Advisory

Syrus4 IoT Gateway Critical Vulnerability Threatens Thousands of Vehicles



The Syrus4 IoT Gateway, telematics technology integrated into over 119,000 vehicles in 49 countries, currently faces a severe security threat due to an unresolved vulnerability tracked as CVE-2023-6248 (CVSS score 10).

This critical flaw affects the Syrus4 IoT Telematics Gateway version 23.43.2, developed by Digital Communications Technologies (DCT). The vulnerability allows remote control over entire fleets of vehicles, not just individual ones, which could lead to significant disruptions and potentially accidents.

The flaw exists in the MQTT server functionality of the system, where improper authentication gives remote attackers easy access.

The flaw makes it possible to issue unauthorized commands and take control of numerous vehicles through the Syrus4 system, using just an IP address and a simple Python script. Hackers can manipulate vehicle locations, engine diagnostics, speakers, and airbags, and even execute arbitrary code on these devices.

One of the most alarming capabilities of the Syrus4 system is the potential remote shutdown of vehicles. Investigations have identified over 4,000 vehicles connected in real time to this vulnerable server in the United States and Latin America.

Despite the gravity of this vulnerability, DCT has not yet released a patch.

Until a patch is issued, vehicle owners and fleet managers can take certain precautions:

  • Work with the fleet management companies to understand the security measures they use to isolate and protect the Syrus4 systems.
  • Refrain from using features that depend on the Syrus4 system, especially those like remote vehicle shutdown.
  • Watch for updates and information from DCT.