A newly discovered security flaw in leading smart bus systems threatens passenger safety and fleet integrity.
Researchers have identified a critical vulnerability, CVE-2025-44179, in the remote management interface of onboard modems used by several major transit providers.
Exploiting this weakness, attackers can both track the real-time location of buses and issue remote control commands to critical subsystems such as door operations, engine start/stop, and HVAC settings.
Key Takeaways
1. Embedded backdoors and unauthenticated API/SSH/Telnet access in bus modems.
2. MQTT credentials and unencrypted telemetry leak real-time GPS and operational data.
3. Mitigate by disabling insecure services.
Unauthorized Access via Telnet and SSH Backdoors
According to researcher Chiao-Lin Yu, hard-coded credentials were found in the firmware of onboard routers, similar to the “app:$1$/w1tlbIY” account found in HITRON CGNF-TWN modems.
By initiating a simple Telnet handshake—telnet
Once inside, the adversary may escalate privileges via a hidden backdoor loop in the startup script:
This backdoor, originally intended for ISP diagnostics, permits arbitrary code execution (RCE) on the bus’s network gateway.
Modern smart buses rely on MQTT for telematics and remote diagnostics. Research shows that the same CA certificate and client credentials are deployed fleet-wide, allowing an attacker to subscribe to location topics:
By subscribing with default credentials (cms@mqtt / samepassword), a malicious actor can map bus routes in real time and predict arrival times, jeopardizing passenger privacy and operational schedules.
The flaw extends to the HTTP management API. An unauthenticated attacker may invoke the config.xgi endpoint to adjust critical parameters:
This API, lacking proper authentication controls, enables password resets for admin accounts and subsequent takeover of the vehicle’s CAN bus interface. Once inside, attackers could remotely command door actuators or disable brakes.
Mitigations
Transit agencies must immediately disable Telnet/SSH services on modems, enforce unique per-device credentials, and deploy firmware updates that remove hard-coded backdoors.
Additionally, migrating MQTT streams to mutually authenticated TLS with distinct client certificates per device will thwart unauthorized subscriptions.
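The first two mitigations are easiest to enforce when they are checked continuously across the fleet. The following audit script is an added illustration (not code from the researchers, the vendors, or the article) that assumes a hypothetical per-device inventory record with the field names used below and flags the conditions the article calls out: Telnet or SSH management still enabled, MQTT telemetry sent without TLS, no per-device client certificate, and MQTT credentials or client certificates reused by more than one vehicle. The three sample bus records are constructed for the example.

```python
"""Fleet-wide audit for the modem weaknesses described in the article.

Added example; the inventory record shape (device_id / services / mqtt)
is an assumption, not a real vendor or transit-agency schema.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample inventory of three bus modems. bus-101 and bus-102
# still run Telnet and share one MQTT login over plaintext; bus-103 has
# been migrated to mutual TLS with its own client certificate.
SAMPLE_FLEET = [
    {"device_id": "bus-101",
     "services": {"telnet": True, "ssh": True, "https_mgmt": True},
     "mqtt": {"tls": False, "username": "cms@mqtt", "password": "samepassword",
              "client_cert_sha256": None}},
    {"device_id": "bus-102",
     "services": {"telnet": True, "ssh": False, "https_mgmt": True},
     "mqtt": {"tls": False, "username": "cms@mqtt", "password": "samepassword",
              "client_cert_sha256": None}},
    {"device_id": "bus-103",
     "services": {"telnet": False, "ssh": False, "https_mgmt": True},
     "mqtt": {"tls": True, "username": "bus-103", "password": "<unique-secret>",
              "client_cert_sha256": "constructed-fingerprint-103"}},
]


def audit_device(dev: dict) -> List[str]:
    """Per-device findings: exposed management services and MQTT transport."""
    findings = []
    svc = dev.get("services", {})
    if svc.get("telnet"):
        findings.append("telnet_enabled")
    if svc.get("ssh"):
        findings.append("ssh_enabled")
    mq = dev.get("mqtt", {})
    if not mq.get("tls"):
        findings.append("mqtt_plaintext")          # telemetry leaks GPS in clear
    if not mq.get("client_cert_sha256"):
        findings.append("mqtt_no_client_cert")     # broker cannot mutually authenticate
    return findings


def audit_fleet(fleet: List[dict]) -> Dict[str, List[str]]:
    """Fleet-level findings: credential and certificate reuse across devices."""
    report = {d["device_id"]: audit_device(d) for d in fleet}
    by_cred = defaultdict(list)
    by_cert = defaultdict(list)
    for d in fleet:
        mq = d.get("mqtt", {})
        by_cred[(mq.get("username"), mq.get("password"))].append(d["device_id"])
        if mq.get("client_cert_sha256"):
            by_cert[mq["client_cert_sha256"]].append(d["device_id"])
    # Any login or certificate seen on more than one vehicle is fleet-wide reuse.
    for ids in by_cred.values():
        if len(ids) > 1:
            for dev_id in ids:
                report[dev_id].append("mqtt_shared_credentials")
    for ids in by_cert.values():
        if len(ids) > 1:
            for dev_id in ids:
                report[dev_id].append("mqtt_shared_client_cert")
    return report


if __name__ == "__main__":
    for dev_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(dev_id, findings or "clean")
```

Run against a real inventory export (however the agency stores it), the per-device list tells the operations team which vehicles still need the firmware update and the credential rotation, while the fleet-level checks catch the shared-login pattern that a per-device review would miss.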
Lastly, rigorous input validation on all XGI endpoints is essential to prevent command injection attacks.
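For the last mitigation, the safe shape of a configuration endpoint is an allow-list of parameter names, a strict pattern for each value, and a handoff to the backend as an argument vector rather than a shell string, so that no request content is ever interpreted by a shell. The handler below is an added example (not the vendor's code, and the parameter names and the `/usr/sbin/apply-config` path are assumptions) showing that pattern; it complements, and does not replace, authentication on the endpoint.

```python
"""Allow-list validation for a config endpoint's parameters.

Added example; parameter names, patterns and the backend path are assumed.
"""
import re
from typing import Dict, List

# Only these parameters may be set, and each must match its pattern exactly.
ALLOWED_PARAMS = {
    "hostname": re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"),
    "ntp_server": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "log_level": re.compile(r"debug|info|warn|error"),
}


class ValidationError(ValueError):
    """Raised for unknown parameters or values outside the allowed pattern."""


def validate_config_params(params: Dict[str, object]) -> Dict[str, str]:
    """Return a copy containing only known keys with fully matching string values."""
    clean = {}
    for key, value in params.items():
        pattern = ALLOWED_PARAMS.get(key)
        if pattern is None:
            raise ValidationError(f"unknown parameter: {key!r}")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"invalid value for {key!r}")
        clean[key] = value
    return clean


def build_apply_argv(clean: Dict[str, str]) -> List[str]:
    """Build an argv list for the (hypothetical) backend; never a shell string."""
    argv = ["/usr/sbin/apply-config"]
    for key, value in clean.items():
        argv += [f"--{key}", value]
    return argv


def is_safe_request(params: Dict[str, object]) -> bool:
    """Convenience check used by the handler before touching the backend."""
    try:
        validate_config_params(params)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed requests: one well-formed, one carrying shell metacharacters.
    for req in ({"hostname": "bus-101", "log_level": "info"},
                {"hostname": "bus-101; reboot"}):
        print(req, "->", "accepted" if is_safe_request(req) else "rejected")
```

Because `fullmatch` is used with a closed character set, anything outside the pattern (spaces, semicolons, quotes, path separators) fails validation before it reaches `build_apply_argv`, and because the backend receives `argv` rather than a formatted command line, even a value that passed validation cannot be reinterpreted by a shell.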
As public transport evolves, ensuring the security of connected infrastructure is paramount. Without swift action, threat actors could not only jeopardize passenger safety but also disrupt entire urban transit networks.