Insecurities in commercial trucks

Commercial trucks in the US are required to have something called an electronic logging device (ELD) to track driving hours, log engine data, etc. Some ELDs have some kind of remote code execution vulnerability. The second paragraph of that article talks about taking control of a truck, which sounds like a gross overstatement. Later in the article it says that this could allow an attacker to force a truck to pull over.

This vulnerability is said to be exploitable via Wi-Fi or Bluetooth, meaning that you could potentially do this if you’re on the road near a vehicle with a vulnerable ELD. The article also says that an attacker could upload an exploit to a vulnerable truck in a way that the exploit could be self-propagating.

The effect of this is probably limited to a small number of trucks. But if a particular company had bought a bunch of trucks with this problem, and if the company were reliant on the trucks for its revenue, a character in your story could use something like this to cripple the company’s fleet. Your character could remotely upload a self-propagating exploit to one truck, and then that truck might spread it to others back at the company’s warehouse. Imagine what that could do to a small company.

Insecure doorbell cameras, safes

Some doorbell cameras have critical security vulnerabilities that allow an attacker to:

  1. Put the device into pairing mode by holding down a button on the device. This requires the attacker to be physically present, but allows complete takeover of the camera.
  2. Remotely view still images from the camera without authentication, knowing only the device’s serial number. This might also require physical presence to determine the serial number, or maybe not—did the proud new owner post an unboxing video of the gadget to YouTube?
  3. Intercept metadata like SSID and external IP address sent unencrypted over the internet. This would require some kind of network compromise, so it might be a bit of a stretch using this in a story.

The first two items are pretty interesting. Does your character need to surveil a house? She could see if the house across the street has one of these cameras.

Some physical safes have electronic locks with backdoor codes that can unlock the safes. These codes are supposedly only known to the manufacturers, but that sounds like the kind of secret that doesn’t stay secret. Would a disgruntled former employee of the manufacturer be willing to take a bribe?