After some internal evaluation and a journalists inquiry on the possibility of chinese state actors having access to camera footage, Muncipality the Hague decided to do a security test focused on an APT threat on their traffic camera infrastructure. During the session we will show how the team approached this project, how some of the cinematic scenarios of causing traffic jams and using the camera's for espionage were possible in real life and what lessons were learned from the project.

The session will start with providing a bit of context on why the project was started, what was already going on at that time and why the muncipality of the Hague had further questions for which they needed a hacking team.We then discuss how we approached the project in a complex environment, where APT threats are involved and how that changes how you assess certain systems and features.The core of the presentation focuses on disclosing the actual vulnerabilities found within the systems, how we went through the full cyber kill chain within the environment and what that actually means in the physical realm if this had been exploited with malicious intent. Finally we end the presentation with some details on how the discovered issues were addressed and what general lessons can be learned from this project that could also be applicable for other similar environments.

Licensed to the public under https://creativecommons.org/licenses/by/4.0/about this event: https://program.why2025.org/why2025/talk/RJTUR8/