Hacks on widely used traffic control gear could cause gridlock and chaos

Widely used gear in the US and abroad vulnerable to low-cost attacks.

by Dan Goodin - Apr 30 2014, 5:14pm EDT

Sensys Networks

Hacks that allow spies, villains, or terrorists to manipulate traffic signals may seem like the exclusive province of action movies, but a well-known security researcher says they're not as far-fetched as many people may think.

Cesar Cerrudo of security penetration testing firm IOActive said he has identified more than 50,000 devices in New York, Washington DC, Los Angeles, and cities in at least seven countries around the world that can be hacked using inexpensive gear that's easy and—at least in the US—legal to obtain and operate. The equipment Cerrudo used included a drone flying at heights of 650 feet and radio hardware that sells for $100. With more sophisticated transmitters, antennas, and other hardware, he said an attacker could be as far away as two miles from the targeted signals.

In a blog post published Wednesday, he wrote:

By exploiting the vulnerabilities I found, an attacker could cause traffic jams and problems at intersections, freeways, highways, etc. It's possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green (I bet many of you have experienced something like this as a result of driving during non-traffic hours late at night or being on a bike or in a small car), or flash. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed.

These traffic problems could cause real issues, even deadly ones, by causing accidents or blocking ambulances, fire fighters, or police cars going to an emergency call.

The attacks are made possible by traffic control devices that can be monitored or tampered with by unauthorized parties who are nearby. Elsewhere in the post, Cerrudo wrote:

The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less). I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment; I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US. It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.

Cerrudo omitted the maker of the traffic devices and the techniques for carrying out the attacks. According to an article published by Wired, however, the manufacturer is Sensys Networks. The hack works by monitoring the radio signals sent and received by sensors that measure environmental variables such as the amount of traffic at an intersection and the travel speeds of vehicles in the area. The proprietary radio protocol communicates with no encryption, making it possible for people to monitor or tamper with the signal contents, which are used to determine whether a traffic light should stay green or turn red, display a particular message, or alert authorities to a potential emergency.

Traffic control systems are only the latest devices shown to be vulnerable to hacks that could compromise public safety. Two weeks ago, IOActive demonstrated how mission-critical satellite communications used by Western militaries and international aeronautics and maritime systems were also open to attacks. And as long ago as 2007, researchers demonstrated a hack for spoofing travel information messages displayed on satellite navigation systems used by Italian drivers.

Cerrudo said he alerted the device manufacturer through ICS-CERT, which is connected to the US Department of Homeland Security. He said the company "said they didn't think the issues were critical nor even important." One vulnerability, he added, was reported as fixed on newer versions of the device, a move that saddles cities and states that have vulnerable gear in place with the considerable cost of ripping out old devices and installing new ones.

"I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn't convince them," Cerrudo wrote. "In the end I said, if the vendor doesn't think they are vulnerable then OK, I'm done with this; I have tried hard, and I don't want to continue wasting time and effort."

Listing image by Horia Varlan.