Traffic sensors easily hacked, says Kaspersky
Researcher shows how smart traffic sensors can be hacked and data amended
Many smart city sensors used to collect data can be easily accessed and exploited, according to new research by Kaspersky Lab.
The security company found that traffic sensors that have been deployed across Moscow and other Russian cities to monitor traffic intensity can be hacked, and the data they collect can be stolen or sensor parameters modified.
In a post on Kaspersky's SecureList blog, researched Dennis Legezo discussed how wireless connections to sensors can be detected and hacked.
"A car driving slowly around the city, a laptop with a powerful Bluetooth transmitter and scanner software is capable of recording the locations of traffic sensors, collecting traffic information from them and, if desired, changing their configurations," Legezo said.
In the case of the Moscow traffic network, city authorities are using sensors mounted on lamp posts and similar to record the size and speed of vehicles to gauge peak periods of traffic, and to transmit this data to a unified traffic control centre.
Legezo said that manufacturer's logos and labels on the outside of the sensor boxes allows a would-be hacker to identify the make and model of sensor just by looking. Documentation about each sensor is widely available on manufacturer websites, and in some cases software is also available.
In field testing Legezo used this information to identify the communications protocols used by each sensor, and to then access their firmware or software memory. Software could then be exploited to steal data, or reconfigure the sensors to change the data being collected. By writing a software scanner to find devices, it was possible to automatically identify and access any sensors within wireless signal range.
While firmware encryption made this method of exploit less useful, Legezo said that software modification meant that data could easily be copied, or the data collected could be changed.
"To sum up, I wouldn't say that traffic stats are a major secret, but tampering with sensor configurations could affect their validity. And that data could be used as a basis for controlling ‘smart' traffic lights and other traffic equipment," he noted.
Kaspersky said it had notified the Moscow authorities of the vulnerability in November last year.