Why is my truck talking to all these IP-addresses?

[hb.sagen]

Did you filter your pcap capture by the truck's MAC or does your capture include other traffic? I'm not seeing the .mil from my truck in the last 30 days.

Yes, I did filter the capture to my trucks mac. I will recheck the data to be sure.

Sponsored

 

[hb.sagen]

Yes, I did filter the capture to my trucks mac. I will recheck the data to be sure.

It was a DNS request from my truck to the army address, and it was refused along all the other DNS requests to the root servers. I tries a lot of different root servers, and they all refuse.

And then it uses 1.1.1.1 or dns.google and gets a reply. It even use my default dns resolver from time to time, and gets a response.

 

[Runaway Tractor]

That is a very small and reasonable list of contacts. Run that same test on your vacuum or dishwasher and it will probably be contacting most of our global adversaries

 

[reddog21]

I did just start capturing traffic from my truck, sendt over wifi. It is talking to a lot of IP-addresses. Some expected, some not so welcome. There are a lot of traffic to the DNS-root servers as well. My plan was to capture a night of traffic, to see if it did anything during nights, as I don't any OTAs. But it went into battery saver mode, even when plugged in, again.

# Address Name
34.149.193.215 - vehicle.api.mps.ford.com
34.58.221.20 - www.cloud-sync.ford.com
44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
4.245.95.115 - ford-1-ams.services.tomtom.com
104.19.242.91 - fordoem.gcs.garmin.com
52.42.212.232 - appsvc-ingest.inrix.io
128.63.2.53 - do-not-reuse.arl.army.mil
23.215.0.138 - example.com

There all legitimate, Ford heavily uses aws for cloud api I believe along with google

34.149.193.215 - vehicle.api.mps.ford.com - Cloud communication
34.58.221.20 - www.cloud-sync.ford.com - Sync updates
44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com - AWS load balancing
52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com - AWS load balancing
4.245.95.115 - ford-1-ams.services.tomtom.com - Routing
104.19.242.91 - fordoem.gcs.garmin.com - weather/traffic
52.42.212.232 - appsvc-ingest.inrix.io - I believe inrix provides traffic
128.63.2.53 - do-not-reuse.arl.army.mil - It's not an active site it just be from a demo test
23.215.0.138 - example.com - used usually for fallback or test domain

 

[thunderbayterry]

Hey everyone, thank you for this really interesting thread. I'll just contribute a quote I picked up somewhere, from a YouTube EV channel I think: "Remember, your EV is basically a smartphone with wheels" - LOL - I love that!

 

[Athrun88]

Hey everyone, thank you for this really interesting thread. I'll just contribute a quote I picked up somewhere, from a YouTube EV channel I think: "Remember, your EV is basically a smartphone with wheels" - LOL - I love that!

Not just EVs; pretty much every new car from 1990 onwards is a computer on wheels to some degree.

 

[hb.sagen]

This is the list so far, only a few short captures. There is a lot of dns traffic?

# Address        Name
192.5.6.30        a.gtld-servers.net
192.33.14.30    b.gtld-servers.net
192.26.92.30    c.gtld-servers.net
192.31.80.30    d.gtld-servers.net
192.12.94.30    e.gtld-servers.net
192.35.51.30    f.gtld-servers.net
192.42.93.30    g.gtld-servers.net
192.54.112.30    h.gtld-servers.net
192.43.172.30    i.gtld-servers.net
192.48.79.30    j.gtld-servers.net
192.52.178.30    k.gtld-servers.net
192.41.162.30    l.gtld-servers.net
192.55.83.30    m.gtld-servers.net

198.41.0.4        a.root-servers.net
192.33.4.12        c.root-servers.net
192.203.230.10    e.root-servers.net
192.5.5.241        f.root-servers.net
192.36.148.17    i.root-servers.net
192.58.128.30    j.root-servers.net
193.0.14.129    k.root-servers.net
192.112.36.4    G.ROOT-SERVERS.NET
202.12.27.33    M.ROOT-SERVERS.NET

1.1.1.1            one.one.one.one
8.8.4.4            dns.google
128.63.2.53        do-not-reuse.arl.army.mil

34.149.193.215    vehicle.api.mps.ford.com
34.58.221.20    www.cloud-sync.ford.com

4.245.95.115    ford-1-ams.services.tomtom.com
104.19.242.91    fordoem.gcs.garmin.com

52.42.212.232    appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
44.239.234.249    appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com

23.220.75.232    example.com

44.239.234.249    appsvc-ingest.inrix.io
52.42.212.232    appsvc-ingest.inrix.io

 

[chl]

I did just start capturing traffic from my truck, sendt over wifi. It is talking to a lot of IP-addresses. Some expected, some not so welcome. There are a lot of traffic to the DNS-root servers as well. My plan was to capture a night of traffic, to see if it did anything during nights, as I don't any OTAs. But it went into battery saver mode, even when plugged in, again.

# Address Name
34.149.193.215 - vehicle.api.mps.ford.com
34.58.221.20 - www.cloud-sync.ford.com
44.239.234.249 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
52.42.212.232 - appsvc-dataingest-844929136.us-west-2.elb.amazonaws.com
4.245.95.115 - ford-1-ams.services.tomtom.com
104.19.242.91 - fordoem.gcs.garmin.com
52.42.212.232 - appsvc-ingest.inrix.io
128.63.2.53 - do-not-reuse.arl.army.mil
23.215.0.138 - example.com

Interesting...so besides the expected Ford sites, your Ford is using:

Garmin via Ford - an automobile audio provider - is the OEM audio unit a Garmin?

Tom Tom via Ford - they make GPS navigation systems - your maps?

INRIX - partners to upload real-time or historical GPS probe data from connected vehicles and mobile devices. This service is part of the robust INRIX data network that collects billions of data points daily to provide detailed transportation analytics and services

example.com - a placeholder domain which uses Akamai's infrastructure to deliver content, a common setup for web services

do-not-reuse.arl.army.mil - this was one of the original DNS servers for the Internet says AI:

This address belongs to the U.S. Army Research Laboratory (ARL).
It was intentionally renamed to "do-not-reuse" to prevent ARL staff from assigning it to new systems because a significant amount of old software globally still bombards this specific IP address with constant DNS queries, even though it stopped functioning as a root server over a decade ago. The name serves as a permanent, internal reminder that the address must remain unused and is effectively a sinkhole for legacy internet traffic

OK, but why is it being used by the truck?

"The systems in your truck, which use a legacy operating system component (believed to be a version of QNX), are attempting to use this old, hardcoded address for routine DNS queries, even though it is no longer a functional root server..."

 

[chl]

You can run, but you can't hide in the age of the internet...big tech will get ya.

It always amazes me when I hear about some criminal being tracked and captured based on their cell phone pinging - just shows how addictive smart phones can be to dumb people!

 

[evowner]

" Definitely off topic, but I eat there probably once a week for lunch and after a couple of years not one employee has ever acted like they remember who I am. "

Well there it is. If you were going to be given an order at some point to kill Americans, would you want to get to know them?????

 

[hb.sagen]

I tried forcing the truck to use my DNS-server. That works for most addresses, but not for
www.cloud-sync.ford.com. It only tries to resolve that directly with 1.1.1.1. So I had to open port 53 for the truck specifically. Hardcoding it this way will be a problem if 1.1.1.1 dies one day.

 

[chriserx]

Hardcoding it this way will be a problem if 1.1.1.1 dies one day.

Unavailable... eventually, I mean it is currently run by Cloudflare after all. But its death would likely take the death of IPv4. It is interesting it's hard coded like that though.

Sponsored