Roadside sensors and the data gathered from them can be easily hacked, according to field tests by researchers from Kaspersky Lab on the streets of Moscow.
Transport infrastructure in modern cities typically includes an array of traffic and road sensors, cameras, and even smart traffic light systems. Data from these devices is gathered in real time and used to manage traffic flows and other functions via real-time road traffic maps, as well as being collated for future planning decisions.
The Kaspersky team found that the name of the vendor was clearly displayed on a sensor's box. Technical documentation, including information on what commands could be sent to the device by a third party, was readily available from the vendor's web site.
No authentication was required to communicate with the Bluetooth-enabled device. "Anyone with a Bluetooth-enabled device and software for discovering passwords via multiple variants (brute force) could connect to a road sensor in this way," the Kaspersky team discovered.
Using specialist software and technical documentation, the researcher was able to observe all data gathered by the device. He was able to modify the way the device gathers new data: for example, changing the type of vehicle recorded from a car to a truck or changing the average traffic speed. As a result, all newly gathered data was misleading garbage.
Decisions about future road construction and transport infrastructure planning are made based on information from sensors. So as well as the immediate risk of traffic jams, there's a bigger, longer-term problem if the integrity of collected data isn't assured.
"Without the data gathered by these sensors, actual traffic analysis and subsequent city transport system adjustments would not be possible," said Denis Legezo, a security researcher at Kaspersky Lab.
"These sensors can be used in the future to create a smart traffic light system and also to decide what kind of roads should be built and how traffic should be organised, or reorganised, in what areas of the city."
Car hacking has been a popular sideline for security researchers over the last couple of years. Kaspersky's research shows that roadside systems also need security. The research has immediate implications for those developing Smart Transport Monitoring Systems, since abusing sensor data could be used to create traffic jams or worse.
"All of these issues mean that the work of sensors and the quality of data gathered by them should be accurate and stable," Legezo continued. "Our research has shown that it is easy to compromise the data. It is essential to address these threats now, because in the future this could affect a bigger part of a city's infrastructure."
More on the research – along with suggestions on how to guard against cyber-attacks on transport infrastructure devices – can be found in a blog post by Kaspersky Lab here. These suggestions include using two steps of authentication on devices with Bluetooth connectivity and protecting them with strong passwords. Cooperation with security researchers to find and patch vulnerabilities is also advised.
The research was conducted as part of Kaspersky Lab's support of the Securing Smart Cities initiative. ®