking open, or otherwise circumventing pro-active security measures.

When it comes to the idea of "hacking" we often find our words fail to describe activities with precision.

The nuanced distinction some tend to draw between "hacking" and "cracking" is mostly relegated to specialized jargon, community slang, and pedantry. Laymen often do not distinguish between the two.


I can't find any reference to "unlawful entry" in the law books. There is a Kurt Russell film by that name though.

Trespassing is an actual crime, but it does not fit your description, at least in California. Here, you must have an intent to interfere with the owner's property for it to be considered trespassing. If I enter your open door because I want to invite you to a party, or use your restroom, or hang out with your cats and play video games until you come home I have not committed any crime. Well maybe you could get me for stealing water and electricity, but the entry is not a crime.

"Breaking and entering" is also not a crime in California. However, if you actually steal something that is burglary, which is a crime, and does not require forced entry.


Or if you heard a baby crying inside and the door is unlocked.


I'd say hacking is a lot about discovery, manipulation, and exploitation, but not necessarily fundamentally about security alone.


Seems to just be using the device in its intended manner, but perhaps it wasn't "intended" for random people on the internet to be accessing an open telnet service on the default port on a system connected directly to the public internet.


The way this usually happens is someone decides to create a device; in order to be able to access it and program it they give it an embedded controller listening to some port on a local area network. Next up someone installs a gateway that starts to assign NAT'd or public IPs to devices and boom, suddenly that box is now wide open to whoever stumbles upon the IP. This has caused a whole raft of problems with embedded systems that were built before people were more security conscious.

The real problem is that the end users are more often than not totally unaware that their stuff is exposed to the world until something bad happens.


That just happened to Ukraine's power grid.[1]

[1] http://www.reuters.com/article/us-ukraine-cybersecurity-idUS...


Maybe cost-cutting, and outsourcing management to save money?


A lot of this insecure IoT/vehicle etc. like stuff reminds me a bit of the early days of phreaking. Discovering "secret numbers", using open conference lines and the like. I think mere discovery is in the spirit of hacking since I'd define it as "curious exploration".


Given the Aaron Swartz case, I would say yes.


I think the companies that make this junk need to be held accountable or else it will keep happening.


No! It's the companies who buy and USE this crap, even when they are configuring the devices and see that they cannot protect them, that need to be held accountable.

It's like buying a bus with broken brakes, and still using it as public transportation. Nothing wrong with buying the bus.


It's like a company selling a bus with broken brakes, not telling the customer it is broken and then the customer either knowingly or unknowingly uses it after working that out for themselves.


Right, this is what class tort actions are for.


Is this supposed to be a poster example of irresponsible disclosure?


I'd hazard a guess that unless the vendor can provide over-the-air updates and every system which plugs into these telematics units can also be easily upgradeable to incorporate the new added auth functionality, it might be better just to make everyone aware of the issue?

Ultimately this blog post doesn't describe any rocket science at all: anyone wanting to cause trouble on the internet is well aware of Shodanning for exposed ICS systems that fail to even implement authentication.


I'd be pretty wary of pushing information like this out in the open without first making sure the vendor had time to alert their customers that this is about to hit the streets. Who knows what kind of vehicles we're talking about and under what conditions they operate. Of course it isn't rocket science, but that doesn't mean you need to advance your stature in the security community by blindsiding some manufacturer on Sunday evening.

Anyway, call me old-fashioned, I don't think this is the way it should be done.

FWIW I'm aware of a SCADA system that is widely deployed that is just about as secure as this system here and I'd be the last person on the planet to publish the details of it because I know for a fact that it is used to control HVAC equipment and other building infrastructure in hospitals and prisons. These things are not toys and being aware of them does not actually allow you to play god. (In that particular case as far as I know the systems are so old that fixing them with an update is not even an option).


> I'm aware of a SCADA system that is widely deployed that is just about as secure as this system

Yes, you and a cool bunch of Chinese and Russian government-hired hackers, too.


I think you might be late to the party. It's widely known that these systems don't have any kind of security at all. The potential criminals already had this information for a long time.


The SCADA system or the underlying protocol? IEC6180 (Layer2 Goose) or DNP3 don't define any auth or security while OPC_UA does.


Would it be "ethical hacking" to DDOS any website hosting or linking to this article?


No, of course it wouldn't be.


Are you unsure of the answer?


It's a thought question.

If releasing irresponsibly a vulnerability puts people in real danger, is it worth it to suppress the release of that vulnerability?


> unless the vendor can provide over-the-air updates

http://www.neweagle.net/ProductDocumentation/Telematics/Tele... mentions "Remote Flashing" so I guess they fix that.


Well the OP includes details of commands that can be sent including "update" so perhaps someone has already updated all of them to add a backdoor.


What was "disclosed"? The page simply demonstrates some of the remote administrative features of these units.


What should be interesting is to see that now the company(s?) producing them must know about this new interest in the details of their devices, whether they have contacted all their clients today to warn them of potential issues.

I'm going to go with "no". Companies that admit their failings to their customers are probably pretty rare, particularly "companies that will fail to attempt to secure their computer systems but will actively engage their customers when an issue becomes the focus of unwanted attention" must be close to zero in number.


Agreed, but I would not actually be surprised if they did not learn anything yet. The embedded hardware world is not quite as well connected in that sense as the web start-up scene. It could take a few days before the circle of the people that know about this and the circle of the people involved in that company intersect.


Which makes me wonder, is network traffic profiling common? Like, will the local network admins be getting alerts for traffic spikes on port 23 (SNORT and the like do this sort of intrusion detection I think?)?


I am hoping this is an advisory for those implementing these devices. The device does what it should by publishing everything that it is set up to do. It is leaking information everywhere as designed. There are a lot of things such as public transit that you want this information being broadcast everywhere. You could write the same story for an FTP server with an open connection to the internet.


Yeah, this is kind of ridiculous. You can go from skimming the article to tracking vehicles in 30 seconds...


Yeah, you really have to wonder if this guy even exists or is just an alias. Because how could anyone be this openly reckless?


The people that produce blatantly poor products like this are the only ones to blame.


Absolutely, unfortunately it is their customers that will end up with the fall-out.


You know it's kind of ironic. How is the customer even supposed to know how insecure these systems are without blog posts like this one so they can avoid bad companies?


Actually, unless the customers are as incompetent as the makers of these devices, they should have asked themselves how come they could configure their device with no authentication, and if they could, who else could.

This is not really a bug, this is an unfit design.


There is a way to secure this kind of device. The mobile data providers can offer VPN services for customer devices, so they could be "hidden" from the Internet at the network level, without changing their configuration.


This is reckless for the manufacturers and operators involved; the manner in which this information was released was also reckless. Poor show all round.


> I.P. address

That's a novel way to abbreviate Internet Protocol address.


I'll bite. What's the problem with his abbreviation?


Did I say there was a problem? I just said novel. As in: From Old French novel ‎(“new, fresh, recent, recently made or done, strange, rare”) (modern nouvel), from Latin novellus ‎(“new, fresh, young, modern”), diminutive of novus ‎(“new”).

More towards the meaning of strange, rare rather than young, modern. Google automatically corrects "I.P. address" to "IP address", so I can't easily say how much more widespread the second spelling is. But I bet it is a lot more.


Just like the FDA, we need a public or private organization that certifies all IoT devices for their internet security level.



