Smart Bus System Flaws Allow Hackers to Track and Control Vehicles Remotely

Security researchers at Trend Micro’s Red Team have revealed over 30 high-severity vulnerabilities affecting consumer and industrial modems—from home ADSL gateways to 4G/5G routers—exposing millions of devices worldwide to remote takeover and data exfiltration.

Many of these devices have reached End-of-Life (EoL) and will not receive vendor patches, leaving users and critical infrastructure at grave risk.

WAN-Side Web and API Authentication Bypasses

In the most widespread case, D-Link’s DSL-6740C series modems suffer multiple pre-authentication flaws (CVE-2024-11067, CVE-2024-11066, CVE-2024-11068) that allow attackers to read system files, execute arbitrary commands, and change root passwords via unauthenticated HTTP requests. For example:

bashcurl 'http://<target>/DELT_file.xgi?set/sys/user:1/password=12345678'

This single GET request resets the root credential to “12345678”, granting persistent administrative control.

Trend Micro’s scan of FOFA data found over 59,000 exposed DSL-6740C units on the public Internet in November 2024, down only slightly to 23,000 by July 2025.

Console and UPnP Command Injection in Industrial Routers

Industrial and in-vehicle routers from Billion/BEC, Zyxel, Nokia, DASAN, and Hitron also contain insecure default settings and command injection vectors.

On BEC’s MXConnect® series, BusyBox command injection (CVE-2024-11983) can be triggered via the CLI prompt:

texthome.gateway> sys ping `cat /etc/passwd`

UPnP abuse (CVE-2024-11980) on port 5555 permits factory resets and SSID changes without credentials.

Zyxel P-6101C devices running Boa/0.94.13 reveal authentication bypass (CVE-2024-11494) by issuing HEAD requests to /cgi-bin/status_deviceinfo.asp.

These misconfigurations allow lateral movement within private LTE and SCADA environments, where modems serve as the network edge.

Hidden Backdoors and Firmware Extraction

Researchers demonstrated firmware exfiltration from thttpd-based devices by chaining BusyBox and Netcat.

On D-Link and Zyxel modems, unauthenticated access to config.xgi discloses the device’s MAC address, which in many models directly derives the default LAN/WAN passwords.

A hard-coded decryption key in BEC’s firmware also enabled the extraction of customer Wi-Fi credentials:

pythonfrom Crypto.Cipher import AES  
key = b'wfqMVcNqHvTIE3smTERwUiZRw0Ypbjtm'  
cipher = AES.new(key, AES.MODE_ECB)  
plaintext = cipher.decrypt(base64.b64decode(enc_string + '=='))

Trend Micro warned that these “design failures” persist across sibling products—from D-Link DSL-7740C twins to Hitron CGNF-TWN cable gateways—yet vendors frequently disclaim responsibility, citing EoL status.

With critical infrastructure—including water plants, power grids, and public safety networks—relying on these modems, the absence of vendor patches poses a national security concern.

Experts urge ISPs to retire EoL devices and adopt “Router Freedom” policies that allow subscribers to deploy secure third-party hardware.

Meanwhile, users should treat modems as Tier-0 assets: disable unused services, change default credentials, and run periodic port scans to detect exposed management interfaces.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates

The post Smart Bus System Flaws Allow Hackers to Track and Control Vehicles Remotely appeared first on Cyber Security News.