Hacking traffic light systems, it’s so easy

Pierluigi Paganini August 22, 2014

A new study conducted by security researchers at the University of Michigan demonstrated that it is easy to hack traffic light systems.

Hacking traffic lights is a serious menace for the population. Many people believe it is possible only in the movies, but unfortunately it is a frightening reality.

In May I told you about an interesting study conducted by security expert Cesar Cerrudo, CTO at IOActive, which investigated the security of components within control systems for traffic lights and electronic signs in different cities around the world, discovering an alarming reality. The researcher found several systems vulnerable to a number of cyber attacks, for example the spreading of malware within a network of similar systems.
A new study conducted by security researchers at the University of Michigan, led by computer scientist J. Alex Halderman, demonstrated that it is very easy to hack traffic light systems without any particular expertise: an attacker just needs a laptop and a specific radio system.
The researchers issued a paper describing the exploitation of security vulnerabilities in traffic light systems. The team very easily and very quickly obtained control of at least 100 traffic signals in an unnamed Michigan city from a single point of access, a local road agency.

“We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leverage these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage. The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness,” states the paper.

The experts identified three major weaknesses in the national traffic systems which potentially allow anyone to hack the traffic lights network:
  • unencrypted radio signals,
  • the use of factory-default usernames and passwords, and
  • a debugging port that is easy to attack.
As the experts explain, the use of wireless radio transmissions (a combination of 5.8GHz and 900MHz radio signals) is very common in traffic light systems because it reduces the cost of installing and maintaining the networks.
The 900MHz links used in the traffic light systems implement “a proprietary protocol with frequency hopping spread-spectrum (FHSS),” while the 5.8GHz version of the proprietary protocol is similar to 802.11n.
“The proprietary protocol is similar to 802.11 and broadcasts an SSID which is visible from standard laptops and smartphones but cannot be connected to. In order to properly connect, a slave radio must use the proper protocol and know the network SSID. The wireless connections are unencrypted and the radios use factory default usernames and passwords. The configuration software for these radios accepts customized credentials but assumes that the same username and password are used across all radios on the network,” states the paper.
Anyone with a laptop and a radio operating on the same frequency as the networked traffic lights (5.8 GHz) could access the network, because the communication is not encrypted.
The researchers demonstrated that they were able to infiltrate the networks of traffic light control systems; once they had gained access, they were able to communicate with controllers running VxWorks 5.5. Unfortunately, this version by default exposes a debug port used for testing, and the researchers exploited it.

“By sniffing packets sent between the controller and this program, we discovered that communication to the controller is not encrypted, requires no authentication, and is replayable. Using this information, we were then able to reverse engineer parts of the communication structure,” the paper reads.

Once again, an unprotected communication channel allowed the researchers to reverse engineer the protocol. Once they controlled the debug port, the experts were able to send commands to control the lights or alter the timing of neighboring intersections.

“Various command packets only differ in the last byte, allowing an attacker to easily determine remaining commands once one has been discovered. We created a program that allows a user to activate any button on the controller and then displays the results to the user. We also created a library of commands which enable scriptable attacks. We tested this code in the field and were able to access the controller remotely.”

The researchers also demonstrated that a bad actor could perform a denial-of-service (DoS) attack on controlled intersections, blocking the traffic lights.
The researchers recommend that manufacturers and operators improve the security of traffic light systems by encrypting communications and by not using default credentials.
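As an added illustration of the recommendations above and of the unauthenticated, replayable command channel described earlier (this is example code, not the researchers' or any vendor's), the following Python sketch shows how a controller can authenticate each command frame with a per-link shared key and refuse replays with a monotonic counter. The frame layout, the shared key and the command bytes are assumptions constructed for the example; payload encryption for confidentiality is deliberately left out to keep the focus on authentication and freshness.

```python
import hashlib
import hmac
import os
import struct

SEQ_LEN = 8    # 64-bit monotonically increasing counter, sent in the clear
TAG_LEN = 32   # HMAC-SHA256 tag over counter + command

class CommandSender:
    """Operator side: prefixes a fresh counter and appends an HMAC to each command."""
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def build(self, command: bytes) -> bytes:
        self.seq += 1
        body = struct.pack(">Q", self.seq) + command
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class CommandReceiver:
    """Controller side: acts on a frame only if the tag verifies and the counter is fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def verify(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("malformed", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("bad_mac", None)   # forged, or a byte altered in transit
        seq = struct.unpack(">Q", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return ("replay", None)    # a captured frame sent again is refused
        self.last_seq = seq
        return ("ok", body[SEQ_LEN:])

def demo():
    """Legitimate command, its replay, a frame with the last byte flipped, then a fresh command."""
    key = os.urandom(32)                    # constructed per-link secret, never a factory default
    sender, receiver = CommandSender(key), CommandReceiver(key)
    frame1 = sender.build(b"\x01\x00\x07")  # constructed command bytes, not the real protocol
    results = [receiver.verify(frame1)[0], receiver.verify(frame1)[0]]  # "ok", then "replay"
    frame2 = bytearray(sender.build(b"\x01\x00\x07"))
    frame2[SEQ_LEN + 2] ^= 0x01             # change only the last command byte
    results.append(receiver.verify(bytes(frame2))[0])                   # "bad_mac"
    results.append(receiver.verify(sender.build(b"\x01\x00\x08"))[0])   # "ok"
    return results
```

Because the tag covers the whole frame, altering just the last byte to obtain a different command, as the paper notes is possible on the unauthenticated protocol, is rejected along with any captured frame that is sent a second time.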

“While traffic control systems may be built to fail into a safe state, we have shown that they are not safe from attacks by a determined adversary,” the paper concluded.

The problem is that traffic light systems are just one example of the Internet of Things (IoT): many other similar systems are in daily use by all of us, and all of them are vulnerable.

Pierluigi Paganini

(Security Affairs – Traffic light systems, hacking)  
