I am frustrated with the lack of cooperation from Sensys Networks (the vendor of the vulnerable devices), but I realize that I should be thankful. This has prompted me to further my research and try different things, like performing passive onsite tests on real deployments in cities like Seattle, New York, and Washington DC. I’m not so sure these cities are equally thankful, since they have to deal with thousands of installed vulnerable devices, which are currently being used for critical traffic control.
The latest Sensys Networks numbers indicate that approximately 200,000 sensor devices are deployed worldwide. See http://www.trafficsystemsinc.com/newsletter/spring2014.html. Based on a unit cost of approximately $500, approximately $100,000,000 of vulnerable equipment is buried in roads around the world that anyone can hack. I’m also concerned about how much it will cost taxpayers to fix and replace the equipment.
One way I confirmed that Sensys Networks devices were vulnerable was by traveling to Washington DC to observe a large deployment that I got to know, as this video shows:
When I exited the train station, the fun began, as you can see in this video. (Thanks to Ian Amit for the pictures and videos.)
Disclaimer: no hacking was performed. I just looked at wireless data with a wireless sniffer and an access point displaying it graphically using Sensys Networks software along with sniffer software; no data was modified and no protections were bypassed. I just confirmed that communications were not encrypted and that sensors and repeaters could be completely controlled with no authentication necessary.
Maybe the devices are intentionally vulnerable so that the Secret Service can play with them when Cadillac One is around. 🙂
As you can see, Washington DC and many cities around the world will remain vulnerable until Sensys Networks takes action. In the meantime, I really hope no one hacks these devices and causes traffic problems and accidents.
I would recommend closely monitoring these systems, watching for any malfunction, and always having secondary controls in place. These types of devices should be security audited before being used, to avoid these kinds of problems and to increase their security. Vendors should also be required, in some way, to properly document and publish the security controls, functionality, and so on, of their products in order to quickly determine if they are good and secure.
See you at DEFCON!