CVE-2023-6248: Unpatched Syrus4 Vulnerability Threatens Thousands of Vehicles


A critical vulnerability affecting the Syrus4 IoT Gateway, a technology found in over 119,000 vehicles across 49 countries, has been left unpatched for months, leaving millions of drivers vulnerable to hacking. This vulnerability, identified as CVE-2023-6248, could allow attackers to remotely take control of fleets of vehicles, potentially leading to widespread chaos and even accidents.

At the heart of this issue lies a flaw in the Syrus4 IoT Telematics Gateway, version 23.43.2, developed by Digital Communications Technologies (DCT). This vulnerability, discovered by Yashin Mehaboobe from Xebia, has been assigned a maximum CVSS score of 10.0, indicating its critical nature. Unlike typical exploits targeting individual vehicles, CVE-2023-6248 enables attackers to manipulate software managing entire fleets, compromising backend infrastructure and potentially impacting thousands of vehicles simultaneously.

The vulnerability allows unauthorized access to the Syrus4 IoT Gateway’s software, enabling control over the commands that manage vast numbers of vehicles. With just an IP address and a simple Python script, attackers can gain control over live locations, engine diagnostics, speakers, and airbags, and can execute arbitrary code on the compromised devices. The flaw is classified as a critical improper authentication issue in the MQTT server functionality: the unsecured MQTT server becomes an entry point for remote, unauthenticated attackers.
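Operators who run their own MQTT brokers can look for the same improper-authentication condition in traffic captured at that broker: a CONNECT that carries no username or password and still receives an accepting CONNACK. The following is an added example, not code from the original article or from DCT; it assumes MQTT 3.1.1 framing, and the packet bytes and `unit-*` labels are constructed sample data.

```python
import struct

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length'; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 21:
            raise ValueError("remaining length longer than 4 bytes")

def connect_has_credentials(packet):
    """True if the CONNECT flags announce a username (bit 7) or password (bit 6)."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    _, pos = _remaining_length(packet, 1)
    (name_len,) = struct.unpack_from(">H", packet, pos)
    flags = packet[pos + 2 + name_len + 1]  # skip protocol name and level byte
    return bool(flags & 0xC0)

def connack_return_code(packet):
    """Return code of a CONNACK: 0 accepted, 4 bad credentials, 5 not authorized."""
    if packet[0] >> 4 != 2:
        raise ValueError("not a CONNACK packet")
    _, pos = _remaining_length(packet, 1)
    return packet[pos + 1]  # packet[pos] holds the acknowledge flags

def anonymous_sessions(exchanges):
    """Labels of clients whose credential-less CONNECT the broker accepted."""
    return [label for label, connect, connack in exchanges
            if not connect_has_credentials(connect)
            and connack_return_code(connack) == 0]

# Constructed sample packets (MQTT 3.1.1), not taken from any real capture.
ANON = bytes.fromhex("100e00044d5154540402003c00026331")          # no credentials
AUTH = bytes.fromhex("101400044d51545404c2003c00026332000175000170")  # user + password
ACCEPTED = bytes.fromhex("20020000")
REFUSED = bytes.fromhex("20020005")
SAMPLE = [("unit-a", ANON, ACCEPTED),
          ("unit-b", AUTH, ACCEPTED),
          ("unit-c", ANON, REFUSED)]

if __name__ == "__main__":
    print("accepted without credentials:", anonymous_sessions(SAMPLE))
```

Any label this returns marks a listener that accepts sessions without credentials; it says nothing about whether credentials that are supplied are actually verified.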

Syrus4’s most concerning feature is its ability to remotely shut down vehicles. A search revealed over 4,000 vehicles connected to the server in real time across the United States and Latin America. Despite the severity of this flaw, DCT’s response has been notably slow, raising concerns about the preparedness of industry leaders in addressing cybersecurity threats.

While we wait for a patch, there are some steps you can take to protect yourself:

  • Contact your fleet management company and inquire about their security practices.
  • Avoid using features that rely on the Syrus4 system, such as remote vehicle shutdown.
  • Stay informed about the latest developments regarding this vulnerability.

The automotive industry needs to take cybersecurity seriously. Millions of drivers are at risk of having their vehicles hacked, and the consequences could be devastating. We urge DCT to take immediate action to fix this vulnerability and protect the safety of their customers.