Smart Bus Flaws Expose Vehicles to Tracking, Control, and Spying

Researchers at Trend Micro Taiwan and CHT Security have uncovered an alarming flaw in the onboard and remote systems of smart buses, exposing them to tracking, control, and spying. The vulnerabilities, which were presented during the DEF CON hacker conference last week, leave bus operators and authorities with a pressing cybersecurity concern.

The researchers began their investigation after spotting free passenger Wi-Fi on one of the buses. They soon discovered that the same M2M (Machine-to-Machine) router was powering both the Wi-Fi network and critical in-vehicle systems such as Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS). APTS is a centralized system that manages GPS tracking, passenger/operator interfaces, route scheduling, and bus stop panels, all of which are linked to a central server. ADAS, on the other hand, uses sensors, cameras, radar, and LiDAR to aid driver safety with features such as collision warnings, lane alerts, speed and sign recognition, and driver/passenger monitoring.

The researchers found that the lack of network segmentation in the bus system made it vulnerable to cyber attacks. They demonstrated how to bypass the router's authentication and, because of this oversight, access APTS and ADAS. This allowed them to remotely target vulnerable buses, track locations, access cameras with weak passwords, alter displays, steal data, and breach company servers.
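The segmentation gap described above can be checked for mechanically. The following is an added example, not code from the researchers or the vendors: it audits a zone-forwarding policy for any path, direct or through an intermediate zone, from the passenger Wi-Fi into the vehicle systems. The zone names, the first-match rule format, and both sample policies are assumptions constructed for illustration.

```python
# Added example: audit a zone-forwarding policy for passenger-to-vehicle paths.
# Zone names and both policies are constructed; no real router config is used.
from collections import deque

ZONES = ["passenger_wifi", "apts", "adas", "mgmt", "wan"]
PROTECTED = {"apts", "adas", "mgmt"}

# Flat design: one shared network, every zone forwards to every other zone.
FLAT = {"default": "accept", "rules": []}

# Segmented design: default drop, explicit allows only. First match wins.
SEGMENTED = {
    "default": "drop",
    "rules": [
        ("passenger_wifi", "wan", "accept"),
        ("apts", "wan", "accept"),       # telemetry to the central server
        ("mgmt", "apts", "accept"),
        ("mgmt", "adas", "accept"),
        ("passenger_wifi", "*", "drop"),
    ],
}

def allowed(policy, src, dst):
    """First-match evaluation of a forward from src zone to dst zone."""
    for r_src, r_dst, action in policy["rules"]:
        if r_src in (src, "*") and r_dst in (dst, "*"):
            return action == "accept"
    return policy["default"] == "accept"

def paths_from(policy, start):
    """BFS over zones; returns {zone: shortest zone path from start}."""
    seen = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in ZONES:
            if nxt not in seen and allowed(policy, cur, nxt):
                seen[nxt] = seen[cur] + [nxt]
                queue.append(nxt)
    return seen

def audit(policy, untrusted="passenger_wifi"):
    """Return protected zones reachable from the untrusted zone, with path."""
    paths = paths_from(policy, untrusted)
    return {z: p for z, p in paths.items() if z in PROTECTED}

if __name__ == "__main__":
    for name, pol in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(pol) or "no path into protected zones")
```

An empty result means no forwarding path exists from the passenger zone into APTS, ADAS, or management; a multi-hop path in the result points at the intermediate zone whose rule needs tightening.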

A detailed analysis of the environment revealed multiple vulnerabilities, including an MQTT (Message Queuing Telemetry Transport) backdoor that allows remote attackers to access the bus systems. The researchers also discovered that hackers could steal and alter GPS, RPM, and speed data, triggering false alerts and impacting operations.

Despite the researchers' efforts to contact the router maker BEC Technologies and Taiwan's Maxwin, the companies remained unresponsive. As a result, the flaws remain unpatched, leaving bus operators and authorities with a significant risk of cyber attacks on their vehicles.

Risks from Insecure Onboard and Remote Components

The discovery of these vulnerabilities highlights the risks associated with insecure onboard and remote components in smart buses. APTS, which manages GPS tracking, passenger/operator interfaces, route scheduling, and bus stop panels, is a centralized system that can be accessed remotely by hackers.

ADAS, on the other hand, uses sensors, cameras, radar, and LiDAR to aid driver safety with features such as collision warnings, lane alerts, speed and sign recognition, and driver/passenger monitoring. However, if these systems are compromised, it could have serious consequences for road safety.

Furthermore, the use of weak passwords and the lack of network segmentation in smart bus systems make them vulnerable to cyber attacks. This is particularly concerning given the presence of cameras and other sensors that can be accessed remotely by hackers.

Conclusion

The discovery of these vulnerabilities in smart buses highlights the need for bus operators and authorities to prioritize cybersecurity. The risks associated with insecure onboard and remote components are significant, and it is essential to take steps to address them before they can be exploited by cyber attackers.

In conclusion, the flaws in smart bus systems expose vehicles to tracking, control, and spying. It is crucial for bus operators and authorities to take immediate action to patch these vulnerabilities and ensure that their systems are secure from cyber attacks.