A significant security flaw in Digital Communications Technologies’ fleet management software, which could potentially allow unauthorized control over vehicle fleets, has not been addressed by the vendor, despite being reported months ago. The vulnerability, identified as CVE-2023-6248, affects the Syrus4 IoT gateway and poses a risk of vehicle shutdowns.
Security experts have emphasized the gravity of this oversight, as the auto industry’s shift towards highly interconnected “computers on wheels” has made software vulnerabilities a critical concern. Unlike typical vulnerabilities that affect individual vehicles, this one has far-reaching implications, because it could enable attackers to disrupt entire fleets simultaneously through the backend infrastructure.
The flaw grants access to a Linux server via the gateway, allowing manipulation of a wide array of vehicle functions, including location tracking, engine diagnostics, and even the execution of arbitrary code on affected devices. The most concerning aspect is the software’s capability to deactivate vehicles, a feature that security consultant Yashin Mehaboobe confirmed to be exploitable in testing that was deliberately limited to avoid endangering vehicles in transit.
Despite the severity of the issue and the extensive reach of the software, which is used by organizations globally, the vendor’s response has been notably absent. Efforts to engage with Digital Communications Technologies for a resolution have been met with silence, and the initial support ticket was dismissively closed, with the vendor stating that the reported vulnerability was not an issue.
This lack of action raises serious questions about the company’s commitment to cybersecurity and the safety of the numerous vehicles and fleets that rely on their software. The situation underscores the need for prompt and responsible handling of security vulnerabilities by vendors to protect against potential large-scale disruptions.