It's Easy To Hack Traffic Lights

← Back to Stories (view on slashdot.org)

It's Easy To Hack Traffic Lights

Posted by Soulskill on Friday August 22, 2014 @12:47AM from the looking-forward-to-the-mobile-app dept.

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

144 comments

Min score:

Reason:

Sort:

Old news by neglogic · 2014-08-22 00:52 · Score: 4, Informative

This was central to the plot of the Italian Job. The real Napster took care of it.
1. Re:Old news by ArcadeMan · 2014-08-22 00:53 · Score: 1
  
  This only proves that Italian traffic lights are easy to hack.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
2. Re:Old news by the_skywise · 2014-08-22 01:29 · Score: 1
  
  ptphpt... Zero Cool did it while the real Napster was still in diapers.
3. Re: Old news by andy_spoo · 2014-08-22 02:03 · Score: 1
  
  The 'Italian Job' was the first thing I thought of when I read that as well. It's got to be done, sorry, but "You're only ment to blow the bloody doors off" :-)
4. Re:Old news by Anonymous Coward · 2014-08-22 02:58 · Score: 0
  
  Professor Peach did it before Zero Cool was a gleam in his father's eye.
  (Good name: Zero Cool is quite descriptive of how cool he actually is.)
5. Re: Old news by Anonymous Coward · 2014-08-22 03:05 · Score: 0
  
  Watch the movie. The last job is like the Italian job only in how they relocate the safe. The last job takes place in LA.
6. Re:Old news by Kozar_The_Malignant · 2014-08-22 03:34 · Score: 2
  
  This only proves that Italian traffic lights are easy to hack.
  Who cares? No one pays attention to Italian traffic lights anyway. A red light is not even a suggestion; it's an insult.
  
  --
  Some mornings it's hardly worth chewing through the restraints to get out of bed.
7. Re: Old news by k6mfw · 2014-08-22 03:41 · Score: 2
  
  same with me, hacking traffic lights and reminded me of Benny Hill as the professor inserting hacked tape into the control system deck. Michael Caine said to the other members of his team though professor had "interesting reading material" to not make fun of him because he is very important for the job. I saw the movie last month (previously saw it in 1970s), featured the Mini Coopers that were screamers (back in the days almost all small cars were slow), Italian constantly honking horns (most in those little Fiats). In real life they do that even when traffic isn't moving.
  
  --
  mfwright@batnet.com
8. Re:Old news by k6mfw · 2014-08-22 03:58 · Score: 1
  
  This only proves that Italian traffic lights are easy to hack.
  but how many young techies know how to hack something like this,
  http://www.wired.com/wp-conten...
  
  --
  mfwright@batnet.com
9. Re: Old news by rHBa · 2014-08-22 04:56 · Score: 1
  
  Sorry, mis-moderated...
10. Re:Old news by davester666 · 2014-08-22 05:43 · Score: 1
  
  A red light is a request to accelerate.
  
  --
  Sleep your way to a whiter smile...date a dentist!
11. Re:Old news by Anonymous Coward · 2014-08-27 10:35 · Score: 0
  
  The field test of this exploit was conducted in a small un-named town in upstate Wisconsin. No where near Italy.
See: Hackers(1995) by Anonymous Coward · 2014-08-22 00:54 · Score: 0

n/t
Welcome to the Information Age! by sinij · 2014-08-22 00:55 · Score: 5, Insightful

It is scary how many industries (e.g. autos, "smart" electronics, control systems) are decades behind state of the art security. We will have a lot of growing pains to get out "only computer guys need to do this".
1. Re:Welcome to the Information Age! by Mr+D+from+63 · 2014-08-22 01:07 · Score: 5, Informative
  
  From TFA,
  
  In fact, the most upsetting passage in the entire paper is the dismissive response issued by the traffic controller vendor when the research team presented its findings. According to the paper, the vendor responsible stated that it "has followed the accepted industry standard and it is that standard which does not include security."
  Don't blame the vendor, blame the standard. The vendor that includes security in his bid will have a higher price and lose to the vendor that doesn't.
2. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 01:12 · Score: 0
  
  Not really that scary unless you are paranoid.
  The effort to kill someone is far less than the effort needed to hack the traffic lights. Why don't we put more effort in making it harder to kill people? Well, the main reason is that the vast majority of the population has no interest in killing.
  You can walk around feeling safe, knowing that no one has any particular interest in killing you. If they wanted to they could have shot you years ago when you went to the grocery store.
3. Re:Welcome to the Information Age! by sinij · 2014-08-22 01:16 · Score: 2
  
  This is not "going after you" concern, this is general mayhem concern.
  
  Single stoplight can easily add +10 minutes of traffic to my commute. I imagine once Metasploit module for this comes out, some script kiddie would be able to turn everyone's commute to living hell for a considerable period of time.
4. Re:Welcome to the Information Age! by gtall · 2014-08-22 01:18 · Score: 2
  
  A tree limb falls on a vehicle and kills the driver. When asked about it, the county highway department issued a statement saying that tree had never shown any intent to fall before and hence there was no reason to suspect that it would fall this time. The public can feel safe knowing that trees do not have any particular interest in killing you. If they wanted to do, they could have fallen on you years ago when you went to the grocery store.
5. Re:Welcome to the Information Age! by sinij · 2014-08-22 01:20 · Score: 4, Insightful
  
  "Acceptable industry standard" is not a standard, it is status quo. You have to blame municipalities for complete lack of understanding of these security concerns.
  
  Next, script kiddies causing couple fender-benders and every municipality having to upgrade traffic light systems at a "I want it yesterday" premium. Then higher property taxes to pay for such monumental lack of planning and foresight.
6. Re:Welcome to the Information Age! by Chris+Mattern · 2014-08-22 01:22 · Score: 3, Insightful
  
  And who will be blamed? Why, the researchers who discovered this incredible negligence, of course! "If you hadn't shown the hackers how to do it, we never would have this problem!"
7. Re:Welcome to the Information Age! by rmdingler · 2014-08-22 01:24 · Score: 2
  
  Nothing will be done until the vulnerability is exploited, and even then it will be measured against a cost/benefit actuarial table.
  "Since a clean room will eventually devolve into a dirty room, there's no point in cleaning it."
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
8. Re:Welcome to the Information Age! by sinij · 2014-08-22 01:27 · Score: 1
  
  This is indeed the likely outcome of this debacle. If it comes to court, I will personally pitch-in for defense fund.
  
  Still, it is surprising that nobody looked into these systems before. The technology to do so existed for many years.
9. Re:Welcome to the Information Age! by Mr+D+from+63 · 2014-08-22 01:27 · Score: 3, Insightful
  
  Most of those who do the purchasing are required to enforce the standards. Deviating, even with the intent of improvement, can bring unintended consequences and blame. For instance, add security, then all of the sudden maintenance access doesn't work because its different, complaints and blame fly. Just one possible example of many things that can happen, thus they have standards and are required to use them.
10. Re:Welcome to the Information Age! by nine-times · 2014-08-22 01:30 · Score: 3, Insightful
  
  No, it's scary how much we still don't care about security. These things could definitely be fixed, we just don't care to fix them. We don't demand security in the first place, we aren't willing to pay for security, and we aren't really willing to fix security when it's broken. People will run around looking for blood for 5 minutes when it's discovered that there are huge security flaws, but nobody will fix them.
  Remember all the news when it was discovered that a person could easily and untraceably hack voting machines? Do you think that was ever fixed? The way we use credit cards is insecure. Most email is unencrypted. We use Social Security Numbers as both an identifier and a form of authentication.
  Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.
11. Re:Welcome to the Information Age! by jonwil · 2014-08-22 01:34 · Score: 1
  
  I recon if you were trying to convince someone to take security of critical infrastructure, one way to do it would be to show them Die Hard 4.0 (best example I know of when it comes to hackers breaking into infrastructure) and say "this may only be a Hollywood movie but do you want to be the one who said "no" to better security when that shit happens for real?"
12. Re:Welcome to the Information Age! by mlts · 2014-08-22 01:48 · Score: 2
  
  I know what the reply will be:
  "The hackers would have gotten in no matter what we would have done."
13. Re:Welcome to the Information Age! by Lumpy · 2014-08-22 01:48 · Score: 4, Insightful
  
  "we aren't willing to pay for security" It's worse than that. IT also stems from the fact that people in charge. The guys making big bucks making decisions are horribly undereducated.
  If you ask the guy that is in charge of the city's traffic lights to explain in detail how the system works he will NOT be able to tell you. We as a society do not put in leadership positions the best and brightest. WE instead promote those that can suck up the best and schmoose the best.
  And it's now biting us in the ass because the decision makers in general are dumb as a box of rocks. And when faced with a problem they simply say "I dont know" or try to scream how we need more laws instead of actually learning what the problem is and fixing it.
  
  --
  Do not look at laser with remaining good eye.
14. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 01:56 · Score: 0
  
  You can not afford the safety you are asking for, unless I have misunderstood you and your only concern is the functionality of traffic lights in which case I consider you a nutjob.
  To secure everything around you from the elevator control panel to every building wall to the extent that it won't harm you even if intentionally tampered with.. well.. have a look at the health care system. We are willing to let people die for costs that aren't even a fraction of what you are asking for.
15. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 02:01 · Score: 0
  
  What makes you think we haven't? You know all those "lucky" people who rarely get a red light? It's not luck.
16. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 02:22 · Score: 1
  
  "Not really that scary unless you are paranoid.
  The effort to kill someone is far less than the effort needed to hack the traffic lights."
  Indeed. I'd prefer it if they'd sell an 'always green' gadget on aliexpress for 25 bucks.
17. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 02:32 · Score: 0
  
  It has nothing to do with "computer guys" needing to do anything. I worked at a major software outfit where I discovered a major security flaw in their enterprise product. Basically any user on the network could connect to the database and edit critical financial information with no audit trail and no evidence that it had ever occurred. Management's response to my discovery? "Nobody's going to think of doing that," and they never bothered to fix it. The flaw, the database server's username and password stored in plaintext on every single client machine. All you had to do was open that file with Notepad and copy and paste. Nobody will think of that when there are thousands or millions of dollars at stake, nope.
  The point is that most people just don't believe security is an issue.
18. Re:Welcome to the Information Age! by GameboyRMH · 2014-08-22 02:33 · Score: 1
  
  Haha I see you also work in a business where you have this kind of discussion often!
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
19. Re:Welcome to the Information Age! by aaarrrgggh · 2014-08-22 03:31 · Score: 1
  
  "Standard of Care" would be the correct term.
20. Re:Welcome to the Information Age! by aaarrrgggh · 2014-08-22 03:34 · Score: 1
  
  I started to rebut your comment... but then actually came to agree. The cost of fixing this problem is huge; any traffic light pedestal could be an entry point from a "trusted" point on the system, and I have seen several in Los Angeles unlocked. Effectively the problem is reduced to if you have physical access to the machine there isn't much you can do for security.
21. Re:Welcome to the Information Age! by aaarrrgggh · 2014-08-22 03:38 · Score: 1
  
  There is one option; the PLCs fail to a "safe" mode and ignore the network if the validation PLC (not networked) detects an anomaly. Stoplight timing is out the window, but green lights in all directions would not be possible.
22. Re:Welcome to the Information Age! by DidgetMaster · 2014-08-22 03:40 · Score: 1
  
  I think I read somewhere that traffic lights are designed so that it is impossible for both sides to get a simultaneous green light. They have some kind of physical switch that enforces this. In other words, even if the system is hacked, you can't make cars crash by changing all the lights to green. That doesn't mean that a hacker can't cause some problems by making the lights stay red for 10+ minutes or other such mischief.
23. Re:Welcome to the Information Age! by nine-times · 2014-08-22 03:40 · Score: 1
  
  I don't know. I my experience, a lot of poor security isn't caused by incompetence. It's caused by someone saying, "But that will cost more money..." or "That will take too much time..." or "But I want to buy from this supplier because the owner is my brother-in-law..."
  I mean, they don't necessarily say those things out loud, but those are often the reasons. It's not necessarily that they're too dumb to understand that it's bad security. They just don't care. They're not thinking about the potential for problems down the road. They're not thinking about long-term maintenance. They're not really thinking about public safety. They're just thinking about, "I have to get this job done in a way that makes my life better/easier. I want to work less and make a big bonus."
  Not that I work in a traffic-related industry. That's just been my general professional experience as to why security is usually terrible.
24. Re:Welcome to the Information Age! by Belial6 · 2014-08-22 03:55 · Score: 1
  
  This is just a "on a computer" issue. If I want traffic lights to behave badly, I could easily do it without connecting into the automation side of it. A few colored LED disks attached in front of the existing lights and I get the same effect with no hacking involved. It is like people worrying that their car's drive by wire breaking system will get hacked because they believe it is so much more likely than having their break line cut.
25. Re:Welcome to the Information Age! by Belial6 · 2014-08-22 03:59 · Score: 0
  
  You can not secure the lights. It is simply impossible without placing security guards at every corner.
26. Re:Welcome to the Information Age! by michelcolman · 2014-08-22 04:01 · Score: 1
  
  And how exactly would a simple password result in a higher price?
  They are using standard IP software (as evidenced by the fact that the "attackers" could join without the slightest effort), and I'm sure that software has the option of requiring a password to join the network. All they had to do is tick the box, pick a password, and hardcode the password into the traffic lights software. I know, not the best solution, but surely better than using no password at all.
  So don't tell me cost was the reason. Basic negligence (and possibly bad intentions, hoping for a new juicy contract for an "improved" system once someone exploits it) are the real reasons.
27. Re:Welcome to the Information Age! by sinij · 2014-08-22 04:04 · Score: 1
  
  Understandably, I 100% disagree. It is possible to secure almost everything. How? Use the goddamn airgap! Don't network what you can't reasonably secure from tampering.
  
  Everything from the elevator control panel to SCADA have no place being remotely accessible! If you do need remote functionality, you better secure it!
28. Re:Welcome to the Information Age! by Rogue974 · 2014-08-22 04:05 · Score: 2
  
  I agree with you. I am a Controls Engineer. Until recently, my controls security was decades behind. Fortunately, Stuxnet happened, our CEO noticed the news stories and started asking questions and took an interest. A small group of controls engineers and an IT person who also did the controls network at the small plants he supports made a team, did research, made recommendations and were given money to start securing our network properly.
  We need to start realizing security through obscurity is no security at all and make the changes starting with the vendors all the way through the end users.
  A huge problem I have experienced is actually a lack of understanding of security and networking on the part of controls engineers, and a lack of understanding of controls systems by IT staff. I think this is actually one of the biggest problems that creates the security problems. Every place I have worked at or in (did a stint as a contract CE and went many places) there is a stand off between controls and IT. Controls knows what we need to do to make our system work and IT tries to tell us how we have to do things and they don't realize that it is not the same as a buisness network because it will shut the plant down to do some things they would like us to. CEs don't understand enough to secure the networks themselves so we do the best we can and keep IT away from our stuff and muddle through.
  We need education on both sides so controls people know what they need to do and IT people who understand the differences between business networks and controls networks. Unfortunately, of all the IT professionals I have worked with, only 2 have understand the controls world enough, or been willing to even listen) to help so we just shut them out. I would much rather work with IT and not have to learn all of this security stuff myself when we have IT professionals who know the security. Granted, they probably don't want to learn about my world the same way I would rather not have to learn theirs, so we are right back at the stand off.
29. Re:Welcome to the Information Age! by Mr+D+from+63 · 2014-08-22 04:16 · Score: 1
  
  And how exactly would a simple password result in a higher price?
  That completely misses the point, even if adding a simple password were the answer. If a standard is not sufficient, it should be changed. Don't blame the buyer or the vendor. For things like traffic lights, you want them all to be as alike as possible to save costs, be it purchasing requirements, maintenance and troubleshooting, and operation. That is why there are standards and why they are followed and why there are costs associated with deviating from the standard.
30. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 04:19 · Score: 0
  
  I think I read somewhere that traffic lights are designed so that it is impossible for both sides to get a simultaneous green light.
  Conflicting greens are cross-wired. If the lamps are powered simultaneously...for any reason...it causes a short circuit that trips the breakers. You can't turn those greens on at the same time. They'll just go dark.
  It's a slick, simple safety feature that's almost as old as electric traffic lights themselves. When rats get in, chew insulation, pee everywhere, and snuggle up between live wires, you need a failsafe that can handle anything.
31. Re:Welcome to the Information Age! by sinij · 2014-08-22 04:19 · Score: 1
  
  If I can mess with your drive-by-wire system remotely, then yes, it is A LOT more likely to happen than having line cut.
32. Re:Welcome to the Information Age! by nine-times · 2014-08-22 05:14 · Score: 2
  
  Did you not read the summary, even?
  
  The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device.
  Yes, ultimately physical security is always an issue. They can try to make the devices difficult to access, but as you've pointed out, that's always going to be a problem.
  But this is a different level of "insecure". These things are controlled through open, unencrypted wireless networking. There are no passwords. It's like the difference between saying, "Your home is never completely secure, since someone can always break a window or crowbar the door open," vs. "Let's just leave our valuables sitting out on the lawn, completely unattended."
33. Re: Welcome to the Information Age! by Anonymous Coward · 2014-08-22 06:11 · Score: 0
  
  Good thing my car doesn't have these "break" lines you (and other dumb people) seem to have.
34. Re:Welcome to the Information Age! by omnichad · 2014-08-22 06:41 · Score: 1
  
  I think it's a bit more likely to go undetected if you do it wirelessly.
35. Re:Welcome to the Information Age! by omnichad · 2014-08-22 06:43 · Score: 1
  
  What makes you think there are standards? I can almost guarantee that you're vendor-locked the moment you start building the system.
36. Re:Welcome to the Information Age! by omnichad · 2014-08-22 06:44 · Score: 1
  
  The US is finally moving to chip and pin for credit cards by next fall.
37. Re:Welcome to the Information Age! by jafac · 2014-08-22 06:47 · Score: 1
  
  Not only is it that the guys making big bucks making decisions are horribly undereducated: they won't pay for security because that would cut into THEIR compensation (to have to pay competent engineering staff). So not only are they undereducated, they have a conflict of interest that promotes horrible engineering practices.
  
  --
  
  These are my friends, See how they glisten. See this one shine, how he smiles in the light.
38. Re:Welcome to the Information Age! by sjames · 2014-08-22 06:59 · Score: 1
  
  It would cost more to cover therepy for their employees. When the customer calls 3 times a day and says "I don't remember if the password is 1234 like my luggage of 4321 like my ATM (or is that the other way around), could you set it to something i'll remember?" it takes a huge effort and creates a lot of stress to refrain from answering "I doubt it"
39. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 07:56 · Score: 0
  
  We as a society do not put in leadership positions the best and brightest. WE instead promote those that can suck up the best and schmoose the best.
  The "best and brightest" are unfortunately not infallible...that's why they should be kept in containment...
40. Re:Welcome to the Information Age! by jratcliffe · 2014-08-22 08:13 · Score: 1
  
  Nothing will be done until the vulnerability is exploited, and even then it will be measured against a cost/benefit actuarial table.
  I would certainly hope so. If government isn't doing cost-benefit analysis of spending decisions, it's being grossly irresponsible.
41. Re:Welcome to the Information Age! by Darinbob · 2014-08-22 08:18 · Score: 1
  
  The thing is, the "hole" is not about being wireless, that's just stupid fear mongering. The hole is in not having security in the first place. You can indeed have highly secure wireless networking. The trick is in getting the customers to demand security instead of thinking of it as an inconvenient hassle.
42. Re:Welcome to the Information Age! by Mr+D+from+63 · 2014-08-22 08:48 · Score: 1
  
  You can have vendor lock with or without standards. Standards can often contribute to vendor lock.
  
  Why do I think there are standards? For one, the article refers to them, albeit vaguely. For two, purchasing standards or requirements for commonplace items such as stoplights typically fall under some type of code/standard/requirement system, and that makes sense when you want to make sure equipment is similar throughout a large system or state. Be that for vendor lock, or simple management simplicity, you choose, that part is irrelevant to my point.
43. Re:Welcome to the Information Age! by Anonymous Coward · 2014-08-22 10:15 · Score: 0
  
  If I understand correctly, once they were able to communicate with the wireless radio network, they saw everything in the clear (data is unencrypted). Which means just adding a password will _not_ resolve the issue. If a password was implemented, no matter how complex (even a passphrase), it will be wirelessly-sniffed/discovered and used to get back into the "Traffic Light" network. Even adding encryption may not help: If you go back to Wi-Fi's initial growing pains (different technology but same issue), WEP _was_ the secure way to implement. It had passwords AND encryption for "secure" access. However, as I understand, WEP was never put through the gauntlet of security testing and it was quickly discovered WEP was insecure...even with password _and_ encryption. So going back to the vulnerabilities of the "Traffic Light" network, unless it already exists, a new and (ehem) secure implementation of a Traffic Light network will also have to go through rigorous testing. Bottom line: A secure implementation of Traffic Light networks will not be a cheap fix.
44. Re:Welcome to the Information Age! by rmdingler · 2014-08-22 10:44 · Score: 1
  
  Ha!
  Yes, for a moment there I utterly ignored the impeccable reputation of government.
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
45. Re:Welcome to the Information Age! by AK+Marc · 2014-08-22 11:29 · Score: 1
  
  And how exactly would a simple password result in a higher price?
  The training and SOPs for new processes, at the very minimum. Perhaps new control systems for the "secure" interface, at the cost of billions.
  
  --
  Learn to love Alaska
46. Re:Welcome to the Information Age! by AK+Marc · 2014-08-22 11:31 · Score: 1
  
  And when they do "fix" it, they'll charge the hacker with the cost of fixing systems they knew were insecure for 30 years.
  
  --
  Learn to love Alaska
47. Re:Welcome to the Information Age! by bill_mcgonigle · 2014-08-22 12:01 · Score: 1
  
  These things could definitely be fixed, we just don't care to fix them.
  And we don't even have the tools do to so. How many languages let you write:
  secure char[] myPassword
  much less:
  secure objectType myObject
  and have the language memset its memory to zero (or shred, etc.) for you when the variables go out of scope?
  It's hard to do security right even if you're really trying. Anybody know if C++2014 made any gains here?
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
48. Re:Welcome to the Information Age! by rmdingler · 2014-08-22 12:33 · Score: 1
  
  Restitution in action.
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
49. Re:Welcome to the Information Age! by michelcolman · 2014-08-22 21:36 · Score: 1
  
  That's like saying "I'm not going to lock my door because thieves know how to pick locks anyway". Very bad argument if you ask me.
  Jeez, the system they used actually supported WPA2, all they had to do was tick a box and choose a password. Sure, maybe that will be cracked one day, too. But it will certainly take more expertise than just listening to data that's transmitted in the clear.
50. Re:Welcome to the Information Age! by michelcolman · 2014-08-22 21:39 · Score: 1
  
  New processes? Training and SOPs to tick the (existing) box "enable WPA2" and enter a password?
51. Re: Welcome to the Information Age! by Anonymous Coward · 2014-08-23 05:04 · Score: 0
  
  why can't you just mark it as private
  private password = myPassword
52. Re:Welcome to the Information Age! by strikethree · 2014-08-24 18:00 · Score: 1
  
  Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.
  It is almost like we are under the rule of a third world tin pot dictatorship. The top of the control pyramid can't hear anything because control is all that matters and the bottom can't teach the top anything because the top already hires the "best and brightest" (read: best friends and shiniest coins). Heh. Gotta love what power does does to most individuals.
  
  --
  "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
53. Re:Welcome to the Information Age! by stoatwblr · 2014-08-25 01:27 · Score: 1
  
  "Next, script kiddies causing couple fender-benders "
  Bumping up congestion would be more constructive in a lot of cases. Taking back the streets for pedestrians, etc, etc.
54. Re:Welcome to the Information Age! by nine-times · 2014-08-25 01:44 · Score: 1
  
  You know, I've thought about why this is the case, and here are a couple of thoughts that I had:
  1) With all we've found out about big businesses cooperating with the NSA, I wouldn't be too surprised if the NSA had, in some ways, actively discouraged security and encryption.
  2) I think part of the problem is coming up with, agreeing on, and an implementing a set of standards. We don't do standards anymore. Everyone has little walled gardens. We're not going to come up with better email standards, for example, because the days of everyone wanting to agree on protocols like SMTP and POP3 and IMAP are over. Now Google wants to have its own email standards and protocols, Microsoft wants to have its own, and Facebook wants to have its own. You aren't going to get those companies together into a room, working towards a better solution that they can all use. Even if you had a better protocol all worked out, they wouldn't use it. It's a combination of "not invented here" syndrome and "I want to control the patents and the infrastructure" and finally, "I don't even want people to be able to communicate with people on my service unless they also sign up for my service."
  3) People prefer to do nothing than to undertake change. Fixing things takes effort, and your attempts to fix things might not go according to plan. As long as nobody important to yelling at them to get things fixed, a lot of people would rather sit back and watch things fall apart.
What are they waiting for? by Hamsterdan · 2014-08-22 01:00 · Score: 1

Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

--
I've got better things to do tonight than die.
1. Re:What are they waiting for? by Nyder · 2014-08-22 01:10 · Score: 3, Insightful
  
  Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?
  They are waiting for the first part, because unless there is a big uproar about it (which there won't be until it gets abused enough to cause deaths) it costs too much money to fix.
  How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out. That is, security is non existent or an afterthought. Paying money to make sure everything is secure for any sort of attacks/compromise/whatever takes away from the bottom line, so shareholders don't like that stuff. And management is kissing the shareholders ass, so it's not as important.
  Now for government work, it's a bidding process and well, you aren't going to make any money on the job by having to hire some sort of computer type to make sure the system is secure. And since the contract probably didn't state it needed to be done, well, this is what we have.
  So wait until it gets abused bad enough to kill people, nothing will get done.
  
  --
  Be seeing you...
2. Re:What are they waiting for? by Anonymous Coward · 2014-08-22 01:34 · Score: 0
  
  If you read the PDF, you would find unsafe scenarios, such as, green all directions is excluded on the hardware level. Why do you want to induce panic without even reading the literature associated with the article?
3. Re:What are they waiting for? by Lumpy · 2014-08-22 01:51 · Score: 1
  
  They don't care. There was a very dangerous intersection that people wanted stop signs at for years and asked several times and were denied. Until there was a major nasty accident that happened and the news covered it and got word that the city ignored requests for stop signs, the light of public anger was finally pointed at them and they suddenly had the signs installed.
  Your city does not care one bit if you die or even if 100 people die, they only care if they look good to the public. This is the problem with our current election system,
  
  --
  Do not look at laser with remaining good eye.
4. Re:What are they waiting for? by mlts · 2014-08-22 02:29 · Score: 3, Interesting
  
  I remember this crossroads in the 1990s. Would firms in general focus on security, even though the worst threats at that time were college students looking to rm -rf / a box or two for kicks.
  It came out worse than I could imagine. I heard the "security has no ROI" mantra many a time (although the past couple places I worked at, they actually take it seriously.) When working as a consultant, I asked companies what they had for something if they were hacked. The response was, "We will call Geek Squad or Infosys, and have the problem fixed."
  I have read people hoping for a "Warhol event" that would get businesses focusing on security. However, I would say that a "cyber 9/11" (to use a buzzword" would do far more harm to security in general than help.
  Take this scenario:
  A hurricane has a populated city in its sights. Evacuations are starting. As people are getting on the roads, Elbonian actors hack the anti-theft disable mechanism of a major car maker, disabling random cars at a time on all major roads. When those are towed, another set of cars get turned off. Havoc happens.
  Congress is then pushed to push some bills into law. Well, they do. However, they do little or nothing. Here are the bills:
  1: A mandatory DRM stack on any device in the US accessing the Internet, enforced by endpoint routers, with mandatory 10-life if any are tampered with.
  2: All "tools for cyber-warfare", even something as banal as tcpdump, would be removed from operating systems, and only allowed to registered people.
  3: Similar to #1, all machines would run a scanner similar to an antivirus utility, but would use signatures to look for unlicensed MP3 files, movies, programs like Handbrake, and if detected, would automatically shut the machine down and notify the local authorities.
  4: A central ID card, similar to a PIV/CAC would be requires on any/all devices so all transactions (even a web login) are positively identified. It would be a felony for someone to access the Internet without their packets being signed or attributed to an ID card.
  Of course, none of this would actually -HELP- security, but it would keep it swept under the covers, and (using MBA speak) allow better monetization of existing revenue streams... i.e. your PC becomes a locked down console with only big name brands able to write software for it due to the legal barriers of entry.
5. Re:What are they waiting for? by Zmobie · 2014-08-22 03:41 · Score: 1
  
  This right here. The problem with any "unsafe" scenario is that these lights are usually logic controlled by PLCs or some such. I had a professor in college that used to work for one of the state roadway departments and he did work on traffic light controllers for a while. Most of them have to physically prevent anything like that from being possible just like how a civil engineer is supposed to prove their bridge is safe within x parameters. From what I understand this isn't even a concern for all traffic light controllers because ones outside of the big metro areas are not even interconnected to a central controller (this was just what I was told and know from the small towns I have lived in, if someone knows otherwise feel free to correct me here).
  I personally am a huge security advocate and believe that, yes these things need to be secured to a reasonable extent, but it is overblown to think this is going to get a bunch of people easily killed just because someone wants to play around with it. Now, someone building a DIY "make light go green" device is not outside the realm of possibility... In fact, I may have a new project just to see if I can do it!
6. Re:What are they waiting for? by Belial6 · 2014-08-22 04:01 · Score: 0
  
  Because the very nature of traffic lights make them insecure. It is physically impossible to secure traffic lights without placing an actual human guard at each corner.
7. Re:What are they waiting for? by beschra · 2014-08-22 05:42 · Score: 1
  
  You can't be serious. Fixing something after it's been done wrong is even more expensive than doing it right the first time. Take the current example of traffic signals. Physical access is a huge problem. How do you address that? Work out a new design and retrofit hardware and software. Not free. Not anywhere is that even approaching cheap.
  
  --
  It is unwise to ascribe motive
8. Re:What are they waiting for? by omnichad · 2014-08-22 06:49 · Score: 1
  
  Because the CEO already got theirs and they can just step down and keep their share of the profits. Leave it for the corporation to handle without them.
9. Re:What are they waiting for? by Em+Adespoton · 2014-08-22 07:10 · Score: 1
  
  Indeed... not only that, but the system has to be set up to work with both non-authenticating and authenticating devices for a significant period of time, while each traffic light is swapped out for a reprogrammed light that authenticates correctly.
  What's really needed is to use something like sslwrapper on both ends of the system, so that each device on the network must authenticate with its private key. To do so, however, will require creating a test controller and a testbed of lights (to assure that nothing will break when it gets implemented) followed by a controller roll-out, and then by requiring the new PK system be installed in each light/camera that goes into the field.
  Then, for the next 3 years or so, the old lights get swapped out and the upgraded ones are swapped in, by someone being paid to do this.
  Disabling the debug port on the controller should be something fairly cheap to fix, but if the municipal employees maintaining the system currently use debug for some purpose, they're also going to require retraining and a new and effective system will need to be developed to replace the insecure method.
  So yeah; we're talking about each municipality undergoing a major retraining and QA budget bump, plus the hiring/re-purposing of employees to manage this. The costs will scale more than linearly with the size of the system being upgraded.
10. Re:What are they waiting for? by Em+Adespoton · 2014-08-22 07:19 · Score: 1
  
  Indeed. The things that could probably be controlled are:
  1) Proximity green lights (all lights turn green just as if a pedestrian had pressed a button). The PLC will still require time to go through amber to red for the other direction prior to the green light
  which leads us to...
  2) adjusting amber light timings
  THIS is where lives could be lost, which is the reason municipalities put up those "New Traffic Sequence" signs. If suddenly the amber light only takes a second or so, even though it takes 20 seconds to walk across the intersection and 5 seconds for cars to clear the intersection, you're going to end up with fatalities. The PLC, not being custom programmed for individual intersections, can't defend against this.
  3) easiest one: default to the flashing red "4-way" signal. Unfortunately, a large number of drivers don't seem to know what flashing red means, resulting in confusion, snarled traffic, and the odd accident. Not too big a deal though.
  But I'm more interested in the traffic cameras on the network. Being able to access all traffic and red light cameras city-wide could have many uses (including plotting the fastest route through town, searching for someone/something and collecting a massive license plate tracking system).
11. Re:What are they waiting for? by Hentai · 2014-08-22 10:25 · Score: 1
  
  How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out.
  Computers?
  http://www.motherjones.com/pol...
  
  --
  -Hentai [in vita non pacem est]
12. Re:What are they waiting for? by Zmobie · 2014-08-22 13:44 · Score: 1
  
  Interesting points. The amber light timings though I would think should have a hard floor/ceiling inside the PLC. Not sure how much adjustment you could do because when the PLC write happens it has certain limits for the logic to even recognize what is told to it via input. The cameras are a very intriguing point and probably the most dangerous. I vaguely recall a story on slashdot a while back about the camera networks though having terrible security, but don't remember the details.
13. Re: What are they waiting for? by Anonymous Coward · 2014-08-23 05:17 · Score: 0
  
  did you even read the summary? they are wireless, so having a guard at each light would solve nothing.
  this is the second time somebody said this. for Christ sakes, stop posting just to post.
14. Re:What are they waiting for? by Em+Adespoton · 2014-08-23 07:26 · Score: 1
  
  Yes; I seem to recall the amber light timings do have a floor/ceiling -- but as I pointed out, that range has to take into consideration all sorts of intersections and traffic speeds; the result is that you would require a conservative range of 2-6 seconds; setting a 6-second intersection to 2 seconds could have catastrophic results.
  http://redlightrobber.com/red/... lays out the mathematical issues at stake here. This paper was published in 1959, but is just as true today.
White hat application to cycling by tepples · 2014-08-22 01:01 · Score: 1

So can cyclists use this to proceed through an intersection with miscalibrated vehicle sensors without having to wait several minutes for a motor vehicle to pull up behind? I don't know about other countries, but not every US state has a dead red law allowing one to proceed with caution through a malfunctioning signal.
1. Re:White hat application to cycling by sinij · 2014-08-22 01:13 · Score: 0, Offtopic
  
  I personally want to take Sicilian gondola everywhere I go, rowing it is good for your health and it is perfectly green. I advocate for all bike lanes to be turned into waterways to accommodate my craze.
2. Re:White hat application to cycling by Greyfox · 2014-08-22 01:32 · Score: 1
  
  Hah. In my town the traffic lights seem to be designed so that traffic stops at every goddamn one of them. I wonder if they could be fixed. I'm already not liking where this train of thought is going heh heh.
  
  --
  I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
3. Re:White hat application to cycling by Anonymous Coward · 2014-08-22 02:40 · Score: 0
  
  Your city's stoplights are balanced for a different speed. Or you are speeding.
  I had the same issue where I grew up. *ALWAYS* hitting the lights. I slowed down by ~3-5mph. Coasted thru every light, very little stopping. Only if you get caught on the back end of a flow you will hit a few reds. Until you are 'at the front' again. Think of red/green light design as a water flow thru a switch system. Then figure out how you would setup that flow to maximize thruput. Then stick to those rules. Go against the rules and you will sit at the red.
  But when i saw this I was thinking in my best ace ventura voice *reaaaaaaaaaallllly* with a nice chin stroke...
What would happen? by khr · 2014-08-22 01:03 · Score: 1

My home town only has one traffic light (and didn't get a left turn lane until after I moved away). I wonder what sort of damage hackers could do with that... Chaos where US 101 meets highway 34....
1. Re:What would happen? by drinkypoo · 2014-08-22 01:34 · Score: 1
  
  Your home town probably doesn't have a network-connected traffic light, either, since it only has one light to work with and there's not much point. Unless there's some compelling reason to do otherwise, these systems are only replaced when they fail. If you live in a major metro area then sure, there's reasons to upgrade before failure, involving traffic management.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
2. Re:What would happen? by Anonymous Coward · 2014-08-22 01:42 · Score: 1
  
  Well, the security through scarcity will not slow them down. The meanies will just steal your stop signs and pee in Eckman creek, which are totally insecure and unguarded. This is a good thing. In most towns police guard the traffic lights and issue tax bills at random under the guise of security.
  Hell, in some places, like where Eric Garner lived, packs of police officers will hunt you like wolves and beat you to death. Yup, if I were the ex janitor at the D.O.T. who found out how to hack a street light, I would keep my mouth shut till this blows over. Also you better start figuring out how to secure the remote on your T.V. I hear they are pretty easy to hack too.
3. Re:What would happen? by freeze128 · 2014-08-22 05:34 · Score: 1
  
  I'm just surprised that you even have INTERNET ACCESS.
What's the point of this? by Anonymous Coward · 2014-08-22 01:04 · Score: 1

What is the point of this "research"? To prove that there are still many systems in our world that can be hacked easily? No shit.
The thing is that sometimes there is no incentive to hack things because it is a lot of work for very little gain, until some other asshat on the interwebs shows people how it can be done. Then the effort to hack it becomes less (as there is not a manual), and thus the freqnency of it occurring increases. I may exaggerate a little when call this a form of sponsored vandalism... but I am not sure what society will gain from this research.
The large majority of hacks are done by people trying to steal or just for entertainment. Terrorism is really not your #1 hacker. And anyway, I don't see Al Quaida making a statement by hacking the traffic lights on a particular crossing. Instead, what we get now is that all 18-year-olds who read ars technica will try this out.
They Might be Giants by puddingebola · 2014-08-22 01:18 · Score: 2

Red means stop. Do not go. No, no, no. Green in all directions means go. Oh no, Oh no, Oh no.
1. Re:They Might be Giants by GTRacer · 2014-08-22 02:29 · Score: 1
  
  Or, Monty Python:
  
  I like traffic lights,
  I like traffic lights,
  I like traffic lights,
  No matter where they've been.
  
  I like traffic lights,
  I like traffic lights,
  I like traffic lights,
  But only when they're green.
  
  And so on in that fashion for several more verses...
  
  --
  Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
Cool! by AchilleTalon · 2014-08-22 01:28 · Score: 1

No more reasons to be late at work.

--
Achille Talon
Hop!
That's old news by Anonymous Coward · 2014-08-22 01:36 · Score: 0

You just open up the junction boxes at the intersection, cross some wires and all the lights become green. The Gremlins already knew how to do it. No hacking required.
Oh.. by Anonymous Coward · 2014-08-22 01:39 · Score: 0

"Watchdogs" fan boys might get a kick out of this one.
This makes me happy by Anonymous Coward · 2014-08-22 01:54 · Score: 0

Now I'm really happy that my area still uses dial-up to communicate with the traffic lights - the lights call in to a central controller a handful of times a day. I'd always thought that they should upgrade, but now I'm not so sure.
Security... by Coditor · 2014-08-22 01:55 · Score: 1

... is a job best done by people who understand it. Yet the security czar of the US Government bragged in an interview that since he didn't know anything about security he was better able to deal with it.
people charge of traffic lights are engineers but by Joe_Dragon · 2014-08-22 02:00 · Score: 1

people charge of traffic lights are engineers but not likely to be EE's or tech people. They may know some what about how they work but maybe not the deep tech parts. The engineers in charge are traffic / construction engineers.
Watch Dogs was accurate! by Anonymous Coward · 2014-08-22 02:02 · Score: 0

Looks like the security is so laughable (basically no security) that Watch Dogs portrayed mucking with traffic lights surprisingly accurately :)
why I oppose v2v and smart cars by Anonymous Coward · 2014-08-22 02:09 · Score: 0

The people that will implement 'smart' cars, which use vehicle to vehicle communication, and communication with traffic lights will screw up, and be vulnerable to criminal hackers. The current dumb vehicle system works pretty well. Unless distractions, or ethanol is added to the biological computing unit.
Re:people charge of traffic lights are engineers b by TWX · 2014-08-22 02:24 · Score: 1

Civil engineers that design traffic flow systems are looking at the problem from a macro-scale, and from a traffic-perspective, not from a security or physical device perspective.

It's the job of the designer/implementer to put the security into the system. In that sense the vendor and manufacturer should be held liable, not the customer.

--
Do not look into laser with remaining eye.
I wonder if this means... by kick6 · 2014-08-22 02:39 · Score: 1

I can fix the the flashing reds that happen all. the. damn. time. In my hometown.
1. Re:I wonder if this means... by omnichad · 2014-08-22 07:06 · Score: 1
  
  Flashing reds is probably a failsafe mode. You could give yourself a green, but it won't fix them for anyone else.
A lot of easy things are illegal by TomGreenhaw · 2014-08-22 02:53 · Score: 5, Insightful

Its easy to exceed the speed limit. Its easy to shop lift. Its easy to buy a gun and shoot somebody.

Its probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.

While I think its irresponsible to design computer systems without basic and reasonable security measures, technology is not the final answer to antisocial behavior. Hacking somebody else's systems is illegal and wrong. Finding (sometimes ) esoteric ways to do it and making it easy for bad guys is just plain foolish.

My friend Neil and I have a law: You know you have enough security when you can't do your job anymore. Requiring the average stop light electrician to now be a computer networking security expert requiring tons of tech support would certainly drive up taxes.

Antisocial behavior is why we have laws and there is a reason we should obey them.

--
Greed is the root of all evil.
1. Re:A lot of easy things are illegal by ogdenk · 2014-08-22 05:20 · Score: 1
  
  Hey! I speed occasionally and I own a firearm or two *BUT* I don't shoplift or shoot everyone that pisses me off. So does that mean I'm only halfway antisocial?
  Bringing security flaws that could get us killed to light in public view is NOT antisocial behavior. Hacking said systems and actually manipulating them to cause mayhem *IS* antisocial behavior.
  Software security is VERY important. Anything can be hacked but irresponsibly making it blatantly easy for people to control these systems and cause loss of life or injury is insane. People that release knowledge of the flaws are not the enemy. It's the responsible thing to do as the people in charge of these systems will not act unless their ass suddenly depends on it.
2. Re:A lot of easy things are illegal by Anonymous Coward · 2014-08-22 05:43 · Score: 0
  
  Its probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.
  It's actually *usually* not. It takes a significant expertise and effort to reverse engineer a proprietary protocol from the physical layer up through the application layer.
  If you read the links, you'll notice that the researchers bypassed this effort by purchasing a off the shelf part.
  That said, it's orders of magnitude easier to social engineer your way to obtain one of these public safety access points that don't just get sold to anyone, but it still wouldn't necessarily be easy.
3. Re:A lot of easy things are illegal by omnichad · 2014-08-22 07:07 · Score: 1
  
  Its probably easy to build
  The cost of building a device doesn't necessarily include R&D costs. It's possible someone else has already done the work for you.
4. Re:A lot of easy things are illegal by Anonymous Coward · 2014-08-22 07:39 · Score: 0
  
  It's easy to build a device... It's not easy to build a device that will properly work with a proprietary protocol.
  You can find a IC that'll work with pretty much any part of the radio spectrum now. But then what? Below are just a few of the very high level questions you'd have to figure out before you could even consider looking at a baseband data stream:
  How do you know if the protocol is FSK, -PSK, QAM... etc?
  How do you know the channel bandwidth?
  How do you know where the pilot and control signals are located?
  Also, if you read the links. The access points frequency hop. Do you have any idea how the frequency selection works?
5. Re:A lot of easy things are illegal by Richy_T · 2014-08-22 07:57 · Score: 1
  
  I believe the poster was talking about the devices which imitate the strobe on emergency vehicles that triggers the green. A much simpler protocol and fairly easy to detect and engineer with low-cost equipment. Someone from around here (Tennessee) was charged with making such a device a few years ago.
6. Re:A lot of easy things are illegal by Anonymous Coward · 2014-08-22 08:55 · Score: 0
  
  That's not to mention you don't know if there's a layer for transmission security layered for the signal as well. If it's using frequency hopping, most likely it'll have transmission security layering.
7. Re:A lot of easy things are illegal by TomGreenhaw · 2014-08-22 15:34 · Score: 1
  
  All you people are missing the point.
  
  We can do this. It's not that hard. Some work is not right.
  
  Apparently engineers and scientists need to be reminded that everyone needs a moral compass. Consider the golden rule. Would your actions make our world a better place for our children.
  
  --
  Greed is the root of all evil.
8. Re:A lot of easy things are illegal by ToddInSF · 2014-08-23 08:41 · Score: 1
  
  If "security" requires that everyone be obedient and fear the designation "antisocial", then by all means, we should all be actively seeking to destroy every vestige of THAT delusion.
9. Re: A lot of easy things are illegal by Anonymous Coward · 2014-08-23 12:40 · Score: 0
  
  Missing what point? That it's easy to 'hack' something by purchasing the product to do the 'hacking'? Well no shit. No amount of security is going to protect you when the hacker has the exact same product you use to build your network. Fortunately, pub safety equipment is regulated and joe blow cant just go and by one legally. So he'd have to buy one illegally or reverse engineer it and build his own. If it's the latter, then good luck doing it.
10. Re:A lot of easy things are illegal by strikethree · 2014-08-24 18:05 · Score: 1
  
  My friend Neil and I have a law: You know you have enough security when you can't do your job anymore.
  As a "security guru" and a Heinlein fan, I love to twist some words that Mr. Heinlein wrote:
  My job is to help you do, in a safer manner, what you were going to do anyway, not to prevent you from doing it in the first place.
  This was concerning an exchange of a Mr. Harriman to his lawyer with me speaking from the lawyer's point of view.
  
  --
  "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
So What? by mjwaters · 2014-08-22 02:56 · Score: 1

Wireless security doesn't mean much when people already have easy physical access to all of these traffic lights. It's not like they are guarded by more than a pad lock. I am guessing the greatest threat to traffic lights (in the eyes of the department of transportation) is still copper thieves.
1. Re:So What? by pruss · 2014-08-22 04:30 · Score: 1
  
  It's a lot easier to get caught when breaking into the padlock than when driving by with an RF device.
Of course it's easy to hack something... by Anonymous Coward · 2014-08-22 03:20 · Score: 0

When you buy a off the shelf part that does 99% the work for you and have all the accompanying documentation on how to use the part shipped to you along with it.
It explicitly states that the sensors uses proprietary protocol.
The researchers decided to bypass all of the time and effort of reverse engineering the protocol; that is everything from the physical, link layer, transport, all the way up to the application.
Their rational to this is that it's easy to "trick" public safety companies who have to follow ITAR and EAR regulations into selling a part to any random dude. Their citation is a link to an article about one guy, who had a contract for conducting this sort of research, "social engineering" his way to obtain a off the shelf part.
Sure they pointed out some valid security concerns such as no encryption at the application layer and debug access to VxWorks, but it is absolute FUD to call it easy.
Try hacking one of these if you 1) don't work for the companies that make these 2) don't actually have the access point and documentation handed to you.
5.8 GHz? by Anonymous Coward · 2014-08-22 03:25 · Score: 0

how come I don't see the networks on Wigle and my Android phone? Umm.
2600 by Anonymous Coward · 2014-08-22 03:33 · Score: 0

2600 posted story about this back in the 90's. Things don't really change apparently.
Don't emergency vehicles use this? by asylumx · 2014-08-22 03:38 · Score: 1

Don't emergency vehicles sometimes use this to their advantage to turn an intersection into a 4-way red light so that they can get through? I know I've heard of ambulances and fire trucks having a button that makes all stop lights near them turn red, but I have never tried to verify the truth of the claim.
1. Re:Don't emergency vehicles use this? by k6mfw · 2014-08-22 03:50 · Score: 2
  
  I was thinking what do they use now. Years ago I remember fire engines and trucks had strobe light on top of cab that flashes sequences which causes traffic light to turn red on opposing traffic. In late 70s or early 80s I saw a Dodge van that was parked in Quement Electronics on Bascom Ave in San Jose (you old guys remember that store, favorite among geeks back in the days when Fry's was a grocery store). I guess this person got ahold of one of these and voila, never gets a red light. Question I always wondered if that was legal.
  
  Fast forward to nowadays, do emergency vehicles use such a system and is it RF based?
  
  --
  mfwright@batnet.com
2. Re:Don't emergency vehicles use this? by bored_engineer · 2014-08-22 05:28 · Score: 2
  It's called signal preemption. Opticom is IR-based, and in fairly common use. There are several other systems available for signal preemption, including:
  
  --GPS-equipped vehicles communicate with a control center, which does the preemption,
  --audio-based, which react (hopefully) to a siren,
  --rf-based.
  There may be others, but these are the ones I'm familiar with.
So when are we going to hear by Stan92057 · 2014-08-22 03:44 · Score: 1

So when are we going to hear about sob storys from idiots who hack traffic lights and get more then 33 months in jail for it?

--
Jack of all trades,master of none
1. Re:So when are we going to hear by sl149q · 2014-08-22 11:08 · Score: 1
  
  This is really not much different from simply (for example) removing traffic signs.
  I recall that some kids removed a stop sign as a prank, (Florida, mid 90's?) There was a bad accident and the result was a man slaughter charges and something like 20 year sentences.
Re:people charge of traffic lights are engineers b by ortholattice · 2014-08-22 03:50 · Score: 1

I once knew a traffic-light engineer who was an EE with a BS. I mentioned that I thought it was annoying not to have sensors on lights in rarely-used cross streets, since it wastes a lot of gas to have the main throughway traffic constantly stopping for no reason, not to mention wasting people's time. He said that if you put in a sensor, people will get used to the light always being green, and in the rare case it turns red they will tend not to stop and will cause more accidents. He was very strongly opposed to such sensors - arguing supposedly from experience as a professional and an expert - and our argument started to become, well, heated, so I just let it go. I really doubt what he said is supported by statistics, but his attitude was an example of the thinking of the people designing the lights.
(This was a couple of decades ago. Maybe the thinking has changed since I do see more sensors these days, but still not nearly enough. Often they seem poorly designed, such as unnecessarily waiting a full cycle before changing even if there is no cross traffic.)
Re:people charge of traffic lights are engineers b by Anonymous Coward · 2014-08-22 04:06 · Score: 0

Yes, but the customer should probably be specifying some level of security in their requirements.
From the standpoint of managing or architecting the product, if there isn't a specific requirement for such a feature, then you don't actually have any spec to design it to, and it's one more thing that you have to document and test before you can release your product.
Traffic Lights by Anonymous Coward · 2014-08-22 04:17 · Score: 0

The traffic lights in our metropolitan area are connected via the 900MHZ ISM Band. We were able to use the XBee Pros to connect to them and see the (unencrypted) data streaming across coordinating the lights (and also changing them in the case of emergency vehicles). I never had the guts to issue commands to them, but it was cool to see...
1. Re:Traffic Lights by Anonymous Coward · 2014-08-22 05:27 · Score: 0
  
  What do you mean by connect to them? As in being identify yourself as a network node?
  I'm pretty sure the XBees have some propietary form of DigiMesh. If you're just blindly demodulating signals, without knowing what the protocol is, how do you know the '1' you see in the end is really a '1'?
Re:people charge of traffic lights are engineers b by cnaumann · 2014-08-22 04:23 · Score: 1

You would be surprised how conditioned you can become to traffic patterns always being a certain way. I nearly caused an accident last week when I turned left in front of a car that was going straight. I am a good driver... why did I do that? The intersection was where two small neighborhood roads intersect the main road. After I screwed up, I realized that In the last 25 years, I had _never_ seen a car go straight through that particular intersection. I unconsciously assumed that he was waiting for the light so that he could turn left, like cars always do.
Traffic engineering is not about saving gas. It is mostly about preventing accidents. That is one of the reasons you see so few Yield signs these days.
Re:people charge of traffic lights are engineers b by tlhIngan · 2014-08-22 04:48 · Score: 1

You would be surprised how conditioned you can become to traffic patterns always being a certain way. I nearly caused an accident last week when I turned left in front of a car that was going straight. I am a good driver... why did I do that? The intersection was where two small neighborhood roads intersect the main road. After I screwed up, I realized that In the last 25 years, I had _never_ seen a car go straight through that particular intersection. I unconsciously assumed that he was waiting for the light so that he could turn left, like cars always do.
The intersection on our street has two lanes on the cross street - one dedicated right-turn lane, and a combined left-turn/straight-through lane.
We usually go straight through, but it's some where we never go through without being cautious because a straight-through/left-turn lane is a rarity. It's usually more common as a left-turn, and a right-turn/straight lane. People just don't seem to understand that after the car turns left, the car behind might want to go straight.
We've nearly had accidents where people would assume we'd be turning left.
Had a right-turn from the main road assume the same thing - the light was red, we headed straight, and the guy never looked to his left and continued making the right turn. He never figured out that people might not be turning and didn't look.
These days more traffic goes through there so people are more used to not assuming that most people turn. But geez.
It's apparently common enough that it's why they have "Traffic Pattern Changed" signs to warn drivers that they've mucked with the lights, lanes, etc.
Phrack Magazine 2002 by Anonymous Coward · 2014-08-22 05:19 · Score: 0

http://phrack.org/issues/60/14.html
Balanced for a different velocity by tepples · 2014-08-22 05:23 · Score: 1

Your city's stoplights are balanced for a different speed.
Or they are balanced for the same speed in a different direction. On a two-way street whose signals are timed for 30 mph eastbound at a particular part of the day, westbound traffic is going to have a problem.
Or perhaps they are balanced for a different speed, the speed of the type of vehicle driven by the majority. Most signals are timed for people who drive cars, which means cyclists tend to hit more reds.
Crosswalk hacks by almitydave · 2014-08-22 05:28 · Score: 2

Reminds me of the time when that list of crosswalk-button hacks was published - it created quite a stir.

--
my, your, his/her/its, our, your, their
I'm, you're, he's/she's/it's, we're, you're, they're
1. Re:Crosswalk hacks by Anonymous Coward · 2014-08-22 10:46 · Score: 0
  
  Reminds me of the time when that list of crosswalk-button hacks was published - it created quite a stir.
  No it didnt. I foolishly read the linked article. Its an Onion style satire piece.
Re:people charge of traffic lights are engineers b by bored_engineer · 2014-08-22 05:44 · Score: 2

Unfortunately, those sensors sometimes fail. With no "call," then one direction may never get a green light. (Of course, if this happens, then the tech will call an engineer to get a timing plan, then go out and reprogram the faulty controller, if it's not networked.) Freezing conditions, et c. can ruin in-ground loop sensors, and optical sensors can become befuddled by fog, snow and sun. Radar-based sensors are becoming more common, and because they're mounted on an arm or on a pole, they can be replaced more easily than the inductive loops.
Re:people charge of traffic lights are engineers b by omnichad · 2014-08-22 06:47 · Score: 1

I was stuck at a faulty red light with a sensor once. I waited for almost 5 minutes, wanting to call the police out to get me out of the stop light. Yes, I'm pedantic enough to annoy my wife like that. I knew that backing up and pulling forward would work, but it shouldn't have been necessarily.
As Always by meustrus · 2014-08-22 07:36 · Score: 1

As always, when something gets hacked, we find out it was for the stupidest reasons. You can just log into a Wi-Fi network and dump the entire memory of the traffic light through a debug port that was left open? I mean sure, everything can be hacked, but this is just handing the entire system to the hackers. Just like nearly every other "hack" that goes on in the real world.
This is just like when a web forum gets "hacked" because somebody with an axe to grind guessed the admin's password was actually "PaSsWoRd".

--
I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
Re:people charge of traffic lights are engineers b by sl149q · 2014-08-22 11:02 · Score: 1

Well our local municipal engineering department obviously has not read that memo.
We have various lights that are always green and switch on demand when a car approaches on the side street.
I'll note that the counter argument is that people using those roads get used to them always being green, but also get used to them switching quickly to red when a car approaches from the side street.
Re:people charge of traffic lights are engineers b by AK+Marc · 2014-08-22 11:36 · Score: 1

The issue with any traffic engineer, is that there's actually no science supporting traffic engineering. It's voodoo. And if you say that to anyone who deals with traffic, they act like you dessicated their shrine. Sure, some individual parts have science (traffic flow). But when proven false (California flows better than stated, other places worse) they will persist on using the proven wrong models, rather than trying to solve for reality.

A human factors study into lights, and having the colors/flashing change to help improve flow/compliance isn't what they do. "Fuck you, red lights are read and solid" is the closest to a discussion they will have with you.

--
Learn to love Alaska
Bruce Willis and Kevin Smith knew by eric_harris_76 · 2014-08-23 04:47 · Score: 1

They were both in that Die Hard movie that demonstrated the consequences of bad people gaining control of traffic lights -- among other things.

--
There's no time like the present. Well, the past used to be.