Enhancing Cybersecurity in Public Transportation
"Cybersecurity is a significant concern in all industries. Given the rapid adoption of technology in the area of automated and connected vehicles, transportation infrastructure is a particularly attractive target."
Principal Investigators: Sean Barbeau, Jay Ligatti
Research Assistants: Maxat Alibayev, Kevin Dennis
FDOT Project Number: BDV25-977-51
Enhancing Cybersecurity in Public Transportation was the first project I was part of, and it was an absolutely wonderful experience. The goal of this project was to improve the cybersecurity of public transportation systems in Florida. The project was a collaboration between the USF Center for Urban Transportation Research (CUTR) and the CSE Dept., and was sponsored by the Florida Department of Transportation (FDOT).
Publications
Cybersecurity Vulnerabilities in Mobile Fare Payment Applications: A Case Study. Kevin Dennis, Maxat Alibayev, Sean Barbeau, and Jay Ligatti. Transportation Research Record (TRR), September, 2020. https://doi.org/10.1177/0361198120945982
Enhancing cyber-security in public transportation. Jay Ligatti, Kevin Dennis, Maxat Alibayev, Sean Barbeau. Intelligent Transport, Volume 03, Issue 03, September 2019
Cybersecurity in Public Transportation: A Literature Review. Kevin Dennis, Maxat Alibayev, Sean Barbeau, and Jay Ligatti. Proceedings of the 98th Transportation Research Board Annual Meeting (TRB), January, 2019.
Presentations
Enhancing Cybersecurity in Public Transportation. Talking Headways: A Streetsblog Podcast, "Episode 272: It Came from TRB! Poster Session Part 1", (Feb 20, 2020)
Cybersecurity Vulnerabilities in Mobile Fare Payment Applications: A Case Study. Safety and Security in Rail Transit, 98th Transportation Research Board Annual Meeting (TRB). (Washington D.C., 2020) [Slides]
Cybersecurity in Public Transportation: A Taxonomy [Poster Session]. 98th Transportation Research Board Annual Meeting (TRB). (Washington D.C., 2020)
Vulnerabilities in Mobile Fare Payment Applications [Poster Session]. 2019 CUTR Student Poster Competition (Tampa, FL, 2019)
Enhancing Cybersecurity in Public Transportation. Federal Transit Administration (FTA) Transit Standards Working Group Meeting (Tampa, FL, 2019)
Enhancing Cybersecurity in Public Transportation. Center for Urban Transportation Research Safety & Operations Summit and Florida Public Transportation Association (FPTA) Professional Development Workshop (Tampa, FL, 2019)
Cybersecurity in Public Transportation: A Taxonomy [Poster Session]. 97th Transportation Research Board Annual Meeting (TRB). (Washington D.C., 2019)
Video from the 2019 CUTR Transportation Achievement Awards Event
While working on the "Enhancing Cybersecurity in Public Transportation" project, I was selected as the National Center for Transit Research (NCTR) Student of the Year.
2020 CUTC Awards Banquet and Winter Meeting
Working Groups and Workshops
As part of the project, we hosted 10 working group meetings and 3 workshops. The working group meetings brought together members from different agencies to discuss relevant security issues in transportation, and included experts from the Florida Department of Transportation, Jacksonville Transportation Authority, and HNTB. A full list of participants can be found in the final report.
The first workshop introduced students to Android application analysis for mobile fare payment applications. Students were provided an Android virtual machine and shown modern tools to reverse engineer applications.
The second workshop for students focused on a traffic cabinet donated to CUTR by the City of Tampa. Students were allowed to poke around in the cabinet and change the settings on the controller.
The final workshop brought together faculty from various Florida universities to present their research on transportation security. The guest speakers were paid $1,000 to attend and present their research. This event was my first time planning an event of this scale, and introduced me to the complicated process of university funding.
Maxat presenting at the traffic cabinet workshop
Traffic cabinet donated to CUTR by the City of Tampa
Network diagram of the traffic cabinet testing lab
Maxat and I posing with the traffic cabinet on the day it arrived
Mobile Fare Payment Application Vulnerability
While I was preparing the presentation on mobile fare payment applications for the student workshop, I discovered a vulnerability in a publicly available application in Florida. This vulnerability allowed an attacker to access information about other users because of a missing authorization check in the app's API. The affected endpoint checked that a valid session token was provided but, unlike the other endpoints, did not verify that the session belonged to the user whose data was requested.
The attacker could access information such as the victim's visited stops, license plate, and the last 4 digits of the credit card used. Wait, why does a mobile fare app have license plates? The application was actually a parking application developed by a third-party vendor that was repurposed as a transit application. The underlying database supported both applications, allowing the transit API to access the parking data as well.
The vulnerability was disclosed to the agency in October, 2018, and further testing in December, 2018 confirmed that it had been patched.
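The check that was missing, as an added example that is not the project's or the vendor's code: a minimal "parker history" style endpoint with the authentication-only check described above, the hardened version that also enforces ownership, and a log filter that flags successful cross-user reads. The endpoint name, tokens, records, and log format are all constructed for illustration.

```python
"""Constructed example (not the project's or vendor's code): reproduces the
missing ownership check described above, its fix, and a log check for it.
Every session token, account name, record, and log line below is made up."""

# Constructed session table: bearer token -> account that owns the session
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}

# Constructed per-user records of the kind the endpoint returned
HISTORY = {
    "alice": {"stops": ["Stop 12", "Stop 40"], "plate": "ABC1234", "card_last4": "4242"},
    "mallory": {"stops": ["Stop 3"], "plate": "XYZ9876", "card_last4": "1111"},
}


def history_vulnerable(token, user_id):
    """The original defect: only checks that *some* valid session is presented,
    so any logged-in user can read any other user's record."""
    if token not in SESSIONS:
        return 401, None
    record = HISTORY.get(user_id)
    return (200, record) if record else (404, None)


def history_fixed(token, user_id):
    """The fix: the session must belong to the user whose record is requested
    (object-level authorization, not just authentication)."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if caller != user_id:
        return 403, None
    record = HISTORY.get(user_id)
    return (200, record) if record else (404, None)


def cross_user_requests(log_lines):
    """Detection over constructed access-log lines shaped like
    '<session_user> GET /parker_history/<user_id> <status>': returns the
    lines where a session successfully read a record it does not own."""
    hits = []
    for line in log_lines:
        session_user, _, path, status = line.split()
        requested = path.rsplit("/", 1)[1]
        if status == "200" and requested != session_user:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(history_vulnerable("tok-mallory", "alice"))  # (200, alice's record)
    print(history_fixed("tok-mallory", "alice"))       # (403, None)
```

Returning 404 instead of 403 in the ownership branch is a reasonable alternative if you do not want the endpoint to confirm which user IDs exist.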
Compromised USF account displayed in the MyJTA application
The parker history API used by a transit, parking, and malicious user
Literature Review and Survey
The first two tasks were to create a literature review and to perform a survey of transit agencies to determine their security posture. I handled most of the writing for the literature review and the IRB application for the survey. The literature review was later accepted for presentation at the 2019 Transportation Research Board conference.
Sean and I at the 2019 TRB
Taxonomy
The third task was to develop a taxonomy of transit technologies based on the following dimensions: deployment, liabilities, transportation modes, and responsible parties. This was my first time using LaTeX, which I used to generate all of the figures seen in the report. Maxat and I then wrote the report, which was heavily informed by the results of the literature review and survey.
Electronic ticketing and fare payment, taken from the larger taxonomy