I will keep this article brief as I still owe a full disclosure article walking through what was covered in my Phrack Article ‘Roadside to Everyone (R2E) Phase 1: Physical & Local Vulnerabilities in (C)V2X RSUs’ LINK. This will include more pictures, some deeper explanations of the vulnerabilities, etc.
For now I just wanted to put something out to state how relieved I am that my research is public. I put a lot of resources independently into this project and the results are beyond what I expected.
Although I was not able to open a line of communication to Kapsch TrafficCom AG/Kapsch Group prior to disclosure (which I did wait far longer then the recommended 3 months), they ended up reaching out to me as soon as the article went live on Phrack.
I ended up having a meeting with the CISO, the Director of Product Management for Connected Vehicles and a US facing employee in their legal department.
Although I entered the conversation unsure if it would be tense or adversarial, it ended up being relatively constructive, informative and as pleasant as I could expect.
Some topics especially are important to note because they were unexpected. I saw a genuine interest in them trying to figure out where my attempts to contact might’ve fallen through the cracks and what they can set up so that future researchers have a path to getting into contact with their security team. Although I now have a line of communication where I can reach out, I’m glad to see that they’d like to give the opportunity for those following responsible disclosure a clear path to do that.
Although I don’t have an update on this as of the writing of this article, if they end up publishing a security.txt LINK or similar and letting me know about it I will update this article and include it HERE.
Another concern point was how I acquired these RSUs which is something that comes up often in my experience with vendors. This is something I will cover in my write-up about these units on here, but to be brief, all of the RSUs I acquired were via Ebay. It turns out the Flea Market Supply Chain Attack strikes again. (Article coming early 10/25 covering what that is, the risk, impact, resolving this issue, and why I’ve coined the term).
Additionally, I briefly went over some of the contents of my paper and was happy to answer their questions. They seemed receptive and professional even if they stated they may disagree with some of my conclusions which is perfectly understandable. It would be unsurprising if some of these disagreements came up if they choose to release a statement, which is also perfectly understandable.
Some things I was requested to mention, that the state of the RSUs I have acquired for my research are not in production ready deployment mode, nor are they the latest models. What the state of the physical & local security posture is in the latest models when they are in a default off the shelf (as some of these were, or post-deployment as others were), I hope to eventually be able to test and do research on. Lastly, that a lot (if not basically all) of the functionality and services these units run flow through their cloud infrastructure. As an independent researcher, that is obviously out of scope.
A public statement from Kapsch Group regarding this research was mentioned but as of the writing of this article, I have no insight into if that is going to happen (or if it did and I missed it). If they do end up putting out a statement and I am aware of it, I will update this article and link it HERE.
Ultimately, Phase 2 of my research into these units is currently paused although I have done some work towards it. I also found a few instances of stored cleartext passwords that was not included in Phase 1 but at this time, with just that, I’m just leaving it as is.
If I do end up picking up Phase 2, I am glad to have a line of communication to Kapsch directly.
Timeline:
- Initial Purchase of First RSU Model 9260 – 11/2024
- First purchase of RSU Model 9160 – 12/2024
- Attempted to open line of communication via the contact form of Kapsch Trafficcom AG – ~12/2024
- Submitted vulnerabilities to MITRE to have CVE numbers assigned – 02/26/2025
- Attempted to open line of communication via job application – 03/2025
- Attempted to reach out again via the contact form of Kapsch Trafficcom AG – 06/2025
- Phrack Article covering my research published – 08/2025
- CVEs Published – 08/2025
- Kapsch Group CISO reached out to me about my paper in Phrack – 08/2025
- Kapsch Group meeting with CISO, Director Product Management Connected Vehicles, and US facing employee in their legal department – 08/2025
END TRANSMISSION