You’ve seen traffic lights hacked in movies like Live Free or Die Hard or The Italian Job. If you are a gamer, then you might have “hacked” traffic lights in the video game Watch Dogs to cause epic wrecks and allow you to escape the cops. But now security researchers have hacked traffic lights in real life and say it’s easy to do: a person needs only a laptop and a wireless card operating on the same 5.8 gigahertz frequency as the wirelessly networked traffic lights to access the entire unencrypted network.
Hacking traffic control systems was a topic presented at Def Con 22 by IOActive Labs’ Cesar Cerrudo. He said that after attending his talk, “Anyone will be able to hack these devices and mess with traffic control systems since there is no patch available.” He added, “I was able to access the sensor. I was able to see the configuration of them – if I wanted to I could have compromised them. I didn't do it.”
Well, security researchers from the University of Michigan did hack nearly 100 wirelessly networked traffic lights and were able to change the state of the lights on command. They noted that they had permission from local road authorities first. During the Workshop on Offensive Technologies (WOOT) at USENIX Security 2014, the researchers presented "Green Lights Forever: Analyzing the Security of Traffic Infrastructure" (pdf). They discovered three major weaknesses in traffic infrastructure deployment and spelled out a few potential attacks.
A denial of service attack would stop normal light functionality, such as by setting all the lights to red, to “cripple the flow of traffic” and cause general chaos for drivers. A subtle attack against the entire traffic infrastructure of a city would cause significant traffic congestion. An attacker might also choose to control the lights for personal gain, such as making sure he or she hits all green lights along his or her route.
It may be unsettling, but not overly surprising, that all the devices studied by the Michigan researchers used the default credentials that came built into the device. Those are available on the Internet, so they provide “no security whatsoever.” Leaving defaults enabled is how people can easily hack road signs to say something like "Zombies ahead!"
There’s also no encryption, leaving the network accessible to everyone from attackers to bored teenagers. And it takes only one point of access to hack into the whole system.
The main components of wirelessly networked traffic lights are as follows. Sensors detect cars and inspect infrastructure. Those sensors are generally connected to traffic controllers that read the inputs and control light states. Those controllers, usually in a metal cabinet by the roadside, communicate with each other and a central server. Radios, operating at 900 MHz or 5.8 GHz, are frequently used for wireless communication in point-to-point or point-to-multipoint configurations. Then there are malfunction management units (MMUs) that can override the controller if there are conflicting green lights and force traffic lights into a “known-safe configuration” like blinking red lights.
Regarding the controllers, the researchers wrote, "The controller runs the VxWorks 5.5 real-time operating system. The default build settings for this version of VxWorks leave a debug port open for testing purposes. This port is meant to be disabled for build environments but is so commonly left enabled that it has been marked as a vulnerability by ICS-CERT."
The Michigan researchers concluded:
The real problem, however, is not any individual vulnerability, but a lack of security consciousness in the field. A clear example can be seen in the response of the traffic controller vendor to our vulnerability disclosure. It stated that the company, “has followed the accepted industry standard and it is that standard which does not include security.”
The industry as a whole needs to understand the importance of security, and the standards it follows should be updated to reflect this. Security must be engineered into these devices from the start rather than bolted on later. Until these systems are designed with security as a priority, the security of the entire traffic infrastructure will remain at serious risk.