- Cyber Syrup
- Posts
- Remote Hacking Risks in Smart Buses: DEF CON Research Findings
Remote Hacking Risks in Smart Buses: DEF CON Research Findings
Recent research presented at the DEF CON 33 hacker convention has revealed significant cybersecurity risks in smart buses
In partnership with
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Receive Honest News Today
Join over 4 million Americans who start their day with 1440 – your daily digest for unbiased, fact-centric news. From politics to sports, we cover it all by analyzing over 100 sources. Our concise, 5-minute read lands in your inbox each morning at no cost. Experience news without the noise; let 1440 help you make up your own mind. Sign up now and invite your friends and family to be part of the informed.
Remote Hacking Risks in Smart Buses: DEF CON Research Findings
Recent research presented at the DEF CON 33 hacker convention has revealed significant cybersecurity risks in smart buses — vehicles equipped with connected systems to improve safety, efficiency, and passenger experience. Chiao-Lin "Steven Meow" Yu from Trend Micro Taiwan and Kai-Ching "Keniver" Wang from CHT Security conducted the study, focusing on how these buses could be remotely hacked through insecure system design.
How Smart Bus Systems Work
Smart buses integrate two major categories of technology:
Advanced Public Transportation Services (APTS): GPS-based tracking, schedule management, real-time passenger information displays, and route optimization tools.
Advanced Driver Assistance Systems (ADAS): Collision warnings, lane departure alerts, speed limit indicators, traffic sign recognition, and driver/passenger monitoring systems.
Both systems depend on a machine-to-machine (M2M) router that also provides free passenger Wi-Fi. This shared network design became the root of the security issues uncovered.
Vulnerabilities and Attack Path
The researchers discovered that:
Router Authentication Could Be Bypassed
They gained administrative access to the on-board router with minimal effort.No Network Segmentation
Once inside the router, they could freely interact with APTS and ADAS systems.Critical Security Flaws
Command Injections: Allowing direct remote commands.
MQTT Backdoor: Enabling persistent remote access.
Weak or Default Passwords: Especially on onboard cameras.
Unencrypted Protocols: Making MITM attacks trivial.
Potential Real-World Attacks
If exploited, these vulnerabilities could allow hackers to:
Track Exact Bus Locations in real-time.
Hijack Onboard Cameras to spy on passengers and drivers.
Manipulate Passenger Displays to show false information.
Steal Personal Data from both drivers and passengers.
Send False Vehicle State Data to trigger emergency alerts or hide problems.
Disrupt Bus Operations by setting false “Out of Service” statuses.
For example, changing GPS coordinates could delay emergency response in an accident, while falsified RPM data could mask mechanical failures.
Broader Impact and Global Risk
While this study focused on buses in Taiwan, the vendor’s multilingual software support (Chinese, English, Japanese, Vietnamese) suggests these vulnerable systems may be in use internationally. This expands the risk beyond a single country.
Vendor Response
Yu and Wang attempted responsible disclosure to:
BEC Technologies – the U.S.-based router manufacturer.
Maxwin – the Taiwanese provider of intelligent transportation solutions.
Both companies reportedly did not respond, and the vulnerabilities remain unpatched.
Key Takeaways for Cybersecurity in Transportation
Segmentation is Critical: Passenger Wi-Fi and operational systems should never share the same network.
Authentication & Encryption: All protocols should require secure credentials and encrypted communication.
Regular Firmware Updates: Vendors must patch vulnerabilities promptly to reduce exploitation risks.
The research serves as a strong reminder that as public transportation systems become smarter, they also become more exposed to cyber threats if security is not prioritized from the start.