Land Transport

Published on 03 Jun 2019

Updated on 08 Oct 2019

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

In recent times, public transportation around the world, such as buses and rail systems, has faced cyber-attacks. The WannaCry ransomware campaign that swept across the world in May 2017 also affected the payment and bus routing systems in Germany and the UK. Fortunately, the control systems of the trains and buses were not affected then, but they remain a possible target.

In terms of private transportation, researchers have demonstrated on several occasions how it is possible for hackers to take over different aspects of a car’s operations, including the air conditioner, windshield wiper, the steering, and even the brakes. As more vehicles are outfitted with more electronic systems, also referred to as Electronic Control Units (ECUs), they can also become targets that adversaries may remotely attack. Autonomous vehicle trials are expected to be run soon in the UK, and are already ongoing in the USA and Singapore. Cybersecurity would need to be as integral to the car’s design as seat-belts are today.

REPORTS

CARS WITH VULNERABLE DONGLE CAN BE HACKED VIA BLUETOOTH

Cyber security firm Argus has demonstrated that it can remotely disable the engine of a car using the Bosch Drivelog Connector OBD-II dongle. The researchers did so by injecting commands to the vehicle through the dongle, which was plugged into the car. The Bosch dongle lets a driver review the vehicle’s health and track mileage, among other functions. In certain countries such as the USA, insurance companies offer discounts to customers that install such devices in their cars, allowing the insurers to monitor their driving habits. Since these findings, Bosch has implemented a two-factor authentication (2FA) process to authenticate the mobile device issuing the commands, and is currently working on a firmware update for the affected dongle to patch the vulnerability.

An exclusion clause for cyber-attacks in many insurance policies means that a large part of the industry is not covered against cyber attacks.


RANSOMWARE LOCKED UP SAN FRANCISCO PUBLIC TRANSPORTATION TICKET MACHINES

In November 2016, San Francisco’s Municipal Transportation Agency was hit by a ransomware attack, which took down ticketing systems at train stations and systems used to manage the city’s buses. Display screens at the affected stations showed a ransom message linked to ransomware families Mamba and HDDCryptor. Such malware had reportedly emerged in September 2016. The incident took two days to resolve, during which train passengers were allowed to ride for free, and bus drivers were provided with handwritten route assignments.


FOUR CYBER-ATTACKS ON UK RAILWAYS IN 2015

According to British cybersecurity firm Darktrace, the UK railway network was the victim of at least four cyber-attacks in 2015. Although the attacks did not result in any disruption per se, they demonstrated that attackers may have the ability to do so, Darktrace said in July 2016. Another cybersecurity company, Kaspersky Lab in Moscow, said it has discovered weaknesses in rail infrastructure which affect train safety. Kaspersky said hackers can get access not only to simple things like online information boards or in-train entertainment, but also to computer systems which manage the trains' operations.


WATCHDOG FINDS AUSTRALIAN RAIL NETWORKS WIDE OPEN TO CYBER ATTACK

After conducting an audit of Industrial Control Systems for passenger train services, the auditor-general of the Australian state of Victoria published a warning regarding the state’s public train network. The auditor-general discovered security vulnerabilities in train IT systems that exposed the transportation network to the threat of "extended or complete loss of train services". In the report published in Nov 2016, the auditor-general highlighted a number of shortcomings in securing the control systems of the train network, including poor controls for identifying and responding to cyber security events, and a lack of management oversight over control systems.

UK PUBLISHES NEW CYBER SECURITY STANDARD FOR SELF-DRIVING CARS

A new cyber security standard for developing technology incorporated into self-driving cars was released by the British Standards Institute in Jan 2019. Working with academics and experts from leading businesses in the car industry including Jaguar Land Rover, Ford and Bentley, as well as the National Cyber Security Centre, and funded by the Department for Transport, the British Standards Institute formulated a cybersecurity plan for the next generation of autonomous vehicles.

The automated vehicle market is forecast to be worth up to £52 billion by 2035, a value that would potentially be disrupted should manufacturers not devise an effective strategy against the attacks that continue to be one of the main threats facing autonomous technology.


SOURCES INCLUDE: Ars Technica, Gov.UK, Sky News, The Age, HackRead, SAE International, FBI Internet Crime Complaint Center (IC3)