In-vehicle wireless devices are endangering emergency first responders

In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a crippling denial-of-service attack by a large number of devices, some of which appeared to be hosted inside the network of a large European airport. As he scanned the airport’s network from the Internet—and later, with the airport operators’ permission, from inside the network—he was eventually able to confirm that the devices were indeed part of several previously unseen botnets that were delivering record-setting denial-of-service attacks on websites.

One of the infected devices was a wireless gateway from Sierra Wireless. Authorized IT administrators used it to connect to the airport network in the event that primary connection methods failed. Surprised that such a sensitive piece of equipment could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found shocked him. Not only did an Internet scan show that 40,000 such gateways were running in other networks, but a large percentage of them were exposing a staggering amount of sensitive data about the networks they were connected to.

Affecting human life

Worse still, it turned out that many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices openly broadcasting the locations of these first responders, but they were also exposing configurations that could be used to take control of the devices and, from there, possibly control dash cameras, in-vehicle computers, and other devices that relied on the wireless gateways for Internet connections.

An informal probe at the time found that 47 municipalities and 29 police forces were using the unsecured devices. At one point early on, Shattuck, who is principal threat researcher for F5 Networks, tracked several vehicles as they drove around Houston. By tracking their locations over time and noticing the places they stopped regularly, Shattuck soon figured out they were police cruisers.

Shattuck said he has spent the past 22 months investigating the problem and helping wireless gateway providers—which, besides Sierra Wireless, also includes Moxa and Digi—to begin fixing it. Despite the efforts, he said scans regularly show large numbers of unsecured devices continue to expose not only emergency first responders but also remote pipelines, hydrogen refueling stations, traffic monitoring systems, tolls, bridges, and airports. Now, after almost two years of keeping the problem a carefully guarded secret, he plans to discuss it in detail Thursday at the Black Hat security conference in Las Vegas.

“It’s time to talk about this,” Shattuck told Ars. “This affects human life in ways you only see in movies.”

Shattuck said one of his chief concerns is that the unsecured devices reveal a host of sensitive information about first responders in real time. When someone first starts monitoring a feed, it’s not immediately clear that it’s coming from a device located in a police car or ambulance, but with a small amount of tracking it quickly becomes clear. A vehicle, for instance, that regularly shows up at the same precinct every eight hours is almost certainly a police cruiser. Similarly, a vehicle that frequently visits hospital emergency rooms is likely an ambulance. Often, Shattuck would see police cruisers regularly stop at a residence and stay there for several hours, an indication that the location might be the home of the officer.

Divulging that information over the open Internet presents a variety of risks. The most serious is the danger to first responders when their real-time location is broadcast without their knowledge. Police officers often rely on the secrecy of their location. Criminals or organized terrorists who got a hold of a feed might use it in a physical attack or to evade law enforcement. Because unsecured devices also give up configuration details about the networks they connect to, skilled hackers might also use the information to access police or hospital networks, monitor or erase dash cam footage, or monitor drivers’ Internet or radio communications.

“If someone can tell where those police officers are, then you can start to reroute them,” Shattuck said. “You can monitor them. You can tamper with the trusted device by taking it offline or man-in-the-middle the service.”

No easy fix

Fixing the problem has proven vexing, in part because it doesn’t stem from a single cause. In some cases, it’s the result of firmware bugs that don’t properly restrict Internet-reachable devices to authorized users. In other cases, it’s because the devices shipped with default login credentials that no one changed. In still other cases, someone configured services that leak sensitive data. The devices affected include Sierra Wireless Airlink models LS300, GX400, GX/ES440, GX/ES450, and RV50; the Digitransport WR44; and the Moxa Oncell G3.

“The central issue is that devices have been deployed with the configuration UI exposed to the public Internet instead of making use of a platform such as ALMS [short for Airlink Managed Service] for secure remote management and/or using product security features such as Trusted IP to restrict access to the device to approved hosts,” Larry LeBlanc, the chief security engineer for Sierra Wireless, said of the cause of his company’s products being unsecured. In many cases, third-party services are installing the devices using static, publicly accessible IP addresses and not changing default credentials.

Over the past few years, Sierra Wireless has issued six advisories here, here, here, here, here, and here. New Sierra Wireless products now ship with all available security patches and a secure-by-default posture—for example, the configuration interface hasn’t been enabled by default.

The company has also established a free security concierge service to help users secure their devices. Anyone who operates Airlink gateways reachable from the public Internet can use the service by calling Sierra Wireless Technical support at 877-552-3860. People who use gateways from other manufacturers should contact their technical support departments.

Shattuck said that despite how overlooked the small devices are, they represent a risk to emergency first responders.

“To them it’s just a black box in the ambulance,” he said. “They have no idea that little black box you hit your head on is the thing that lets people in. The point is we can control services connected to the device.”