Smart traffic sensors are vulnerable to cyber-attacks

Traffic and road sensors are very easy to access and quite vulnerable to cyber-attacks, which could cost city authorities millions in damages, researchers say.

Researchers from the Kaspersky Lab Global Research & Analysis Team (GReAT) took to the streets to test how secure road sensors, including smart traffic lights and cameras are, and what damage could be done if they’re not.

As it turns out, they’re completely insecure and quite easy to break into, and once inside, the data can be sabotaged, resold to third parties, modified, falsified or even deleted. Expensive equipment could be destroyed, and the work of the city authority’s services can be sabotaged.

The entire process was very simple – the device which was used for testing had its manufacturer’s name printed on it. Simply by opening the maker’s website, researchers were able to find crucial information about how the device operates.

“The technical documentation explained very clearly what commands could be sent to the device by a third party,” researchers said.

Just by walking near the device, researchers accessed it via Bluetooth, as no ‘reliable’ authentication process was implemented. They brute-forced their way in, basically.

The data there was easily modified, and as a result, “all newly gathered data was false and not applicable to the needs of the city”.

“Without the data gathered by these sensors, actual traffic analysis and subsequent city transport system adjustments would not be possible. These sensors can be used in the future to create a smart traffic light system and also to decide what kind of roads should be built and how traffic should be organised, or reorganised, in what areas of the city. All of these issues mean that the work of sensors and the quality of data gathered by them should be accurate and stable. Our research has shown that it is easy to compromise the data. It is essential to address these threats now, because in the future this could affect a bigger part of a city’s infrastructure”, said Denis Legezo, Security Researcher for the Global Research and Analysis Team.

Researchers suggest all hardware makers to hide their name from the device (or remove it altogether), change the default names of the device, disguise the vendor’s MAC address, if possible, use two-step authentication, and cooperate with security researchers to find vulnerabilities.

Image credit: Flickr / Thomas Hawk