Why is my truck talking to all these IP-addresses?

[hb.sagen]

I did just start capturing traffic from my truck, sendt over wifi. It is talking to a lot of IP-addresses. Some expected, some not so welcome. There are a lot of traffic to the DNS-root servers as well. My plan was to capture a night of traffic, to see if it did anything during nights, as I don't any OTAs. But it went into battery saver mode, even when plugged in, again.

# Address Name
34.149.193.215 - vehicle.api.mps.ford.com
34.58.221.20 - www.cloud-sync.ford.com
44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
4.245.95.115 - ford-1-ams.services.tomtom.com
104.19.242.91 - fordoem.gcs.garmin.com
52.42.212.232 - appsvc-ingest.inrix.io
128.63.2.53 - do-not-reuse.arl.army.mil
23.215.0.138 - example.com

Sponsored

 

[rugedraw]

128.63.2.53 - do-not-reuse.arl.army.mil

I don't have the answer to your question, but this one is registered to the US Department of War.

Break out your tin foil hats!!!!!

 

[GDN]

I don't have the answer to your question, but this one is registered to the US Department of War.

Break out your tin foil hats!!!!!

Maybe something to do with GPS?

Working with @bmwhitetx on reviewing some map differences, I found this yesterday. The Navigation has to know data about the GPS satellites - and Russia's too I guess - Glonass.

PS - I'll save you some time with those coordinates. They might give away my neighborhood, but my profile already says Dallas. Those coordinates will take you to lunch at Panda Express.

 

[Henry Ford]

Those coordinates will take you to lunch at Panda Express.

So you're working with the Chinese...

 

[chriserx]

I did just start capturing traffic from my truck, sendt over wifi. It is talking to a lot of IP-addresses. Some expected, some not so welcome. There are a lot of traffic to the DNS-root servers as well. My plan was to capture a night of traffic, to see if it did anything during nights, as I don't any OTAs. But it went into battery saver mode, even when plugged in, again.

# Address Name
34.149.193.215 - vehicle.api.mps.ford.com
34.58.221.20 - www.cloud-sync.ford.com
44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
4.245.95.115 - ford-1-ams.services.tomtom.com
104.19.242.91 - fordoem.gcs.garmin.com
52.42.212.232 - appsvc-ingest.inrix.io
128.63.2.53 - do-not-reuse.arl.army.mil
23.215.0.138 - example.com

Best guesses:
1) Ford app API polling instead of push
2) Vehicle status
3 & 4) Alexa/Amazon services
5 & 6) GPS traffic/routing/elevation, possibly weather
7) Vehicle usage analytics
8) ARP, reverse domain lookup
9) Shot in the dark here without port testing but possibly is online/offline status

Edit: Just read the rest of the thread, yeah kinda crazy to see the US military being contacted until you realize the modern internet was born out of ARPANET. Also, it's possible that it's being used as an authoritative DNS server, not at my computer to attempt a port scan.

 

[carys98]

Best guesses:
1) Ford app API polling instead of push
2) Vehicle status
3 & 4) Alexa/Amazon services
5 & 6) GPS traffic/routing/elevation, possibly weather
7) Vehicle usage analytics
8) ARP, reverse domain lookup
9) Shot in the dark here without port testing but possibly is online/offline status

3 and 4 could still be Ford renting AWS space to store data.

 

[chriserx]

3 and 4 could still be Ford renting AWS space to store data.

Definitely could be, I only ruled it out because of number 2, and the appsvc subdomain in 3 & 4. I'm at work now so I'm left to speculation instead of testing

Edit: I had actually been wanting to do this for a while, so thanks for doing it for me. I'd love to send all of the cellular through my personal VPN to analyze all of the traffic but the modem is pretty locked down.

 

[MountainAlive]

Here’s what Gemini says about that military IP address. Apparently it’s just a DNS server https://g.co/gemini/share/427b2bbd69ff

 

[chriserx]

Here’s what Gemini says about that military IP address. Apparently it’s just a DNS server https://g.co/gemini/share/427b2bbd69ff

That's what they want you to think.

 

[digitaldad]

@hb.sagen , I posted something similar; was trying to identify what the update servers/IPs were. I was taught that most OTAs use cellular network, so it was sort of a bust.

https://www.f150lightningforum.com/...te-url-dns-name-from-your-wifi-network.25772/

 

[mr.Magoo]

Those coordinates will take you to lunch at Panda Express.

Do we get a free lunch if we mention your name ?

 

[sysop1]

Did you filter your pcap capture by the truck's MAC or does your capture include other traffic? I'm not seeing the .mil from my truck in the last 30 days.

 

[tls]

That address at ARL is one of the original root DNS servers. It's been renamed to "do-not-reuse" to remind ARL staff that it's now unusable for any other purpose because ancient software like the version of QNX in our trucks bombards it with literally billions of DNS queries per minute even though it has not been a root server for a decade.

 

[sysop1]

That address at ARL is one of the original root DNS servers. It's been renamed to "do-not-reuse" to remind ARL staff that it's now unusable for any other purpose because ancient software like the version of QNX in our trucks bombards it with literally billions of DNS queries per minute even though it has not been a root server for a decade.

I only have 30 days of data but I don't see that IP from my truck.

 

[GDN]

Do we get a free lunch if we mention your name ?

Definitely off topic, but I eat there probably once a week for lunch and after a couple of years not one employee has ever acted like they remember who I am. Have the super greens, Teriyaki chicken without the sauce and Kung Pao chicken - somewhat healthier than a burger and fries.

Sponsored