
By Jason Yuan (VicOne) & Steven Yu (Trend Micro)
Public transport fleets are rapidly adopting advanced driver assistance systems (ADASs), cloud dispatch platforms, and “smart city” integrations to deliver more seamless rider experiences. Yet a recent demo at DEF CON 33 exposed how fragile this connected infrastructure can be. Security researchers Chiao-Lin Yu of Trend Micro Taiwan and Kai-Ching Wang of CHT Security framed it plainly: anyone connecting to the bus’s free Wi-Fi could gain access to its on-board systems, including those tied to control functions.
This isn’t a one-off stunt: it mirrors the current technology stack powering modern vehicle fleets. While software-defined vehicles (SDVs) and vehicle-to-everything (V2X) promise agility and smarter cities, the reality is very different. Many fleets still rely on legacy web servers, default credentials, plaintext protocols, and flat, unsegmented networks, creating conditions where real cybersecurity risks emerge.
Seamless convenience vs hidden costs
Smart cities have made modern buses more predictable. Stops display live arrivals on bright digital screens. Journey-planner apps track vehicles on a map with accurate estimated times of arrival (ETAs). Dispatchers monitor fleets in real time, adjust schedules, and send announcements. On-board tablets sync routes and driver relief points, while cameras upload video clips, and passenger counters feed demand models that help reshape future timetables.
The entire transit experience feels seamless because the vehicle never travels alone. It is part of a connected ecosystem: a web of roadside screens, public APIs, depot systems, and vendor clouds that exchange a constant flow of position, health, and status data.
Underneath that convenience is a simple pattern: an in-vehicle router aggregates GPS, diagnostics, cameras, and passenger systems, then sends data over cellular networks to city and vendor backends. These backends distribute the same feed to multiple consumers: the real-time API in apps, the arrival board on the curb, the analytics stack in the depot, and even the contractor maintaining the cameras. A handful of protocols and web services tie all these together, often replicated across hundreds of vehicles and dozens of integrators, each with their own portals and management consoles.
The hidden cost is that much of this infrastructure was built during the last decade’s IoT boom and still carries many of its old habits:
- Flat, unsegmented networks. Passenger Wi-Fi traffic often runs on the same network as critical vehicle systems, an architecture that attackers can exploit.
- Web consoles transmitting data in plaintext. Sensitive information, including credentials, may be exposed without encryption.
- Default credentials persist after deployment. Accounts or systems are deployed without changing factory-set usernames and passwords.
- Temporary debug paths become permanent interfaces. Testing interfaces are often left enabled, creating hidden entry points.
- Gateways behaving like power strips for data. Instead of enforcing authentication and policy, they pass through all traffic without proper checks.
None of these are visible from the sidewalk or the app. The experience feels seamless precisely because the internal boundaries are porous.
This is the contradiction at the heart of modern smart-city transit: sophisticated systems deliver the convenience people expect, but too often they are built on top of 2010s-era security mistakes. The same data “pipes” or digital pathways that carry information across systems, powering ETAs and live maps, can also carry forged locations, leaked identifiers, and unauthenticated commands. And when a city’s mobility depends on those pipes, fragility stops being a nuisance and becomes an operational risk.
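The pass-through gateway from the list above can be caught with a policy check before deployment. The following added example (not from the original article) evaluates ordered first-match gateway rules and reports which management surfaces a passenger-network client could reach, including the case where a broad allow rule shadows a later deny. Only the router address 192.168.0.254 comes from the article; the other addresses, ports, subnets and the rule format are assumptions.

```python
import ipaddress

# Constructed inventory. Only 192.168.0.254 (the router) comes from the article;
# every other address, port and subnet is an assumption for illustration.
PASSENGER_NET = ipaddress.ip_network("10.10.0.0/24")
MGMT_SURFACES = [
    ("router web admin", "192.168.0.254", 80),
    ("router SSH", "192.168.0.254", 22),
    ("camera web UI", "192.168.0.20", 80),
    ("MQTT broker", "192.168.0.30", 1883),
]

# Ordered first-match rules: (action, source net, destination net, port or None = any).
SEGMENTED = [
    ("deny", "10.10.0.0/24", "192.168.0.0/24", None),  # passengers never reach on-board LAN
    ("allow", "10.10.0.0/24", "0.0.0.0/0", 443),       # outbound HTTPS
    ("allow", "10.10.0.0/24", "0.0.0.0/0", 53),        # DNS
]
PASS_THROUGH = [("allow", "0.0.0.0/0", "0.0.0.0/0", None)]  # the "power strip" gateway
# Looks segmented, but a broad allow placed first shadows the deny for port 80.
SHADOWED = [("allow", "10.10.0.0/24", "0.0.0.0/0", 80)] + SEGMENTED


def decide(rules, src, dst, port, default="deny"):
    """Return the action of the first rule matching the flow, else the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return default


def exposed_surfaces(rules, default="deny"):
    """Names of management surfaces a passenger-network client is allowed to reach."""
    client = str(next(iter(PASSENGER_NET.hosts())))
    return [name for name, ip, port in MGMT_SURFACES
            if decide(rules, client, ip, port, default) == "allow"]


if __name__ == "__main__":
    for label, rules in (("pass-through", PASS_THROUGH), ("shadowed", SHADOWED),
                         ("segmented", SEGMENTED)):
        print(f"{label:13} exposed: {exposed_surfaces(rules) or 'none'}")
```

Run as an acceptance test, any non-empty result for the deployed rule set is a failed boundary.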
From Wi-Fi to full control
Starting from the bus’s guest Wi-Fi, the researchers followed a straightforward attack sequence. First, they enumerated the local router at 192.168.0.254 and used CVE-2022-45956, a 2022 n-day vulnerability, to bypass its web authentication. From there, they pulled credentials from the router’s configuration pages, opened SSH access, and abused a built-in utility to execute commands. Weak passwords on connected cameras and a vendor system, combined with plaintext services and browsable directories on an ADAS backend, turned each hop into a short, repeatable step.
Figure 1. Attack chain mapping of the demo, illustrating how the researchers pivoted from the bus’s guest Wi-Fi network to gain broader access and compromise critical systems
In their demo, an attacker on a single bus ride was able to watch live camera feeds, retrieve GPS data from the Message Queueing Telemetry Transport (MQTT) broker, browse backend fleet and route pages, decode vehicle status data from plaintext Advanced Public Transportation System (APTS), and log into a vendor’s remote server, all from the guest Wi-Fi network.
Securing smart transit systems
The researchers’ findings remind us that the same “digital pipes” that carry the data powering live ETAs, route updates, connected services, and other conveniences must also carry trust. In current systems, that trust flows a little too casually.
The good news is that addressing these issues doesn’t require moon-shot research or a complete five-year overhaul. It’s mostly about rethinking assumptions and adopting a zero-trust mindset – building with the expectation that no user, device, or network is inherently trusted. Every interaction with these systems must be verified, and the data driving operations should be treated as safety-critical, not merely informative.
Designing for abuse, and not just for failure, is the mindset shift that is needed. For example, arrival boards and journey-planner apps were designed to withstand outages and spotty network coverage; now they must also resist deliberate manipulation. This shift reframes familiar priorities:
- Identity is no longer a mere login screen. It becomes a property of devices and messages themselves.
- Integrity stops being a transport checkbox. It becomes a cryptographic guarantee that follows the data payload into analytics and dispatch systems.
- Segmentation is no longer just a topology diagram. It must be an enforced boundary ensuring that a passenger network can never see a management surface.
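One way to make identity and integrity properties of the message itself, shown as an added example that is not from the original article or the researchers’ work: each telemetry message carries a device ID, sequence number, timestamp and authentication tag, and the consumer rejects anything forged, stale or replayed. HMAC-SHA256 with a per-device shared key stands in here so the code runs on the Python standard library (a feed with several consumers would use asymmetric signatures instead); the device name, key, field names and 30-second window are assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device key; in a fleet each unit would hold its own hardware-bound key.
DEVICE_KEYS = {"bus-0042": b"constructed-key-for-bus-0042"}
MAX_SKEW_S = 30  # assumed freshness window in seconds
FIELDS = ("device", "seq", "ts", "payload")

def canonical(body: dict) -> bytes:
    """Serialize deterministically so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(device: str, seq: int, ts: float, payload: dict, key: bytes) -> dict:
    body = {"device": device, "seq": seq, "ts": ts, "payload": payload}
    return {**body, "tag": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

class Verifier:
    """Consumer-side check, run before a message reaches dispatch or analytics."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per device

    def verify(self, msg: dict, now: float) -> str:
        key = self.keys.get(msg.get("device"))
        if key is None:
            return "reject: unknown device"
        expected = hmac.new(key, canonical({k: msg.get(k) for k in FIELDS}),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag")).encode()):
            return "reject: bad tag"
        if abs(now - msg["ts"]) > MAX_SKEW_S:
            return "reject: stale"
        if msg["seq"] <= self.last_seq.get(msg["device"], -1):
            return "reject: replay"
        self.last_seq[msg["device"]] = msg["seq"]
        return "accept"

def demo() -> list:
    now, key = 1_700_000_000.0, DEVICE_KEYS["bus-0042"]  # constructed clock value
    v = Verifier(DEVICE_KEYS)
    good = sign("bus-0042", 1, now, {"lat": 25.0330, "lon": 121.5654}, key)
    forged = {**good, "seq": 2, "payload": {"lat": 0.0, "lon": 0.0}}  # tag not recomputed
    old = sign("bus-0042", 3, now - 600, {"lat": 25.0, "lon": 121.5}, key)
    return [v.verify(m, now) for m in (good, forged, good, old)]

if __name__ == "__main__":
    print(demo())
```

Because the tag covers the device ID, sequence number and timestamp along with the payload, the check still holds after the message has left the broker and been stored or forwarded.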
Procurement is where this cultural shift becomes tangible. Certifications and feature lists are helpful, but they don’t guarantee the properties that transit systems actually depend on. Fleet operators and other industry stakeholders should require vendors to demonstrate specific behaviors in testing labs before deployment, such as unique, hardware-bound credentials, mutual authentication for brokers, no diagnostic endpoints capable of executing shell commands, no plaintext admin surfaces, reproducible software bills of materials (SBOMs), and fast security patch service level agreements (SLAs).
Securing smart transit systems isn’t about rebuilding everything from scratch. It is about hardening the “digital pipes” and validating every connection and data flow. By adopting secure-by-design principles and treating transit data as safety-critical, smart cities can strengthen the seamless transit convenience riders love while staying ahead of the evolving threat landscape.
The DEF CON bus hack demo underscores the importance of these measures and highlights the need for automotive cybersecurity tools that detect vulnerabilities before attackers exploit them. xZETA, VicOne’s vulnerability and SBOM management solution, provides smart transit and fleet operators with deep visibility into emerging threats or zero-days and known vulnerabilities such as CVE-2022-45956, the n-day used in the demo.