In August 2018 when we presented our research on the extreme vulnerability of many emergency services vehicles due to their use of onboard cellular gateways, we hoped to get the attention of people who could help change things. After all, when you tell the world you’ve been able to easily track police cruisers, in real-time, all over the country for the better part of two years, you expect people to pay attention. What we don’t know is if the right people are paying attention. In police and fire vehicles, ambulances, traffic signals, oil, gas, and water pipelines, and other applications, unsecured cellular gateways are exposing sensitive details to anyone who cares to see. From GPS coordinates to RADIUS secret keys, access to this information is only a default login/password away; some even display this information on an unauthenticated login screen. Just sitting there. For anyone to see.
Needless to say, something needs to change before people who don’t have good intentions decide to leverage this data for nefarious purposes. What we aim for now is accountability. Not any sort of vindictive accountability, but the kind of accountability we demand from our elected officials in a democratic society. Accountability to ensure that the men and women in emergency services whom we trust to enforce our laws, ensure public safety, and come to the rescue when things go wrong, are not at risk of falling victim to unsecured technology.
As researchers, our wild ride through the world of cellular gateways began in October of 2016. Somewhere along the way we discovered one of the gateways we were tracking was inside a police cruiser. Large numbers of others turned out to be the same, as well as in fire trucks and ambulances, and connected to traffic lights and security cameras. We never knew we would care so much about how the police cruiser we saw in traffic gained access to the Internet; or that we could pull up its GPS coordinates and follow it in real time.
We discovered we could not only track these vehicles in real time, but in precincts where officers took their vehicles home after their shift was over, we knew where they lived. We knew their routes to and from work, could watch as they responded to dispatch calls, and could learn their patrol patterns. We could use sensitive information in the device configuration to infiltrate the networks these devices connected to, and possibly manipulate data. In the wrong hands, the information could be deadly.
During the 22 months of research leading up to our presentation of this data at Black Hat 2018, over 100,000 devices were discovered globally, more than 13,500 disclosures were sent, and dozens of emergency services departments were found. The talk got the attention of industry professionals, but not the attention of those who managed these cellular gateways in use in their local police department’s cruisers. Chances are the people in charge of the fleets didn’t know their devices were vulnerable, or what risks they presented.
What’s wonderful about living in an open, democratic society is the availability of public records. As citizens, we want and deserve to know what our tax dollars are being spent on, and public documents provide a means to hold officials accountable. City councils and other municipal authorities often publish their records online, meaning it’s not hard to find who is using these devices and for what purpose. Disbursement approval records, city council meeting minutes, requests for bids, and the bids themselves have led us to dozens of specific municipalities using devices that may be vulnerable.
Some basic web scraping left us with tens of thousands of pages to review. The documents detail different municipalities’ moves to cellular gateways in their fleets, their traffic signals, water infrastructure, and environmental monitoring projects. We can piece together which devices they decided to use, for what purpose, and even which company won the contract.
For example, we have this receipt from a New Jersey company for a number of items, including 12 Sierra Wireless Airlink GX440 Wireless Routers and labor for the installation.1
(Note: F5 Labs has obfuscated all names in the following documents.)
Another interesting example is the City of Naples, Florida. Here, we came across a request for bids regarding the installation of 140 AVL (Automatic Vehicle Locator) units, including a Sierra Wireless AirLink GX400.1