Study Reveals Critical Cybersecurity Flaws in Smart Bus Wi-Fi, Exposing Vehicle Systems to Hackers

August 11, 2025
  • A recent study has uncovered significant cybersecurity risks associated with free Wi-Fi services on smart buses, which utilize a single machine-to-machine (M2M) router that supports both passenger internet and critical vehicle systems.

  • The vulnerabilities arise from the shared M2M router, which powers both the free Wi-Fi and essential in-vehicle controls, leaving those controls susceptible to remote compromise.

  • Researchers Chiao-Lin "Steven Meow" Yu from Trend Micro and Kai-Ching "Keniver" Wang from CHT Security presented these findings at the DEF CON conference, highlighting the potential for hackers to remotely track, control, and spy on buses.

  • The implications of these vulnerabilities are severe; attackers could manipulate GPS data, access camera feeds, alter display information, and disrupt bus operations, potentially causing emergency response delays.

  • The study revealed that the protocols used for these systems lack proper encryption and authentication, making them vulnerable to Man-In-The-Middle (MITM) attacks.

  • Researchers demonstrated how weak authentication measures allowed them to bypass router security, gaining access to Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS) functionalities due to inadequate network segmentation.

  • Among the vulnerabilities identified was an MQTT backdoor, which grants attackers remote access to bus systems, alongside command injection flaws that could provide full control over operations.

  • While the research was conducted on buses in Taiwan, the vulnerabilities are likely to be present in other countries due to the widespread availability of the vendor's systems.

  • Attempts to notify router manufacturers BEC Technologies and Maxwin about these critical flaws went unanswered, leaving the issues unaddressed and unpatched.

  • The findings underscore the risks stemming from insecure onboard and remote components, particularly due to the shared nature of the network used by both passenger services and vehicle controls.

  • APTS includes vital features such as GPS tracking and route scheduling, while ADAS enhances driver safety through various sensors and monitoring systems, both of which are at risk due to these vulnerabilities.

  • This research serves as a stark reminder of the need for improved cybersecurity measures in public transportation systems to protect against potential hacking threats.
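
The segmentation gap described in the bullets above can be audited mechanically. The following is an added example, not code from the researchers or the vendors: it treats a router's zone-forwarding policy as a graph and reports any path from passenger Wi-Fi or the WAN to APTS/ADAS, including indirect paths through the router's management plane. The zone names, the first-match rule format and the three policies are constructed assumptions.

```python
from collections import deque

# Zone names and policies are constructed for illustration (assumptions).
ZONES = ["passenger_wifi", "wan", "router_mgmt", "apts", "adas"]
UNTRUSTED = ["passenger_wifi", "wan"]
CRITICAL = ["apts", "adas"]

def allowed(policy, src, dst):
    """First matching rule wins; '*' is a wildcard; else the default applies."""
    for r_src, r_dst, action in policy["rules"]:
        if r_src in (src, "*") and r_dst in (dst, "*"):
            return action == "allow"
    return policy["default"] == "allow"

def exposure_paths(policy):
    """Shortest forwarding path from each untrusted zone to each critical zone."""
    findings = {}
    for start in UNTRUSTED:
        prev = {start: None}
        queue = deque([start])
        while queue:  # breadth-first search over permitted zone-to-zone hops
            zone = queue.popleft()
            for nxt in ZONES:
                if nxt not in prev and allowed(policy, zone, nxt):
                    prev[nxt] = zone
                    queue.append(nxt)
        for target in CRITICAL:
            if target in prev:
                path, node = [], target
                while node is not None:
                    path.append(node)
                    node = prev[node]
                findings[(start, target)] = path[::-1]
    return findings

# Constructed policies: one shared flat network, one partial fix, one segmented.
SHARED = {"default": "allow", "rules": [("wan", "*", "deny")]}
PARTIAL = {"default": "deny", "rules": [
    ("passenger_wifi", "wan", "allow"),
    ("passenger_wifi", "router_mgmt", "allow"),  # admin service reachable from guest Wi-Fi
    ("router_mgmt", "*", "allow"),
]}
SEGMENTED = {"default": "deny", "rules": [
    ("passenger_wifi", "wan", "allow"), ("apts", "wan", "allow"),
    ("router_mgmt", "wan", "allow"),
]}

if __name__ == "__main__":
    for name, pol in [("shared", SHARED), ("partial", PARTIAL), ("segmented", SEGMENTED)]:
        print(name, exposure_paths(pol) or "no path to APTS/ADAS")
```

The partial policy shows why blocking direct passenger-to-vehicle traffic is not enough: a reachable management zone that can itself forward to APTS/ADAS still yields a two-hop path.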

Summary based on 3 sources



Sources

Free Wi-Fi Leaves Buses Vulnerable to Remote Hacking

