At a recent hacker convention, a team of cybersecurity researchers demonstrated a concerning new threat to public transportation. Their findings revealed that “smart buses,” which are equipped with various digital systems to improve efficiency and safety, are susceptible to remote hacking. The investigation began when the team noticed that the free Wi-Fi offered to passengers was connected to the same machine-to-machine router that manages critical vehicle systems. This shared network created a significant entry point for potential attackers. By bypassing the router’s weak authentication, the researchers gained access to the bus’s entire system.
How Hackers Can Manipulate Bus Systems
Once inside the network, the researchers discovered they could exploit several vulnerabilities, including command injection flaws and a backdoor in the messaging protocol. These weaknesses allowed them to perform a variety of malicious actions. They could track the bus’s exact GPS location, access onboard camera feeds with easily guessable default passwords, and even manipulate on-board displays. The researchers also found they could obtain sensitive passenger and driver information and potentially access the transportation company’s central servers, creating a major data breach risk.
FCRF Launches India’s Premier Certified Data Protection Officer Program Aligned with DPDP Act
Threat to Safety and Operations
The implications of these security flaws go beyond simple data theft. The researchers demonstrated how an attacker could change a bus’s GPS location, which could delay emergency response in the event of an accident. They could also falsify engine speed data to hide real mechanical problems or trigger false emergency alerts. By manipulating vehicle status data, a hacker could set a bus to “out of service,” disrupting schedules and causing widespread operational chaos. The researchers noted that the communication protocols in use were unencrypted and lacked authentication, making them vulnerable to Man-in-the-Middle (MITM) attacks where content could be directly modified or forged.
A Call for Urgent Action
The research was conducted on buses in Taiwan, but the team warned that the vulnerable systems, provided by a U.S.-based technology vendor, are likely used in other countries as well. The vendor’s products offer multiple language options, suggesting a global reach. The researchers attempted to responsibly disclose their findings to the affected vendors, including the router maker BEC Technologies and intelligent transportation solutions provider Maxwin. However, they received no response, and the vulnerabilities reportedly remain unpatched. A cybersecurity initiative has since published advisories detailing the flaws, highlighting the urgent need for a security update to protect millions of commuters worldwide.
