Smart city road sensors vulnerable to hacking, security experts warn

Road sensors that gather information about city traffic flow are at risk of being hacked — compromising the data gathered and processed by these sensors.

That’s according to field tests conducted by a Kaspersky Lab expert in Moscow which uncovered several security issues in smart city transport infrastructure.

The expert investigated a network of road sensors that gather traffic flow information such as the number of vehicles on the road, their type and average speed.

Among the security issues identified was:

  1. The name of the vendor was clearly printed on the sensor’s box, allowing the Kaspersky Lab expert to find more information online about how the device operates and what software it uses. On the vendor’s website the researcher found technical documentation explaining what commands could be sent to the device by a third party.
  1. Just walking near the device, the researcher was able to access it via Bluetooth as there was no reliable authentication process, Kaspersky Lab reported. Anyone with a Bluetooth-enabled device and software for discovering passwords via multiple variants (brute force) could connect to a road sensor in this way, the company warned.
  1. Next, using the software and technical documentation, the researcher was able to observe all data gathered by the device. He was also able to modify the way the device gathers new data, for example changing the type of vehicle recorded from a car to a truck, or changing the average traffic speed.

Decisions about future road projects and transport infrastructure planning can be made based on this information, so if the data is compromised it could potentially cause millions in losses to the city.

Denis Legezo, security researcher in Kaspersky Lab’s Global Research and Analysis Team, said: “Without the data gathered by these sensors, actual traffic analysis and subsequent city transport system adjustments would not be possible.

“These sensors can be used in the future to create a smart traffic light system and also to decide what kind of roads should be built, and how traffic should be organised, or reorganised, in what areas of city.

“All these issues mean that the work of sensors and the quality of data gathered by them should be accurate and stable. Our research has shown that it is easy to compromise the data. It is essential to address these threats now, because in the future this could affect a bigger part of city’s infrastructure.”

To address the issues raised by the research, Kaspersky Lab recommends:

  • Removing or hiding the vendor’s name on the device, as this could help an attacker to find tools online for hacking the device;
  • Changing the default names of the device and disguising the vendor’s MAC addresses if possible;
  • Using two steps of authentication on devices with Bluetooth connectivity and protecting them with strong passwords; and
  • Cooperating with security researchers to find and patch vulnerabilities.

Sign up to our newsletter

Meet our experts