The German hacker collective “Zerforschung” was able to locate around 4300 vehicles of fire departments, police and military worldwide. The group does not reveal whether police water cannons are among them.
Customers of the Austrian Rosenbauer Group can call up geodata with precise coordinates of their commercial vehicles via a “live location” function. This data from fire departments, police and military forces from various countries was publicly accessible, as the German hacker collective “Zerforschung” found out. In each case, the display showed which organization was operating the vehicle. Geodata from drones of the Chinese manufacturer DJI carried on board were also visible.
Access was gained via a QR code that Rosenbauer had published on social media. The link it contained led the hackers to a “Connected Fleet” website where customers can log in. This access was not sufficiently secured, “Zerforschung” explains in its blog.
The list of 365 organizations with allegedly 4300 vehicles includes fire departments and civil protection authorities from Germany, Austria, Great Britain and Iran. Among militaries, according to the report, Switzerland and Lithuania are customers of Rosenbauer.
The company also manufactures water cannons, of which German police forces have ordered around 80. However, the hacker group’s posting, which mentions the organizations only in excerpts, does not name them.
“Zerforschung” looks for security holes in software and reports them to the manufacturers. Afterwards, the information is made public without revealing access data. For experts, however, the hacks are reproducible, as long as the affected security hole still exists.
Published in German in „nd“.