Hacking and manipulating traffic sensors

HITBSecConf2019 - The 10the annual HITB Security Conference in The Netherlands - Trainings, Conference track and Haxpo exhibition. Register now.

With the advent of the Internet of Things, we’re lucky to have researchers looking into these devices and pointing out the need for securing them better. One of these researchers is Kaspersky Lab’s Denis Legezo, who took it upon himself to map the traffic sensors in Moscow and see whether they could be tampered with.

traffic sensors

The answer to that question is yes, they can be manipulated, and consequently lead to poor traffic management and annoyance at best, and at worst situations that endanger both drivers and pedestrians.

The research

His research started with a reconnaissance phase in which he searched for information about the sensors in use – models, identifiers, communication protocols used, technical documentation, sales-oriented documents, software used for working with the devices, etc.

The collected information helped him to write a scanner to search for these specific devices, and he deployed it while wardriving around the city. Among the things he discovered is that one of the sensor models installed in Moscow uses Bluetooth for data communication.

“The openness shown by the manufacturers to installation engineers, their readiness to give them access to tools and documents, automatically means they are open to researchers,” he says.

“After selecting any of the identified sensors, you can install the device configuration software supplied by the vendor on your laptop, drive to the location (the physical address saved in the database), and connect to the device.”

He also discovered that anyone can install new firmware on the device via a wireless connection designated for servicing purposes. He found the manufacturer’s firmware online, but the code didn’t mean much to him as he didn’t know the architecture of the controllers in the device.

He got that information from an engineer who used to work for the manufacturer, and would have likely found out from the same source what kind of encryption was used to protect the firmware, but decided against it as he didn’t have a device to test the modified firmware.

But modifying the firmware is not necessary to make an impact – using the manufacturer’s software for configuring the devices and sending commands to them is much easier.

“After establishing a connection to the traffic sensor using the manufacturer’s software, the commands are no longer a secret – they are visible using a sniffer,” he noted.

“To sum up, a car driving slowly around the city, a laptop with a powerful Bluetooth transmitter and scanner software is capable of recording the locations of traffic sensors, collecting traffic information from them and, if desired, changing their configurations.”

Potential solutions

So what can be done to make this type of attack more difficult (if not impossible)?

Legezo advises using non-standard names and identifiers, and adding proprietary authentication on top of the standard protection implemented in well-known protocols.

He praised the manufacturer for how the firmware is protected, and for sharing publicly information about the devices.

“Personally, I agree with the manufacturer and respect them for this, as I don’t think the ‘security through obscurity’ approach makes much sense these days; anyone determined enough will find out the command system and gain access to the engineering software,” he explained.

“In my view, it makes more sense to combine openness, big bounty programs and a fast response to any identified vulnerabilities, if for the only reason that the number of researchers will always be bigger than the number of employees in any information security department.”