Criminals monkeying with traffic lights are a staple of cinema: the 1969 Italian Job and Luc Besson's Taxi are particularly fine examples. Now researchers have demonstrated that fact is much less glamorous – and simpler – than fiction.
In a paper [PDF] delivered to the USENIX Security 2014 conference this week, a team led by University of Michigan computer scientist Alex Halderman has found that some traffic signals and their controllers in the US can be hijacked in minutes.
Halderman and co claim this is possible from half a mile away with nothing more than a laptop and some radio broadcast equipment, since the electronics behind the lights communicate using almost no security checks.
To make matters worse, when the team approached the maker of the vulnerable traffic systems equipment, the academics were brushed off. The unnamed manufacturer apparently told the researchers that it "followed the accepted industry standard and it is that standard which does not include security," and thus plans no changes.
Traffic lights have evolved from simple mechanical timers of yesteryear: roadside signals these days are wired up to computers in boxes usually seen at traffic intersections. More recently, the lights communicate wirelessly with each other, with one light pole in particular – the root node in the network – connecting to a management server controlled by a human operator.
All the lights have a safety subsystem called a malfunction management unit (MMU). This has all the allowable light sequences hardwired into its circuit board, and the allowable timings for each state. If the unit receives a duff command to enter an unsafe state, the electronics fall back to blinking the red lamp until manually reset.
Thus, while it's not possible to force the lamps into weird combinations, such as red and green together, it's possible to cause congestion, or simply force the system into blinking-red mode to confuse drivers.
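The following is an added example, not code from the article or from the USENIX paper, that models the malfunction management unit described above: a hard-wired table of permitted lamp combinations, permitted transitions and minimum dwell times, with any command outside that table dropping the intersection into flashing red until a manual reset. The two-approach intersection, the permitted-state table and the timings are constructed for illustration and are not taken from any real controller.

```python
"""Toy model of a traffic-signal malfunction management unit (MMU).

Added example; the intersection layout, permitted states and timings below
are constructed for illustration, not taken from any real controller.
"""
from dataclasses import dataclass, field

RED, YELLOW, GREEN, FLASH = "red", "yellow", "green", "flashing_red"
APPROACHES = ("north_south", "east_west")

# Constructed permitted lamp combinations: at most one approach is non-red.
PERMITTED_STATES = {
    (RED, RED), (GREEN, RED), (YELLOW, RED), (RED, GREEN), (RED, YELLOW),
}
# Constructed permitted transitions for a single approach.
NEXT_ALLOWED = {GREEN: {GREEN, YELLOW}, YELLOW: {YELLOW, RED}, RED: {RED, GREEN}}
# Constructed minimum dwell times in seconds before a lamp may change.
MIN_DWELL = {GREEN: 5.0, YELLOW: 3.0, RED: 1.0}


@dataclass
class MMU:
    state: tuple = (RED, RED)   # current lamp per approach
    entered_at: float = 0.0     # time the current state was entered
    faulted: bool = False
    log: list = field(default_factory=list)

    def request(self, new_state, now):
        """Apply a controller command at time `now`; return True if accepted."""
        if self.faulted:
            self.log.append(f"{now}: ignored {new_state}, in flashing-red fault mode")
            return False
        reason = self._check(new_state, now)
        if reason:
            # Unsafe command: override the lamps and hold flashing red.
            self.faulted = True
            self.state = (FLASH, FLASH)
            self.log.append(f"{now}: FAULT {reason}; falling back to flashing red")
            return False
        if new_state != self.state:
            self.state, self.entered_at = new_state, now
        return True

    def _check(self, new_state, now):
        """Return a reason string if `new_state` violates the hard-wired table."""
        if new_state not in PERMITTED_STATES:
            return f"conflicting combination {new_state}"
        held = now - self.entered_at
        for approach, old, new in zip(APPROACHES, self.state, new_state):
            if new not in NEXT_ALLOWED[old]:
                return f"{approach}: illegal transition {old}->{new}"
            if old != new and held < MIN_DWELL[old]:
                return f"{approach}: {old} held {held:.1f}s, minimum {MIN_DWELL[old]}s"
        return None

    def reset(self):
        """Manual reset by a technician: clear the fault and return to all-red."""
        self.faulted = False
        self.state, self.entered_at = (RED, RED), 0.0


def run_sequence(commands):
    """Feed (time, state) commands to a fresh MMU and return it for inspection."""
    mmu = MMU()
    for now, state in commands:
        mmu.request(state, now)
    return mmu


if __name__ == "__main__":
    cycle = [(0, (RED, RED)), (1, (GREEN, RED)), (10, (YELLOW, RED)),
             (13, (RED, RED)), (14, (RED, GREEN))]
    print(run_sequence(cycle).state)                       # normal cycle accepted
    print(run_sequence([(0, (RED, RED)), (1, (GREEN, GREEN))]).log)  # conflict
```

Note what the model does and does not catch: a conflicting combination, a skipped yellow, or a yellow cut short all trip the fault, but a green stretched far beyond its minimum is accepted, which is exactly the residual risk the article goes on to describe.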
Getting into the control boxes physically to meddle with the system is always an option, but the team wanted to work entirely wirelessly. A Michigan traffic authority, operating just under 100 traffic lights spread over a large area of suburban sprawl, gave the team permission to investigate and they set to work.
"Don't mind us, just a friendly repair crew."
The traffic light network uses a mix of industry-standard radios using 5.8GHz and 900MHz to communicate wirelessly. The 5.8GHz system gives relatively high data rates for point-to-point communications, while the 900MHz signal is good for non-line-of-sight links.
The 5.8GHz channels were easy to hack, we're told: the kit uses a proprietary protocol based on 802.11 to communicate – the SSID can be identified by nearby computers but they cannot connect. However, simply plugging a similar radio system from the lights' manufacturer into, say, a laptop enables access to the traffic network, the researchers said.
The wireless packets exchanged between the stations are unencrypted. The team found that the username and password hadn't been changed from the factory defaults, the details of which are easily found online. Once in, the researchers had access to all equipment on the network.
The 900MHz radios were a slightly tougher nut to crack, since they use a frequency-hopping spread-spectrum system for communications and a proprietary communications protocol. However, again, purchasing compatible hardware solves that problem.
Once in range, the team needed to know a valid ID number to communicate with the network, and luckily that ID number is only 16 bits wide and thus can be brute-forced in minutes.
Once inside the network the team got to work on the central controllers, which were running the VxWorks 5.5 operating system. A now-patched flaw in the embedded OS left a debugging service enabled on the controller that would allow complete control of the system, and none of the traffic controllers in the sample group were patched. The debug access allowed arbitrary reads and writes to RAM, which could ultimately let the team direct the flow of traffic.
The group also found they could open an FTP connection to the controller server and access it the old-fashioned way by using the default username and password. These credentials have been helpfully published online by the manufacturer.
Once inside the FTP site, the researchers found they could access configuration files to reset the timing systems on light changes – without tripping the MMU, of course. But the MMU did allow all the intersection lights to be set to red, which could be used as a safety feature by traffic authorities in emergency situations.
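The weaknesses in the three paragraphs above (unchanged factory credentials, a debug service left enabled, unencrypted radio links, and management logins accepted from any station that can reach the network) are the kind a traffic authority can audit itself. The following is an added example, not code from the article or the paper, that checks a controller's configuration against a list of vendor defaults and flags successful management logins from outside the operator's own maintenance network. The configuration keys, the default-credential pairs, the log line format and the addresses are all constructed placeholders; an operator would substitute the real vendor defaults and real maintenance subnets.

```python
"""Audit traffic-controller configuration and login records.

Added example; the credential list, configuration keys, log format and
addresses are constructed placeholders, not real vendor or operator values.
"""
import ipaddress
import re

# Constructed placeholder vendor defaults (not any real product's values).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("operator", "operator")}
# Constructed: the only networks the operator's maintenance staff connect from.
MAINTENANCE_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def audit_config(cfg):
    """Return a list of findings for one controller's configuration dict."""
    findings = []
    if (cfg.get("ftp_user"), cfg.get("ftp_password")) in DEFAULT_CREDENTIALS:
        findings.append("ftp: factory-default credentials still in use")
    if cfg.get("debug_service_enabled"):
        findings.append("os: debug service enabled; allows arbitrary memory access")
    if not cfg.get("radio_encryption"):
        findings.append("radio: link unencrypted; credentials and commands readable over the air")
    return findings


# Constructed log line shape: "<timestamp> <service> login <ok|fail> user=<name> from=<ip>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+) login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def audit_logins(lines):
    """Flag successful management logins from hosts outside MAINTENANCE_NETS.

    Returns (timestamp, service, user, source) tuples; unparseable lines are skipped.
    """
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m or m["result"] != "ok":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if not any(src in net for net in MAINTENANCE_NETS):
            findings.append((m["ts"], m["svc"], m["user"], str(src)))
    return findings


# Constructed sample configurations: the weak state beside the corrected one.
WEAK_CONFIG = {"ftp_user": "admin", "ftp_password": "admin",
               "debug_service_enabled": True, "radio_encryption": False}
HARDENED_CONFIG = {"ftp_user": "svc-signals", "ftp_password": "per-site-random-secret",
                   "debug_service_enabled": False, "radio_encryption": True}

# Constructed sample login records.
SAMPLE_LOG = [
    "2014-08-20T08:01:10 ftp login ok user=svc-signals from=10.20.0.15",
    "2014-08-20T08:05:42 ftp login fail user=admin from=10.20.7.9",
    "2014-08-20T08:06:03 ftp login ok user=admin from=10.20.7.9",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print("config:", f)
    for f in audit_logins(SAMPLE_LOG):
        print("login:", f)
```

The login check deliberately ignores failed attempts; a defender looking for the brute-force activity the article mentions would count failures per source separately, but the immediate question after reading this piece is whether anyone outside the maintenance network has already succeeded.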
While this could cause chaos, the team noted that a more subtle criminal could work within the constraints of the MMU to influence traffic patterns to their advantage. Alternatively, someone could create the ultimate car accessory: a radio that could green-light their entire trip.
"While other deployments may use different wireless radios or even wired connections between intersections we have no reason to believe there are any fundamental differences between the network we studied and other traffic signal systems," the researchers concluded.
"We believe that many traffic infrastructure devices created by various vendors and installed by various transportation departments will have similar security properties due to a lack of security consciousness in the entire field." ®