Security researchers have warned that basic security flaws in smart traffic monitoring systems could allow black hats to change, falsify or even delete crucial data, potentially creating widespread disruption in the city.
Kaspersky Lab security researcher Denis Legezo highlighted a recent test of Moscow’s smart transportation system – a network of road sensors that gather traffic information to help officials alter traffic flow in real time and make future infrastructure planning decisions.
He revealed several basic security issues which made the system highly vulnerable to hackers.
The first was that the name of the manufacturer was printed clearly on the side of the sensor box.
Following up online, the Kaspersky Lab team was then able to find technical documentation on the vendor’s site – including crucial information on the firmware it uses, how it communicates with third-party devices, and so on.
The team’s job was also made easier because each sensor device was accessible via Bluetooth, allowing a hacker to brute-force it with ease.
The researchers were able to access the device firmware memory, and “change the way that passing vehicles are classified according to their length, or change the number of lanes,” Legezo explained in a blog post.
“To sum up, a car driving slowly around the city, a laptop with a powerful Bluetooth transmitter and scanner software is capable of recording the locations of traffic sensors, collecting traffic information from them and, if desired, changing their configurations,” he added.
“I wouldn’t say that traffic stats are a major secret, but tampering with sensor configurations could affect their validity. And that data could be used as a basis for controlling ‘smart’ traffic lights and other traffic equipment.”
That data could be hacked and compromised in a sabotage attempt, or even sold to third parties. Either way, it could spell trouble for the city authorities, which rely on the accuracy of such data to make crucial traffic planning decisions.
To mitigate the risk of such an attack in the future, the city authorities need to hide the vendor’s name from view on the side of each sensor; change default names on devices and disguise their MAC addresses; use 2FA for Bluetooth authentication; and work with white hats to find and patch bugs, Legezo recommended.
He told Infosecurity that the security flaws found in Moscow could be replicated elsewhere.
“Although the research was done in Moscow, devices that could be accessed simply via Bluetooth could be easily found in many cities, as there are at least 135,000 such devices in global circulation,” Legezo claimed.