Kaspersky Lab has proved that data gathered and processed by some smart road sensors can be dramatically compromised, potential affecting future city authority decisions on the development of road infrastructure.
The flaws were discovered during an attempt by a Kaspersky Lab Global Research & Analysis Team (GReAT) expert to explore security issues in smart city transport infrastructure and give recommendations on how to address them, who conducted field research into the specific type of road sensors that gather information about city traffic flow.
Transport infrastructure in a modern megalopolis represents a very complicated system, containing different sorts of traffic and road sensors, cameras, and even smart traffic light systems. All the information gathered by these devices is delivered and analysed in real-time by the special city authorities. Decisions about future road constructions and transport infrastructure planning can be made based on this information. If the data is compromised it can cause millions in losses to the city.
In particular, if fraudulent access to the transport infrastructure is gained, the following may occur:
* The data gathered by road sensors may be compromised in an attempt to sabotage it or resell it to third parties;
* Modification, falsification and even deletion of critical data;
* Demolition of the expensive equipment; or
* Sabotage the work of the city authority’s services.
Recent research by a Kaspersky Lab expert in Moscow was conducted on a network of road sensors that gather traffic flow information – in particular the quantity of vehicles on the road, their type and average speed. This information is transferred to the city authority’s command center. City traffic authorities receive the information and use it to support and update a real-time road traffic map. The map, in turn, could then serve as a source of data for city road system construction or even for automating traffic light system controls.
The first security issue discovered by the researcher, was the name of the vendor clearly printed on the sensor’s box. This crucial information helped the Kaspersky Lab expert to find more information online about how the device operates, and what software it uses. The researcher discovered that the software used to interact with the sensor, as well as technical documentation, were all available on the vendor’s website. In fact, the technical documentation explained very clearly what commands could be sent to the device by a third party.
Just walking near the device, the researcher was able to access it via Bluetooth as no reliable authentication process was implemented. Anyone with a Bluetooth-enabled device and software for discovering passwords via multiple variants (brute force) could connect to a road sensor in this way. But what to do next?
Using the software and technical documentation, the researcher was able to observe all data gathered by the device. He was able to modify the way the device gathers new data: for example changing the type of vehicle recorded from a car to a truck, or changing the average traffic speed.  As a result all newly-gathered data was false and not applicable to the needs of the city.
“Without the data gathered by these sensors, actual traffic analysis and subsequent city transport system adjustments would not be possible,” says Denis Legezo, security researcher at Kaspersky Lab’s GReAT.
“These sensors can be used in the future to create a smart traffic light system and also to decide what kind of roads should be built, and how traffic should be organised, or reorganised, in what areas of the city. All these issues mean that the work of sensors and the quality of data gathered by them should be accurate and stable. Our research has shown that it is easy to compromise the data. It is essential to address these threats now, because in the future this could affect a bigger part of the city’s infrastructure.”
Kaspersky Lab recommends several measures to help prevent a successful cyberattack against transport infrastructure devices. These include:
* Remove or hide the vendor’s name on the device, as this could help an attacker to find tools online for hacking the device;
* Change the default names of the device and disguise the vendor’s MAC addresses if possible;
* Use two steps of authentication on devices with Bluetooth connectivity and protect them with strong passwords; and
* Co-operate with security researchers to find and patch vulnerabilities.