.... 

Transport infrastructure in modern cities typically includes an array of traffic and road sensors, cameras, and even smart traffic light systems. Data from these devices is gathered in real time and used to manage traffic flows and other functions via real-time road traffic maps, as well as being collated for future planning decisions.

The Kaspersky team found that the name of the vendor was clearly displayed on a sensor's box. Technical documentation, including information on what commands could be sent to the device by a third party, was readily available from the vendor's web site.

No authentication was required to communicate with the Bluetooth-enabled device. "Anyone with a Bluetooth-enabled device and software for discovering passwords via multiple variants (brute force) could connect to a road sensor in this way," the Kaspersky team discovered.

Using specialist software and technical documentation, the researcher was able to observe all data gathered by the device. He was able to modify the way the device gathers new data: for example, changing the type of vehicle recorded from a car to a truck or changing the average traffic speed. As a result, all newly gathered data was misleading garbage.

Decisions about future road construction and transport infrastructure planning are made based on information from sensors. So as well as the immediate risk of traffic jams, there's a bigger, longer-term problem if the integrity of collected data isn't assured.

"Without the data gathered by these sensors, actual traffic analysis and subsequent city transport system adjustments would not be possible," said Denis Legezo, a security researcher at Kaspersky Lab.

.....