HACKER Q&A
📣 mirimir

Are US cellular networks this poorly secured?


I've been thinking about xfitm3's recent comment[0] about work by Charlie Miller and Chris Valasek on remote exploitation of motor vehicles.[1]

They report:

> "It turns out that any Sprint device anywhere in the country can communicate with any other Sprint device anywhere in the country."

And no, they don't mean by placing calls. They used a femtocell (miniature cell tower) that had been exploited to allow console (command line) access. In particular, a Sprint Airave. Basically that gave them direct access to Sprint's WAN. So then, just as with Windows PCs in the early 00s:

> "To find vulnerable vehicles you just need to scan on port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8."

But this isn't limited to baseband radios of motor vehicles, right?

So using the same approach, adversaries could find open ports on Sprint smartphones and other devices with cellular connectivity. And perhaps exploit them, given that cellular baseband radios are reportedly not well secured. Also, the baseband is privileged over the GUI operating system. And given that baseband firmware is a closed-source blob, it's basically impossible to fully assess any of those risks.

Or am I being overly alarmist?

Has Sprint since reconfigured its cellular network to better isolate devices?

And are other US cellular networks as poorly secured?

0) https://news.ycombinator.com/item?id=22024501

1) http://illmatics.com/Remote%20Car%20Hacking.pdf


👤 wmf Accepted Answer ✓
The Internet is not and never was a secure network. Devices connected to the Internet need to secure themselves.

👤 kelnos
> Also, the baseband is privileged over the GUI operating system.

IIRC this is no longer true for current-gen chips and designs.