Antoinette Hodes, evangelist & Global Solution Architect, Office of the CTO at Check Point Software runs through the security risks of smart buses
In the age of smart cities, buses have evolved beyond basic transportation and transformed into advanced, high-tech mobile hubs known as ‘smart buses’. The Internet of Things (IoT) has played a pivotal role in this process by enabling real-time tracking, predictive maintenance, improved passenger safety, seamless fare collection, and enhanced vehicle-to-everything (V2X) communication, streamlining operations and passenger experience. However, while these new innovations are considered a major leap forward in public transportation, increased connectivity also brings heightened risks.
IoT devices were not initially built with a security-first mindset. As a result, they lack the necessary controls to defend against potential cyberattacks effectively. Additionally, public Wi-Fi presents a hidden risk, as these networks are often vulnerable to attacks that allow hackers to intercept data or inject malware.
On buses, this could enable attackers to access onboard systems, jeopardising passenger safety and privacy. Without robust encryption and security measures, Wi-Fi becomes an easy entry point for cyber criminals to steal personal data or intercept sensitive information. Therefore, given that transportation is a key part of Critical National Infrastructure (CNI), it has become crucial for organisations operating within the sector to implement the necessary measures to secure the future of smart transportation. But how?
Risks and challenges of securing connected transit systems
Securing connected transit systems presents a range of challenges due to their complexity and the constant need to protect sensitive data while ensuring seamless operations. Smart buses rely heavily on IoT for functions such as passenger tracking, route optimisation, and in-bus entertainment, making them vulnerable to cyberattacks due to inherent weaknesses in their systems. These vulnerabilities include weak passwords, insecure network protocols, outdated software, and poor device management, which can lead to data breaches, service disruptions, and even physical harm.
For instance, a recently discovered vulnerability in buses’ communication networks highlighted the insecurity of devices like GPS, telematics, and entertainment systems. Hackers could exploit these weaknesses to access sensitive data or take control of the vehicle, potentially manipulating critical functions like steering, braking, or transmission through compromised telematics gateways connected to the internal network (CAN bus). This underscores the catastrophic consequences of a cyberattack on a smart vehicle via an IoT vulnerability.
Additionally, another challenge in securing smart transportation lies in the lack of consistent global standards for IoT security. Regulatory gaps further exacerbate the issue, as security requirements vary across regions, resulting in inconsistent protection. However, this should not deter the transportation sector from proactively securing its IoT systems. Understanding the IoT threat landscape and addressing vulnerabilities will help eliminate potential entry points for malicious actors.
Threats and tactics targeting public transportation systems
Cyber criminals are targeting public transportation systems through various different methods, including firmware manipulation, which can lead to data theft or service disruptions. Other techniques used by threat actors include traffic sensor manipulation, where unauthorised individuals hijack sensors to falsify data, leading to altered traffic light sequences and route disruptions.
Furthermore, another growing concern is supply chain attacks, where hackers target trusted software vendors to insert backdoors, creating hidden vulnerabilities within transportation systems. This highlights the critical need for unified security standards and proactive monitoring to safeguard not only the technology but the entire infrastructure from evolving cyber threats.
The consequences of such breaches are significant. Cyber criminals may gain access to sensitive passenger data and payment information, resulting in identity theft and financial losses. Operational disruptions can delay services and jeopardise passenger safety. In severe cases, attackers may infiltrate communication systems, manipulate navigation, or take control of critical functions, posing serious safety risks.
Proactive cybersecurity for the future of connected mobility
As smart transportation continues to evolve, cybersecurity must be prioritised to protect operations and passenger safety. IoT gateways serve as the first line of defense, securing communication between telematics, ticketing, and GPS systems without compromising performance. These hardened gateways prevent unauthorised access to critical data and infrastructure, safeguarding real-time operations from cyber threats. Ensuring that only authorised devices interact with the system reduces the risk of breaches and lateral movement.
To enhance cyber resilience, smart bus systems should adopt three key security principles: network segmentation to isolate critical assets, least-privilege access controls, and a Zero Trust architecture that verifies every connection. Maintaining security throughout the vehicle’s lifecycle also requires regular updates, continuous monitoring, and effective incident detection.
These proactive measures are essential for ensuring safe, uninterrupted service while protecting infrastructure and passenger data from evolving cyber threats. A robust, system-wide approach to IoT security is not optional; it is a foundational requirement for securing the future of connected mobility.
Antoinette Hodes is a Global Solutions Architect, specialising in IoT, and serves as an Evangelist with the Check Point Office of the CTO. She has worked as an engineer in IT for over 25 years and is an experienced security solutions architect in the cyber security industry.
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.