Hacking your ride: Is Web 2.0 creating vulnerabilities to surface transportation?

Cedric Novenario



Traffic congestion during commuting hours (7:00 A.M. to 9:00 A.M. and 4:00 P.M. to 6:00 P.M.) is as much a guarantee as death and taxes. Sitting in traffic gridlock consumes valuable free time, adds pollutants to the air, and reduces overall quality of life.[1] Developers from the mobile application (app) world have created apps such as Waze and Google Maps that not only link traffic navigation software to near-real-time Global Positioning System (GPS) updates, but also to live, crowdsourced traffic information provided by fellow commuters; this information is designed to reduce traffic congestion and help commuters avoid traffic snarls or obstacles.[2] Mobile apps like Waze and Google Maps can be considered social navigation.

Unfortunately, there is little research regarding the impact of social media and social navigation (SMSN) specific to surface transportation security. Likewise, research evaluating the influence of SMSN on human or “user” behavior and the associated vulnerabilities to the transportation system is also lacking. Perhaps the impact of SMSN apps on surface transportation has not been explored in more depth because the focus has primarily been on transportation infrastructure—bridges, overpasses, highways—and transportation control systems. However, SMSN apps should be considered an integral part of the surface transportation system; the information that users contribute and distribute influences human behavior and the resulting behavior of the transportation system itself.

This thesis catalogs malign SMSN tools, tactics, and techniques that pose a security risk to surface transportation. It is hoped that this analysis may lead to a heuristic inquiry that could expose malign activities before they present a threat to the surface transportation system.

To address the threats that SMSN pose to the surface transportation system, this thesis provides a qualitative analysis of the system’s specific SMSN-related vulnerabilities by conducting a thorough and systematic review of academic journals, books, white papers, websites, and open-source information from popular social media and social navigation sites such as Twitter, Facebook, and Waze. Vulnerabilities/threats are cataloged by existing and known vulnerabilities, and potential malign uses of SMSN tools and tactics that have not yet been attempted. The data is further grouped into three categories: SMSN manipulation, social navigation manipulation, and use of SMSN for intelligence.

No conclusive evidence was found that social media is a direct threat to the surface transportation system. However, there is implied potential for social media’s exploitation by terrorist groups and individuals. Of most concern is that these groups or individuals will disseminate false information to control the narrative or behavior of social groups, or that they will use legitimate information as a source of intelligence. For example, when Twitter users post their sentiments regarding traffic conditions, malicious actors can use this tactical knowledge to attack the surface transportation system.

Researchers have discovered that social navigation applications, such as Waze and Google Maps, are vulnerable to Sybil and man-in-the-middle attacks.[3] A Sybil attack exploits trust vulnerabilities in web and mobile application platforms that depend on user interaction and crowdsourced information by disregarding terms of use agreements (which preclude the deliberate introduction of false information) through imposter identities.[4] These imposter identities can present false or alternative information that incorrectly guides users in a manner desired by the malicious actor. Waze, for example, will suggest alternate travel routes should the targeted route have a comparatively longer travel time.[5] Should the Sybil attack trigger traffic congestion, malicious actors can lure unsuspecting motorists into “kill boxes” to orchestrate an attack. While social media apps such as Waze and Google Maps are not typical platforms for terrorism, surface transportation does represent a soft target with high potential for large-scale casualties.[6] A Sybil attack on one of these apps could provide a new target vector for terrorists, rendering highway infrastructure or passenger vehicles an attractive soft target. This would be especially devastating in the United States, where motor vehicles are the predominant mode of travel, with potential attacks impacting tens of millions of urban commuters daily.[7]

In the near future, terrorist or criminal Sybil attacks could target autonomous vehicles, which are expected to communicate with transportation infrastructure to ensure efficient and safe traffic flow.[8] A Sybil or man-in-the-middle attack on the traffic infrastructure and/or vehicular network could communicate false vehicle characteristic information or false traffic infrastructure information, causing vehicle conflicts and accidents at intersections. Homeland security professionals must be prepared to address these vulnerabilities as the future of vehicle surface transportation becomes an increasingly interconnected network.



[1] This information is based on the author’s experience as a traffic and transportation engineer.

[2] “Crowdsourced Traffic Apps: Saving Commuters from Traffic Jam Torture,” Scratch, February 10, 2015, http://www.scratchmarketing.com/crowdsourced-traffic-apps/.

[3] Gang Wang et al., “Defending against Sybil Devices in Crowdsourced Mapping Services,” paper presented at MobiSys ‘16, Singapore, June 25–30, 2016; Meital Ben Sinai et al., Exploiting Social Navigation (Haifa, Israel: The Technion, 2014); Tobias Jeske, “Floating Car Data from Smartphones—What Google and Waze Know about You and How Hackers Can Control Traffic,” paper presented at Black Hat Europe, Amsterdam, March 12–15, 2013.

[4] “Terms of Use,” Waze, accessed July 14, 2016, https://www.waze.com/legal/tos; “Google Maps/Google Earth Additional Terms of Service,” Google, December 17, 2015, https://www.google.com/intl/ALL/help/terms_maps.html.

[5] Wang et al., “Defending against Sybil Devices,” 4

[6] Brian Michael Jenkins and Bruce R. Butterworth, Troubling Trends in Terrorism and Attacks on Surface Transportation: The Outlook is Grim, but People Still Have a Great Deal of Control (San Jose, CA: Mineta Transportation Institute, 2015), 2.

[7] Tom Huddleston, Jr. “These U.S. Cities Have the Worst Commute Times,” Fortune, March 3, 2016, http://fortune.com/2016/03/03/us-cities-average-commute-time/.

[8] Rupesh Gunturu, “Survey of Sybil Attacks in Social Networks,” Cornell University Library, accessed April 15, 2016, http://arxiv.org/pdf/1504.05522v1.pdf; “Vehicle-to-Infrastructure (V2I) Communications for Safety,” U.S. Department of Transportation, accessed July 12, 2016, http://www.its.dot.gov/factsheets/v2isafety_factsheet.htm.

No Comments

Post a Comment