In this article we look at what it means to hack a traffic light system, and at the research that has shown how it can be done.
Traffic light systems security issues
We often see movie scenes in which hackers break into traffic light control systems with disastrous consequences. Unfortunately, threat actors really are capable of causing serious problems to these complex infrastructures.
Traffic lights were originally designed as stand-alone systems, but as technology has advanced they have evolved into complex, interconnected systems. Modern traffic controllers can run multiple timing schedules, communicate in real time with a large number of networked sensors and process the collected information to manage traffic flows as efficiently as possible.
Coordinated traffic signal systems bring great benefits in terms of time saved, environmental impact and public safety, but connecting them across a metropolitan area requires a lot of effort from public administrations. Wireless networks were the obvious choice for reducing interconnection costs and quickly building an interconnected network of traffic light control systems. These improvements, however, raise serious questions about the security of the overall architecture: components of traffic light systems are now remotely accessible and wirelessly connected, which has serious security implications.
Cesar Cerrudo … hacking traffic lights and electronic signs around the world
Cesar Cerrudo, Chief Technology Officer of IOActive, is one of the experts who studied the security of the components of traffic light and electronic sign control systems in cities around the world. He analyzed the architecture of traffic light systems installed in many countries, including the United States, Great Britain, Australia, China and Canada.
The researcher discovered a disturbing scenario: several devices used in traffic light systems are vulnerable to a number of cyber attacks, and the vulnerabilities in these architectures could be exploited to cause a denial of service or to spread malware across the network connected to these systems.
Electronic signs and traffic light systems are controlled by automated systems that could be targeted by threat actors just like any other device.
Cerrudo presented the results of his research at the Infiltrate security conference, illustrating the details of the flaws he had discovered and the affected components, which an attacker could exploit with the right device at the right distance.
“The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less),” explained Cerrudo in a blog post.
Cerrudo also described a possible attack vector: bad actors could use a commercially available unmanned aerial vehicle to attack the vulnerable devices. His research showed that a drone equipped with a powerful antenna can interfere with traffic light systems from more than 600 feet in the air, and the range could be extended much further with a stronger antenna.
He explained that a bad actor could conduct the attack with a wireless transmitter of variable size: with a USB stick receiver an attacker could intercept data from 150 feet away, a distance that could easily be extended to 1,500 feet with a better antenna.
“I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.”
To better understand the possible impact of a cyber attack against a traffic light system, consider the statistics cited in the post:
“In 2012, there were an estimated 5,615,000 police-reported traffic crashes in which 33,561 people were killed and 2,362,000 people were injured; 3,950,000 crashes resulted in property damage only.” US DoT National Highway Traffic Safety Administration: Traffic Safety Facts
“Road crashes cost the U.S. $230.6 billion per year, or an average of $820 per person.” Association for Safe International Road Travel: Annual US Road Crash Statistics
Securing vital infrastructure is a key goal of every cyber strategy. Governments must take the risks of cyber attacks seriously, and traffic light systems are a privileged target.
“This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously.” said Cerrudo.
Cerrudo started his analysis by evaluating the architectures of traffic light systems and discovered that vulnerable Sensys Networks wireless vehicle detection systems were installed in 40 US cities, including San Francisco, Los Angeles, New York City and Washington, DC, and in nine other countries.
Figure 3 – Sensys architecture (slide)
The company has installed its systems in 40 states and has a network of more than 50,000 sensors operating in 10 countries, including the UK, China, Canada, Australia and France.
Vehicle detection systems consist of magnetic sensors hidden in roadways that collect information about traffic flow and transmit it wirelessly via the proprietary Sensys NanoPower Protocol to nearby access points and repeaters, which then send the data to traffic signal controllers.
Figure 4 – Sensys sensor
A threat actor could attack the system described, and in particular the information it exchanges, because the protocol lacks any authentication mechanism and the data is not encrypted. In principle, an attacker could sniff the traffic, reverse engineer the protocol and replace the information with fake data.
“[I]t was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices.”
In any case, sensors are just one component of the overall architecture; the fake information has to be submitted in the correct format to trick the traffic light control system into believing that the actual traffic flow is different from the real one.
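To make the weakness concrete, here is an added example, written for this article rather than taken from Cerrudo, Sensys or the original page, that models a sensor-to-access-point link in Go. The frame layout, the sensor ID and the hardened design are assumptions for illustration; the real NanoPower format is proprietary and is not reproduced. The legacy access point accepts any well-formed frame, so an attacker who has learned the layout can report a blocked lane from a sensor he does not own. The hardened access point holds a per-sensor key, checks a truncated HMAC-SHA256 tag in constant time and rejects sequence numbers that do not increase, which defeats both forgery and replay of captured frames.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed report layout (the real Sensys NanoPower frame format is proprietary
// and is not reproduced here): sensorID(4) | seq(4) | occupied(1) | speedKmh(1), big endian.
const payloadLen = 10

// Truncated HMAC-SHA256 tag appended by the hardened variant: eight bytes keeps the
// radio frame short and still leaves 2^-64 odds per forgery attempt.
const tagLen = 8

var ErrAuth = errors.New("frame authentication failed")
var ErrReplay = errors.New("replayed or stale sequence number")

type Report struct {
	SensorID uint32
	Seq      uint32
	Occupied bool
	SpeedKmh uint8
}

func encode(r Report) []byte {
	buf := make([]byte, payloadLen)
	binary.BigEndian.PutUint32(buf[0:4], r.SensorID)
	binary.BigEndian.PutUint32(buf[4:8], r.Seq)
	if r.Occupied {
		buf[8] = 1
	}
	buf[9] = r.SpeedKmh
	return buf
}

func decode(b []byte) (Report, error) {
	if len(b) != payloadLen {
		return Report{}, fmt.Errorf("bad payload length %d", len(b))
	}
	return Report{SensorID: binary.BigEndian.Uint32(b[0:4]), Seq: binary.BigEndian.Uint32(b[4:8]),
		Occupied: b[8] == 1, SpeedKmh: b[9]}, nil
}

// LegacyAccept models an access point that trusts any well-formed frame: cleartext and
// no authentication, so a spoofed report is indistinguishable from a real one.
func LegacyAccept(frame []byte) (Report, error) { return decode(frame) }

// AuthAccessPoint keeps a per-sensor key and the last accepted sequence number:
// forged frames fail the tag check, replays fail the counter.
type AuthAccessPoint struct {
	keys    map[uint32][]byte
	lastSeq map[uint32]uint32
}

func NewAuthAccessPoint() *AuthAccessPoint {
	return &AuthAccessPoint{keys: map[uint32][]byte{}, lastSeq: map[uint32]uint32{}}
}

// Provision installs a fresh random key for one sensor (in a deployment this happens
// once, out of band, at installation) and returns it so the sensor side can sign.
func (ap *AuthAccessPoint) Provision(sensorID uint32) []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ap.keys[sensorID] = key
	return key
}

func tag(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)[:tagLen]
}

// SignedFrame is what a keyed sensor transmits: payload || truncated tag.
func SignedFrame(key []byte, r Report) []byte {
	p := encode(r)
	return append(p, tag(key, p)...)
}

// Accept verifies the tag in constant time, then enforces a strictly increasing counter.
func (ap *AuthAccessPoint) Accept(frame []byte) (Report, error) {
	if len(frame) != payloadLen+tagLen {
		return Report{}, fmt.Errorf("bad frame length %d", len(frame))
	}
	payload, got := frame[:payloadLen], frame[payloadLen:]
	r, err := decode(payload)
	if err != nil {
		return Report{}, err
	}
	key, ok := ap.keys[r.SensorID]
	if !ok || !hmac.Equal(got, tag(key, payload)) {
		return Report{}, ErrAuth // unknown sensor ID or bad tag
	}
	if last, seen := ap.lastSeq[r.SensorID]; seen && r.Seq <= last {
		return Report{}, ErrReplay
	}
	ap.lastSeq[r.SensorID] = r.Seq
	return r, nil
}

func main() {
	forged := encode(Report{SensorID: 0x1001, Seq: 99, Occupied: true}) // attacker-crafted "lane blocked"
	r, _ := LegacyAccept(forged)
	fmt.Printf("legacy AP accepted spoofed report: %+v\n", r)
	ap := NewAuthAccessPoint()
	key := ap.Provision(0x1001)
	genuine := SignedFrame(key, Report{SensorID: 0x1001, Seq: 1, SpeedKmh: 45})
	_, okErr := ap.Accept(genuine)
	_, replayErr := ap.Accept(genuine)
	_, forgeErr := ap.Accept(append(forged, make([]byte, tagLen)...))
	fmt.Println("hardened AP: genuine:", okErr, "| replay:", replayErr, "| forged:", forgeErr)
}
```

Note what the tag does and does not buy. It stops spoofed and replayed reports, but a radio attacker can still jam the channel or drop frames, and every sensor now needs a key provisioned at installation, which is the operational cost that makes vendors reluctant. Encryption, the fix discussed later on this page, hides the contents of a frame; it is the authentication tag that stops injection, so a real deployment would use an AEAD mode that provides both.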
Cesar Cerrudo ran his tests in major US cities, including Seattle, New York and Washington, DC, and the situation was always the same.
Another issue noticed by Cerrudo concerns the possibility of altering the firmware running on the sensors. The code is not digitally signed and is not protected by any security mechanism, which led the researcher to conclude that a threat actor could access the firmware and modify it to alter the configuration and behavior of the devices.
An attacker could, for example, hack a sensor so that it reports fake data or transmits on a different radio channel. In both cases, as Cerrudo pointed out, it would be very hard to detect the attack and identify the compromised sensor.
The attacks described by Cerrudo could seriously disrupt traffic flow: an attacker could manipulate the transition times of traffic lights, creating traffic jams and other problems, and such attacks are very hard to discover quickly.
“These traffic problems could cause real accidents, even deadly ones by cars crashing or by blocking ambulances, fire fighters, or police cars going for an emergency call,” said Cerrudo.
The hacking tools
Cerrudo explained that expensive instrumentation is not needed to hack traffic light control systems; an attacker could use small, specialized equipment. To build a lab for his tests, the researcher purchased an access point from Sensys Networks at a cost of about $4,000.
Such access points are not sold to the public; the researcher obtained one for testing purposes by telling the vendor he was evaluating it for one of his clients.
“There’s a huge volume impact here,” said Cerrudo.
The access point the researcher bought is compatible with all the sensors Sensys uses to monitor streets worldwide. Since the access point receives the data sent by the sensors, he carried it in a backpack or placed it on his car dashboard during experiments in the streets of several cities, including Seattle, New York and Washington, DC.
Figure 5 – Sensys access point
An attacker could intercept the data even without a Sensys access point, simply by using a wireless transceiver, but doing so is more complicated without knowledge of the proprietary protocol. A protocol-aware threat actor could intercept the data sent by the sensors to the access points, which includes configuration information about the devices such as the sensors’ unique IDs.
“Without an access point and software, you can sniff the wireless data, but it will be hard to understand what everything means,” Cerrudo said. “You need an access point to learn how the system works, but after you learn it, you don’t need an access point anymore, because you can make your own device.”
As the researcher explained, a reasonable improvement in the overall security of traffic light networks could be achieved by encrypting communication between sensors and access points (in practice the link also needs authentication, since encryption alone does not stop an attacker from injecting or replaying frames). As described in the study, an attacker could also deliberately modify the sensors’ firmware or configuration data; Cerrudo’s second proposal is therefore to prevent unauthorized users from accessing the firmware.
Cerrudo reported the flaws to ICS-CERT in July and was told, he says, that the lack of encryption for communications was not a bug but a design choice requested of Sensys Networks by its city customers.
“The ability to encrypt wireless information was removed early in the product life cycle based on customer feedback,” an unidentified Sensys employee explained to ICS-CERT. “There was nothing damaged on the system because we did not intend for wireless information to be protected.”
Sensys also said that firmware updates for the sensors are now encrypted with AES, a measure meant to prevent reverse engineering of the code to find out which bug an update fixes, information that could help an attacker build specific exploits.
Cerrudo noted, however, that firmware updates are encrypted only for new sensor models; devices already deployed on the streets cannot receive encrypted updates. This means that old sensors would have to be removed from the roads and replaced with new ones that support encrypted updates.
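One caveat is worth drawing out here: encrypting an update protects the code from being read, not from being changed. The following added example, written for this article and not taken from Sensys, ICS-CERT or the original page, contrasts the two approaches in Go; the image layout, the key handling and the configuration string inside the image are assumptions. With AES-CTR encryption alone, an attacker who knows the image layout can flip bytes in the ciphertext without the key, and the device installs the altered configuration. With an Ed25519 signature over version and body, the same edit is rejected, and a version check blocks rollback to an older, vulnerable image, which is the "digitally signed firmware" fix recommended at the end of this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrFormat = errors.New("malformed firmware image")
var ErrBadSignature = errors.New("firmware signature invalid")
var ErrRollback = errors.New("firmware version not newer than installed")

const nonceLen = aes.BlockSize // CTR nonce prepended to the ciphertext

// PlainImage builds the constructed image used here (not any vendor's format):
// version (4 bytes, big endian) || body.
func PlainImage(version uint32, body []byte) []byte {
	img := make([]byte, 4, 4+len(body)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(img, version)
	return append(img, body...)
}

// EncryptCTR gives confidentiality only. AES-CTR is a stream cipher: flipping a
// ciphertext bit flips the same plaintext bit after decryption, and nothing notices.
func EncryptCTR(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceLen+len(plain))
	if _, err := rand.Read(out[:nonceLen]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:nonceLen]).XORKeyStream(out[nonceLen:], plain)
	return out, nil
}

// FlipPlaintextByte edits a CTR ciphertext so the decrypted byte at offset turns
// from `from` into `to`, without knowing the key: the malleability attack.
func FlipPlaintextByte(ct []byte, offset int, from, to byte) {
	ct[nonceLen+offset] ^= from ^ to
}

// NewVendorKey stands in for the vendor's offline signing key; only the public
// half is burned into the sensor at manufacture.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage appends an Ed25519 signature over version||body, so neither can be altered.
func SignImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	img := PlainImage(version, body)
	return append(img, ed25519.Sign(priv, img)...)
}

// Device models a sensor boot loader: the vendor public key and the installed version.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
	Body      []byte
}

// Install accepts an image only if the signature verifies and the version is newer.
func (d *Device) Install(img []byte) error {
	if len(d.VendorPub) != ed25519.PublicKeySize || len(img) < 4+ed25519.SignatureSize {
		return ErrFormat
	}
	n := len(img) - ed25519.SignatureSize
	if !ed25519.Verify(d.VendorPub, img[:n], img[n:]) {
		return ErrBadSignature
	}
	v := binary.BigEndian.Uint32(img[:4])
	if v <= d.Installed {
		return ErrRollback
	}
	d.Installed = v
	d.Body = append([]byte(nil), img[4:n]...)
	return nil
}

// InstallEncryptedOnly models "encrypted updates, no signature": whatever decrypts gets installed.
func (d *Device) InstallEncryptedOnly(key, ct []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	if len(ct) < nonceLen+4 {
		return ErrFormat
	}
	plain := make([]byte, len(ct)-nonceLen)
	cipher.NewCTR(block, ct[:nonceLen]).XORKeyStream(plain, ct[nonceLen:])
	d.Installed = binary.BigEndian.Uint32(plain[:4])
	d.Body = append([]byte(nil), plain[4:]...)
	return nil
}

func main() {
	body := []byte("RADIO_CHANNEL=05;REPORT=ON") // constructed config blob inside the image
	off := 4 + len("RADIO_CHANNEL=0")             // offset of the '5' within version||body
	key := make([]byte, 32)                       // update key; the attacker never learns it
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, _ := EncryptCTR(key, PlainImage(3, body))
	FlipPlaintextByte(ct, off, '5', '9')
	weak := &Device{Installed: 1}
	err := weak.InstallEncryptedOnly(key, ct)
	fmt.Println("encrypted-only:", err, string(weak.Body))
	pub, priv := NewVendorKey()
	img := SignImage(priv, 3, body)
	img[off] = '9' // the same edit against a signed image
	dev := &Device{VendorPub: pub, Installed: 1}
	fmt.Println("signed:", dev.Install(img))
}
```

The attacker in the encrypted-only path needs nothing but the image layout, which is exactly what a field-deployed device leaks to anyone who can dump one. Signing fixes that; it does not replace encryption where the vendor wants to slow down reverse engineering, so the two are normally layered, with the signature verified over the ciphertext or the decrypted image before anything is written to flash.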
“[W]hile code signing/firmware encryption may be required on older ground sensor models, newer hardware versions have this option, but older versions cannot be updated without a replacement (eg,” ICS-CERT wrote to Cerrudo.
“If you can provide details about a vulnerability that is being exploited in this or other products, ICS-CERT will re-examine the issue at that time,” said Matthew Kress-Weitenhagen, vulnerability coordinator for ICS-CERT.
According to Cerrudo, ICS-CERT’s stance on the reported bugs is troubling: the CERT accepted Sensys Networks’ statement that it does not consider the issues to be flaws because the systems are not accessible over the Internet.
The justifications, says Cerrudo, “are mostly nonsense. As if the ICS-CERT guys don’t understand and buy what the seller says. But I made it clear to CERT that there was no encryption or authentication and that anyone could take over the sensors.”
“[It’s funny] how they get all this information affecting the national infrastructure and end up with no solution,” he says.
Traffic light networks are not only used to regulate the flow of traffic: the sensors can also count vehicles in a given part of the city, or monitor the movement of vehicles by detecting the same vehicle at different sensors placed around the metropolitan area. This data could allow bad actors or governments to track specific vehicles, infringing on users’ privacy.
According to information released by Sensys, it has deployed more than 1,300 wireless sensors in Washington, DC to collect data on traffic speed, vehicle count and occupancy to “optimize real-time congestion management and emergency response.” But the city is also where the US president lives, so there is speculation that such systems could be upgraded and integrated into a surveillance system that also draws on data from cameras located around the city and on any other information about the local population from various sources.
For this reason, I think we need to be aware that such a system could pose a serious threat to privacy and security in the event of cyber attacks.
Hacking traffic light systems is an increasingly discussed topic among security experts, and one that has become popular with the general public thanks to the film industry.
A study by security researchers at the University of Michigan, led by computer scientist J. Alex Halderman, confirmed Cerrudo’s findings: according to the researchers, it is very easy to hack traffic light systems.
The team explained how bad actors can attack traffic light networks without special knowledge; in this case, too, a laptop and a suitable radio are enough.
Figure 6 – Traffic intersection scheme
As shown in the image above, a modern traffic intersection consists of the following components:
- Sensors for vehicle detection and infrastructure monitoring.
- Controllers that receive data from the sensors and drive the light states, for example according to different policies, fully automatically on the basis of the real-time information provided by the sensors.
- Communication channels, which can be optical, electrical or wireless.
- A Malfunction Management Unit (MMU) that handles potential conflicts through hardware-level safety mechanisms, in practice ensuring that the lights are always in a valid state.
The researchers published a paper describing the experiments they performed and the techniques they used to exploit the security vulnerabilities in traffic light control systems.
In particular, in a live test conducted with the cooperation of the local road agency, the experts very easily and quickly gained control of a system of roughly 100 traffic signals in an unnamed Michigan city from a single point of access.
“We examine the networked traffic signal system currently deployed in the United States and discover a number of safety flaws that exist due to systemic design failures. We use these flaws to create attacks that gain control of the system and successfully demonstrate them for deployment in coordination with the authorities. Our attacks show that an adversary can control the transport infrastructure and cause disruption, reduce security or gain an unfair advantage.”
“The vulnerabilities we discover in infrastructure are not the fault of any device or design choice, but rather show a systemic lack of security awareness,” the paper said.
The experts identified three major weaknesses in the nation’s transportation systems that could allow anyone to hack traffic light networks:
- Unencrypted radio signals.
- Network devices lacking secure authentication.
- Traffic controllers vulnerable to known exploits.
As the experts explained, wireless radio links (a combination of 5.8 GHz and 900 MHz) are very common in traffic light systems because they reduce the cost of installing and maintaining the network.
The 900 MHz links implement a “proprietary frequency hopping spread spectrum (FHSS) protocol”, while the 5.8 GHz version of the proprietary protocol is similar to 802.11n.
“The proprietary protocol is similar to 802.11 and broadcasts an SSID that is visible from standard laptops and smartphones but cannot be connected to. In order for the slave radio to connect correctly, it must use the correct protocol and know the SSID of the network. Wireless connections are unencrypted and radios use factory default usernames and passwords. The configuration software for these radios accepts customized logins, but assumes that the same username and password are used on all radios in the network,” the paper states.
Anyone with a laptop and a radio operating on the same frequency as the network beacon (5.8 GHz) can join the network, because the communication is not encrypted.
The researchers showed that they could infiltrate the traffic light control network and, once in, communicate with the controllers, which run VxWorks version 5.5. Unfortunately, this version leaves a debug port used for testing open by default, and the researchers took advantage of it.
“By sniffing the packets sent between the controller and this program, we found that the communication with the controller is not encrypted, requires no authentication, and can be replayed. Using this information, we were then able to reverse engineer parts of the communication structure,” the paper states.
Once again, the unprotected communication allowed the researchers to reverse engineer the protocol; with access to the debug port, they were able to send commands that control the lights or change the timing of neighboring intersections.
“Different command packets differ only in the last byte, allowing an attacker to easily determine the remaining commands once one has been discovered. We have created a program that allows the user to activate any button on the controller and then display the results to the user. We’ve also created a library of commands that enable scriptable attacks. We tested this code in the field and were able to access the controller remotely.”
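The properties the Michigan team describes (cleartext, no authentication, replayable commands, and command packets that differ only in their last byte) are also what a defender can key on. The following is an added example, not from the paper or from any vendor, of detection logic in Go over a constructed capture log; the IP addresses, payload bytes and log format are invented and the real controller protocol is not reproduced. It raises an alert when a host outside the management allow list sends commands to the controller, when a payload first sent by a management station is later replayed byte-for-byte by another host, and when one host sends a burst of packets that differ only in their final byte, the signature of someone enumerating the command space.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Packet is one line of the constructed capture log used here:
//   <timestamp> <src> <dst> <hex payload>
// The payload bytes are invented for the example and are not the real controller protocol.
type Packet struct {
	TS, Src, Dst string
	Data         []byte
}

func ParseLog(log string) ([]Packet, error) {
	var pkts []Packet
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", n+1, len(f))
		}
		data, err := hex.DecodeString(f[3])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		pkts = append(pkts, Packet{TS: f[0], Src: f[1], Dst: f[2], Data: data})
	}
	return pkts, nil
}

type Alert struct {
	Rule, Src, Detail string
}

// Detect applies three rules to traffic addressed to the controller:
//   unauthorized-source: commands from a host that is not a known management station
//   replay: a payload first sent by one host, later sent byte-for-byte by another
//   command-enumeration: one host sending >= threshold packets that differ only in the last byte
// Each rule fires once per (source, key) so a burst does not flood the console.
func Detect(pkts []Packet, controller string, allowed map[string]bool, threshold int) []Alert {
	var alerts []Alert
	unauth := map[string]bool{}
	firstSender := map[string]string{}
	replayed := map[string]bool{}
	type prefixKey struct{ src, prefix string }
	lastBytes := map[prefixKey]map[byte]bool{}
	enumerated := map[prefixKey]bool{}

	for _, p := range pkts {
		if p.Dst != controller || len(p.Data) == 0 {
			continue // only commands to the controller matter here
		}
		hx := hex.EncodeToString(p.Data)
		if !allowed[p.Src] && !unauth[p.Src] {
			unauth[p.Src] = true
			alerts = append(alerts, Alert{"unauthorized-source", p.Src, "first command seen at " + p.TS})
		}
		if first, seen := firstSender[hx]; !seen {
			firstSender[hx] = p.Src
		} else if first != p.Src && !replayed[p.Src+"/"+hx] {
			replayed[p.Src+"/"+hx] = true
			alerts = append(alerts, Alert{"replay", p.Src, "payload " + hx + " originally from " + first})
		}
		k := prefixKey{p.Src, hx[:len(hx)-2]}
		if lastBytes[k] == nil {
			lastBytes[k] = map[byte]bool{}
		}
		lastBytes[k][p.Data[len(p.Data)-1]] = true
		if len(lastBytes[k]) >= threshold && !enumerated[k] {
			enumerated[k] = true
			alerts = append(alerts, Alert{"command-enumeration", p.Src,
				fmt.Sprintf("%d variants of prefix %s", len(lastBytes[k]), k.prefix)})
		}
	}
	return alerts
}

func CountByRule(alerts []Alert) map[string]int {
	c := map[string]int{}
	for _, a := range alerts {
		c[a.Rule]++
	}
	return c
}

// SampleLog is constructed: 10.0.5.10 is the agency's management station,
// 10.0.5.20 the controller, 10.0.5.77 a radio that joined the unencrypted link.
const SampleLog = `
2014-07-01T10:00:01 10.0.5.10 10.0.5.20 aa5500010001
2014-07-01T10:00:02 10.0.5.10 10.0.5.20 aa5500010002
2014-07-01T10:00:03 10.0.5.20 10.0.5.10 aa55ff010000
2014-07-01T10:05:00 10.0.5.77 10.0.5.20 aa5500010001
2014-07-01T10:05:01 10.0.5.77 10.0.5.20 aa5500010003
2014-07-01T10:05:02 10.0.5.77 10.0.5.20 aa5500010004
2014-07-01T10:05:03 10.0.5.77 10.0.5.20 aa5500010005
`

func main() {
	pkts, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(pkts, "10.0.5.20", map[string]bool{"10.0.5.10": true}, 4) {
		fmt.Printf("%-20s %-10s %s\n", a.Rule, a.Src, a.Detail)
	}
}
```

The allow list and threshold are deliberately simple. On a real 5.8 GHz link the first rule only works if the capture point sits on the wired side of the radio, and a threshold of four will miss a patient attacker who spaces out his probes. The replay rule is the durable one: an unauthenticated protocol cannot stop replays, so a management payload reappearing from a different address is strong evidence of exactly the attack the paper describes.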
The researchers also showed that a bad actor who has infiltrated the network can carry out a wide variety of attacks, including:
- A denial-of-service (DoS) attack on the controlled intersections, causing traffic congestion. As the researchers explained, an attacker could set all the lights to red or trigger the MMU by attempting an unsafe configuration; the latter is particularly serious because it requires a physical visit by maintenance personnel to restore normal operation.
- Traffic congestion caused by manipulating the timing of an intersection relative to its neighbors, with an impact on the entire transportation infrastructure. Such attacks have a significant financial impact on the target community, as numerous studies show.
- Controlling the lights for personal gain; as the researchers explained, “the lights could be changed to red in coordination with another attack to cause traffic congestion and slow the response of an emergency vehicle.”
The studies presented in this post show that traffic control systems are vulnerable to cyber attacks; fortunately, it is possible to improve the security of the components and internal interconnections of traffic light control systems to prevent major incidents. We have seen that an attacker can launch a denial of service attack or cause a traffic jam as a diversion within a more sophisticated attack.
As all the researchers involved in these studies noted, the main problem is a lack of awareness of the cyber threat: the vendors of traffic controllers did not properly handle the vulnerability disclosures from the security community, and companies only ensure compliance with current industry standards, which do not adequately address security.
The next generation of traffic control systems must be built with security in mind from the design stage; fortunately, governments are beginning to understand the criticality of these environments and the risk of major attacks.
The researchers suggest manufacturers and operators improve the security of traffic light systems by using encrypted communication between infrastructure components, digitally signing the firmware running on each component to prevent software modifications, and not using default credentials.
Let me close with a thought: traffic light systems are just one example of the larger Internet of Things family, and many other devices we use every day have similar vulnerabilities that threat actors are increasingly targeting.