Why is my truck talking to all these IP-addresses?

hb.sagen · 2025-12-04T22:37:27-0800

sysop1 said:
Did you filter your pcap capture by the truck's MAC or does your capture include other traffic? I'm not seeing the .mil from my truck in the last 30 days.

Yes, I did filter the capture to my trucks mac. I will recheck the data to be sure.

hb.sagen · 2025-12-04T23:56:36-0800

hb.sagen said:
Yes, I did filter the capture to my trucks mac. I will recheck the data to be sure.

It was a DNS request from my truck to the army address, and it was refused along all the other DNS requests to the root servers. I tries a lot of different root servers, and they all refuse.

And then it uses 1.1.1.1 or dns.google and gets a reply. It even use my default dns resolver from time to time, and gets a response.

Runaway Tractor · 2025-12-05T03:30:02-0800

That is a very small and reasonable list of contacts. Run that same test on your vacuum or dishwasher and it will probably be contacting most of our global adversaries

reddog21 · 2025-12-05T06:40:23-0800

hb.sagen said:
I did just start capturing traffic from my truck, sendt over wifi. It is talking to a lot of IP-addresses. Some expected, some not so welcome. There are a lot of traffic to the DNS-root servers as well. My plan was to capture a night of traffic, to see if it did anything during nights, as I don't any OTAs. But it went into battery saver mode, even when plugged in, again.

Code:

# Address Name 34.149.193.215 - vehicle.api.mps.ford.com 34.58.221.20 - www.cloud-sync.ford.com 44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com 52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com 4.245.95.115 - ford-1-ams.services.tomtom.com 104.19.242.91 - fordoem.gcs.garmin.com 52.42.212.232 - appsvc-ingest.inrix.io 128.63.2.53 - do-not-reuse.arl.army.mil 23.215.0.138 - example.com

There all legitimate, Ford heavily uses aws for cloud api I believe along with google

34.149.193.215 - vehicle.api.mps.ford.com - Cloud communication
34.58.221.20 - www.cloud-sync.ford.com - Sync updates
44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com - AWS load balancing
52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com - AWS load balancing
4.245.95.115 - ford-1-ams.services.tomtom.com - Routing
104.19.242.91 - fordoem.gcs.garmin.com - weather/traffic
52.42.212.232 - appsvc-ingest.inrix.io - I believe inrix provides traffic
128.63.2.53 - do-not-reuse.arl.army.mil - It's not an active site it just be from a demo test
23.215.0.138 - example.com - used usually for fallback or test domain

thunderbayterry · 2025-12-05T06:57:11-0800

Hey everyone, thank you for this really interesting thread. I'll just contribute a quote I picked up somewhere, from a YouTube EV channel I think: "Remember, your EV is basically a smartphone with wheels" - LOL - I love that!

Athrun88 · 2025-12-05T07:13:25-0800

thunderbayterry said:
Hey everyone, thank you for this really interesting thread. I'll just contribute a quote I picked up somewhere, from a YouTube EV channel I think: "Remember, your EV is basically a smartphone with wheels" - LOL - I love that!

Not just EVs; pretty much every new car from 1990 onwards is a computer on wheels to some degree.

hb.sagen · 2025-12-05T07:27:04-0800

This is the list so far, only a few short captures. There is a lot of dns traffic?

Code:

# Address        Name
192.5.6.30        a.gtld-servers.net
192.33.14.30    b.gtld-servers.net
192.26.92.30    c.gtld-servers.net
192.31.80.30    d.gtld-servers.net
192.12.94.30    e.gtld-servers.net
192.35.51.30    f.gtld-servers.net
192.42.93.30    g.gtld-servers.net
192.54.112.30    h.gtld-servers.net
192.43.172.30    i.gtld-servers.net
192.48.79.30    j.gtld-servers.net
192.52.178.30    k.gtld-servers.net
192.41.162.30    l.gtld-servers.net
192.55.83.30    m.gtld-servers.net

198.41.0.4        a.root-servers.net
192.33.4.12        c.root-servers.net
192.203.230.10    e.root-servers.net
192.5.5.241        f.root-servers.net
192.36.148.17    i.root-servers.net
192.58.128.30    j.root-servers.net
193.0.14.129    k.root-servers.net
192.112.36.4    G.ROOT-SERVERS.NET
202.12.27.33    M.ROOT-SERVERS.NET

1.1.1.1            one.one.one.one
8.8.4.4            dns.google
128.63.2.53        do-not-reuse.arl.army.mil

34.149.193.215    vehicle.api.mps.ford.com
34.58.221.20    www.cloud-sync.ford.com

4.245.95.115    ford-1-ams.services.tomtom.com
104.19.242.91    fordoem.gcs.garmin.com

52.42.212.232    appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
44.239.234.249    appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com

23.220.75.232    example.com

44.239.234.249    appsvc-ingest.inrix.io
52.42.212.232    appsvc-ingest.inrix.io

Why is my truck talking to all these IP-addresses?

hb.sagen

Well-known member

hb.sagen

Well-known member

Runaway Tractor

Well-known member

reddog21

Member

thunderbayterry

Well-known member

Athrun88

Well-known member

hb.sagen

Well-known member

Similar threads