290/68 Wednesday, August 13, 2025
Cybersecurity researchers Chiao-Lin “Steven Meow” Yu from Trend Micro Taiwan and Kai-Ching “Keniver” Wang from CHT Security revealed at the DEF CON hacker conference that they discovered critical vulnerabilities in Smart Bus systems. These flaws could allow attackers to remotely track vehicle locations, control systems, or surveil the interior of the buses. The vulnerabilities stem from insecure designs in both the onboard systems and remote management platforms.
The research began when the team investigated the cybersecurity posture of Smart Buses after noticing that the vehicles provided free passenger Wi-Fi. They found that the same M2M router was being used for both public internet access and connections to critical internal systems—including the Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS). APTS handles GPS tracking, route scheduling, electronic display boards, and real-time passenger systems, while ADAS utilizes cameras, sensors, radar, and LiDAR for collision warnings, lane detection, traffic sign reading, and monitoring driver and passenger behavior. The use of a shared network without clear segmentation was identified as a serious security risk.
The researchers demonstrated how attackers could bypass authentication on the router to gain direct access to both APTS and ADAS. This could allow them to track bus locations, access CCTV feeds with weak passwords, alter information on digital displays, steal data, breach company servers, and manipulate GPS data, engine RPM, or vehicle speed to trigger false alerts. Additionally, they uncovered an MQTT backdoor vulnerability that could enable full remote control of the vehicle.
Despite notifying router manufacturer BEC Technologies and Taiwanese company Maxwin, the researchers reported receiving no response, and as of now, the vulnerabilities remain unpatched.
