Smart city's transport infrastructure is hackable!

If the data of the smart transport monitoring system is compromised, it can cause millions in losses to the city.

Soma Tah
New Update

BANGALORE, INDIA: Transport infrastructure in a modern megalopolis represents a very complicated system, containing different sorts of traffic and road sensors, cameras, and even smart traffic light systems. All the information gathered by these devices is delivered and analyzed in a real-time by the special city authorities. Decisions about future road constructions and transport infrastructure planning can be made based on this information.


But, if the data is compromised it can cause millions in losses to the city. For example, if fraudulent access to the transport infrastructure is gained, the following may occur:

  • The data gathered by road sensors may be compromised in an attempt to sabotage it or resell it to third parties;
  • Modification, falsification and even deletion of critical data;
  • Demolition of the expensive equipment;
  • Sabotage the work of the city authority’s services.

Where's the loophole?


A recent research by a Kaspersky Lab expert in Moscow was conducted on a network of road sensors that gather traffic flow information - in particular the quantity of vehicles on the road, their type and average speed. This information is transferred to the city authority’s command center. City traffic authorities receive the information and use it to support and update a real-time road traffic map. The map, in turn, could then serve as a source of data for city road system construction or even for automating traffic light system controls.

The first security issue, discovered by the researcher, was the name of the vendor clearly printed on the sensor’s box. This crucial information helped the Kaspersky Lab expert to find more information online about how the device operates, what software it uses etc. The researcher discovered that the software used to interact with the sensor, as well as technical documentation, were all available on the vendor’s website. In fact, the technical documentation explained very clearly what commands could be sent to the device by a third party.

Just walking near the device, the researcher was able to access it via Bluetooth as no reliable authentication process was implemented.


Using the software and technical documentation, the researcher was able to observe all data gathered by the device. He was able to modify the way the device gathers new data: for example changing the type of vehicle recorded from a car to a truck, or changing the average traffic speed. As a result all newly gathered data was false and not applicable to the needs of the city.

“It is essential to address these threats now, because in the future this could affect a bigger part of city’s infrastructure”, said Denis Legezo, Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky Lab.

Measures needed to be taken

Kaspersky Lab recommends several measures to help prevent a successful cyber attack against transport infrastructure devices. These include:

  • Remove or hide the vendor’s name on the device, as this could help an attacker to find tools online for hacking the device;
  • Change the default names of the device and disguise the vendor’s MAC addresses if possible;
  • Use two steps of authentication on devices with Bluetooth connectivity and protect them with strong passwords;
  • Cooperate with security researchers to find and patch vulnerabilities.