9/28/2016Researchers Find Speed Cameras Vulnerable To Hacking
Computer security firm exposes the ease with which speed cameras and red light cameras can be compromised over the Internet.
Researchers earlier this month announced they had uncovered security vulnerabilities in the speed camera models used in several countries. According to Vladimir Dashchenko and Denis Makrushin from Kaspersky Lab, these devices can be easily manipulated. The results were published in a security conference paper about the security hazards in smart cities.
"We found speedcam IP addresses by pure chance," Dashchenko and Makrushin wrote in their paper.
The Russian researchers were using the Shodan search engine to explore the security implications of the "smart city" fad. They hypothesized that the rush to deploy high-tech, "Internet of things" devices to improve the municipal infrastructure often meant that security was left behind. Although the report does not disclose which company's speed cameras were vulnerable, a simple search on Redflex turns up the IP addresses for the red light cameras in, for example, Chesapeake, Virginia.
"You are accessing a Redflex Traffic Systems, Inc. information system," is the message displayed to anyone attempting to log in. "Use of this system may be monitored, recorded and subject to audit. Improper or unauthorized use or access of this information system is prohibited and subject to official sanctions including termination, or criminal and civil penalties. Use of this information system indicates consent to monitoring and recording."
The stern warnings were not backed up with actual security measures, as the researchers found little problem in accessing systems from the unnamed manufacturers.
"We decided to check that passwords were being used," Dashchenko and Makrushin wrote. "Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. Openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of cameras, as well."
The lack of security measures extended to the routers and other equipment installed to support the automated ticketing machines. Lazy administrators often neglect to set passwords on the devices when they are first installed, which opens the internal networks used by the cameras to access from anywhere.
"Even in not so smart cities, those devices are already processing gigabytes of citizens' data and unfortunately are not always secure enough to defend against third parties set on manipulating them," the researchers explained.
Most troublingly, Dashchenko and Makrushin accessed systems that allowed speed camera settings to be changed, opening a number of possibilities for mischief. This can even lead to setting up dangerous felony traffic stops for motorists who have done nothing wrong.
"A criminal can get access to a database of vehicles registered as stolen and can add vehicles to it or remove them from it," the researchers explained. "We have notified the organizations responsible for operating speed cameras in those countries where we identified the above security issues."
Kaspersky Lab sells security consulting services, so it is not a surprise that the report recommends a full-scale security audit, penetration testing and other measures to harden the systems against unauthorized access. Above all, the report recommends the obvious step of not assigning external IP addresses to photo ticketing machines so that they are not visible on the public Internet.
A copy of the report is available in a 500k PDF file at the source link below.