Remember that scene from the Italian Job remake where the Napster (Seth Green) hacks into LA’s traffic control center and changes all the traffic lights to suit their getaway plan? Turns out that it’s not too difficult to pull that off.
In an experiment called “Green Lights Forever: Analyzing the Security of Traffic Infrastructure” conducted in 2014 by the Electrical Engineering and Computer Science Department at the University of Michigan, researchers found that there were some glaring security holes in the road agency’s traffic infrastructure deployment. Their results have been getting new attention thanks to this recent Boing Boing article.
These holes included a network that was accessible to hackers because it lacked encryption, devices on the network that lacked secure authentication because they used default usernames and passwords, and a traffic controller that was vulnerable to known exploits.
With the permission of a road agency in Michigan, the researchers targeted the wireless control systems at each intersection and were able to gain access to the radios, controller and video camera via an Ethernet connection.
As the study explains:
The system we investigated uses commercially available radios that operate on the ISM band at either 5.8 GHz or 900 MHz. Figure 3 shows an example of the network topology. One intersection acts as a root node and connects back to a management server under the control of the road agency. Intersections often have two radios, one slave radio to transmit to the next intersection towards the root and one master radio to receive from one or more child nodes beyond it. All devices form a single private network and belong to the same IP subnet.
As with the 5.8 GHz radios, the connections between 900 MHz radios are unencrypted and the radios use default usernames and passwords. The configuration software for these radios assumes the default username and password will be used. If they are modified, the software is no longer able to connect to the device.
At an intersection, the radios, controller, and video camera connect to a commercial switch via an Ethernet connection. The switch does not implement any security features and utilizes its default username and password.
Once a potential hacker gains access to a traffic light, he or she can change the light timing, make the lights super short or super long or freeze them permanently. If they robbed a bank and needed their getaway free and open with green lights, they could do that. If they needed to slow down a police chase by getting them stuck in a sea of red lights, they could do that.
Luckily, the lights do have a fail-safe device that won’t allow a potentially dangerous configuration, like a four-way green.
From the same study:
Denial of Service: A denial of service attack in this context refers to stopping normal light functionality. The most obvious way to cause a loss of service is to set all lights to red. This would cause traffic congestion and considerable confusion for drivers. Alternatively, the attacker could trigger the MMU to take over by attempting an unsafe configuration. This would cause the lights to enter a safe but suboptimal state. Since this state can be triggered remotely, but cannot be reset without physical access to the controller, an adversary can disable traffic lights faster than technicians can be sent to repair them. These attacks are overt and would quickly be detected by road agency personnel, who would be left with the recourse of disabling network connections between intersections.
Traffic Congestion: More subtly, attacks could be made against the entire traffic infrastructure of a city which would manipulate the timings of an intersection relative to its neighbors. The effect would be that of a poorly managed road network, causing significant traffic congestion but remaining far less detectable than overt actions. This type of attack could have real financial impacts on a community. One study by the city of Boston calculated that simply reconfiguring the timings of 60 intersections in one district of the city could save $1.2 million per year in person-hours, safety, emissions, and energy costs.
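A defender's counterpart to the two attack classes quoted above, as an added example that is not from the study or the original article: it compares the timing plan polled from each controller against the approved baseline, so a quiet offset change is flagged as readily as a fail-safe trip. The field names, intersection IDs, state labels and all values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plan:
    cycle_s: int      # full cycle length in seconds
    offset_s: int     # cycle start relative to the corridor's reference clock
    greens_s: tuple   # green time per phase, in seconds

# Approved plans as signed off by the traffic engineers (constructed values).
BASELINE = {
    "int-01": Plan(90, 0, (40, 30)),
    "int-02": Plan(90, 12, (40, 30)),
    "int-03": Plan(90, 24, (45, 25)),
}

# What a poll of the controllers returned (constructed values).
OBSERVED = {
    "int-01": {"plan": Plan(90, 0, (40, 30)), "state": "normal"},
    # Offset shifted relative to its neighbours: the subtle congestion case.
    "int-02": {"plan": Plan(90, 57, (40, 30)), "state": "normal"},
    # Controller reports the fail-safe state: the overt denial-of-service case.
    "int-03": {"plan": Plan(90, 24, (45, 25)), "state": "fail_safe"},
}

def audit(baseline, observed):
    """Return (intersection, finding, detail) tuples for every deviation."""
    findings = []
    for name, approved in sorted(baseline.items()):
        seen = observed.get(name)
        if seen is None:
            # No answer at all is itself worth a ticket.
            findings.append((name, "unreachable", ""))
            continue
        if seen["state"] != "normal":
            findings.append((name, "fail_safe", seen["state"]))
        # Any field that differs from the approved plan is unreviewed change.
        for field in ("cycle_s", "offset_s", "greens_s"):
            want, got = getattr(approved, field), getattr(seen["plan"], field)
            if want != got:
                findings.append((name, "timing_drift", f"{field}: {want} -> {got}"))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print(*finding, sep="\t")
```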
This is all extremely interesting, especially while we’re on the subject of car hacking. While remote car hacking is still unlikely and rare, it doesn’t seem like there is much stopping hackers from accessing the traffic lights that govern your car.
Then what happens when your car is communicating with a traffic light that’s been hacked? Then what?