Communications are not encrypted, exposing data to interception

Apr 30, 2014 12:31 GMT  ·  By

At the upcoming Infiltrate conference in Florida, IOActive researcher Cesar Cerrudo will demonstrate that hackers can manipulate the vehicle traffic control systems used in 40 major cities in the United States. 

According to Wired, Cerrudo had found that hackers could use the magnetic sensors embedded in the street as an attack vector. The sensors feed data on traffic to access points and repeaters. These components then pass on data to traffic signal controllers.

The sensors are efficient because they’re easy to install and their battery lasts for 10 years. The information from these sensors is used for traffic lights and traffic information systems.

The solution is developed by Sensys Networks. The expert tested his findings on the Sensys Networks VDS240 wireless vehicle detection system. He managed to convince the company to sell him an access point for $4,000 (€2,900).

These access points can’t be purchased by anyone, but the researcher got the company to sell him one by claiming that he needed a unit to conduct some tests for a customer.

The problem, as the expert highlighted in a report sent to the DHS’s ICS-CERT, is that the wireless communication between the sensor and the access point is based on a protocol called the Sensys NanoPower Protocol, which doesn’t implement any security mechanism.

Communications are not encrypted, and the NanoPower Protocol could be reverse-engineered, the researcher noted. An attacker could disable or misconfigure the sensors, and manipulate the data that’s being sent by mimicking sensor information. This could lead to traffic disruptions, accidents and congestions.

Cerrudo has conducted his tests with a device from the vendor, but he highlights the fact that an attack could also be carried out without the original access point. An attacker could simply use a wireless transceiver. It would be a bit trickier because it would be more difficult to interpret the data, but it can be done.

With a regular wireless transmitter, the attacker would have to be within 150 feet (45 meters) from the sensor, but a powerful antenna increases the maximum distance to 1,500 feet (450 meters), maybe even a mile (1.6 kilometers) if a strong antenna is utilized.

The security expert has also conducted a test with a drone, managing to send data from over 600 feet (180 meters) in the air.

So will these issues be addressed? Apparently, not any time soon. New versions of the sensors developed by Sensys are a bit more secure since the firmware updates are encrypted.

It’s unlikely that the old ones will be replaced any time soon because that would require digging up the roadbed. Furthermore, Sensys representatives have told Wired that the DHS is “happy with the system.”

Cerrudo reported his findings to ICS-CERT, which got in touch with Sensys. The company has told ICS-CERT that the encryption mechanism was removed in the early stages of the development cycle based on customer feedback.

ICS-CERT has told the researcher that there’s nothing more it can do at this point. If there is evidence of vulnerabilities being exploited, the matter will be revisited.

Update. Cerrudo has published a blog post on this topic. Check it out for additional details!