Slashdot Mirror


It's Easy To Hack Traffic Lights

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

106 of 144 comments

  1. Old news by neglogic · · Score: 4, Informative

    This was central to the plot of the Italian Job. The real Napster took care of it.

    1. Re:Old news by ArcadeMan · · Score: 1

      This only proves that Italian traffic lights are easy to hack.

    2. Re:Old news by the_skywise · · Score: 1

      ptphpt... Zero Cool did it while the real Napster was still in diapers.

    3. Re: Old news by andy_spoo · · Score: 1

      The 'Italian Job' was the first thing I thought of when I read that as well. It's got to be done, sorry, but "You're only meant to blow the bloody doors off" :-)

    4. Re:Old news by Kozar_The_Malignant · · Score: 2

      This only proves that Italian traffic lights are easy to hack.

      Who cares? No one pays attention to Italian traffic lights anyway. A red light is not even a suggestion; it's an insult.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    5. Re: Old news by k6mfw · · Score: 2

      same with me, hacking traffic lights and reminded me of Benny Hill as the professor inserting hacked tape into the control system deck. Michael Caine said to the other members of his team though professor had "interesting reading material" to not make fun of him because he is very important for the job. I saw the movie last month (previously saw it in 1970s), featured the Mini Coopers that were screamers (back in the days almost all small cars were slow), Italian constantly honking horns (most in those little Fiats). In real life they do that even when traffic isn't moving.

      --
      mfwright@batnet.com
    6. Re:Old news by k6mfw · · Score: 1

      This only proves that Italian traffic lights are easy to hack.

      but how many young techies know how to hack something like this,
      http://www.wired.com/wp-conten...

      --
      mfwright@batnet.com
    7. Re: Old news by rHBa · · Score: 1

      Sorry, mis-moderated...

    8. Re:Old news by davester666 · · Score: 1

      A red light is a request to accelerate.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Welcome to the Information Age! by sinij · · Score: 5, Insightful

    It is scary how many industries (e.g. autos, "smart" electronics, control systems) are decades behind state of the art security. We will have a lot of growing pains to get out of "only computer guys need to do this".

    1. Re:Welcome to the Information Age! by Mr+D+from+63 · · Score: 5, Informative
      From TFA,

      In fact, the most upsetting passage in the entire paper is the dismissive response issued by the traffic controller vendor when the research team presented its findings. According to the paper, the vendor responsible stated that it "has followed the accepted industry standard and it is that standard which does not include security."

      Don't blame the vendor, blame the standard. The vendor that includes security in his bid will have a higher price and lose to the vendor that doesn't.

    2. Re:Welcome to the Information Age! by sinij · · Score: 2

      This is not "going after you" concern, this is general mayhem concern.

      Single stoplight can easily add +10 minutes of traffic to my commute. I imagine once Metasploit module for this comes out, some script kiddie would be able to turn everyone's commute to living hell for a considerable period of time.

    3. Re:Welcome to the Information Age! by gtall · · Score: 2

      A tree limb falls on a vehicle and kills the driver. When asked about it, the county highway department issued a statement saying that tree had never shown any intent to fall before and hence there was no reason to suspect that it would fall this time. The public can feel safe knowing that trees do not have any particular interest in killing you. If they wanted to do, they could have fallen on you years ago when you went to the grocery store.

    4. Re:Welcome to the Information Age! by sinij · · Score: 4, Insightful

      "Acceptable industry standard" is not a standard, it is status quo. You have to blame municipalities for complete lack of understanding of these security concerns.

      Next, script kiddies causing couple fender-benders and every municipality having to upgrade traffic light systems at a "I want it yesterday" premium. Then higher property taxes to pay for such monumental lack of planning and foresight.

    5. Re:Welcome to the Information Age! by Chris+Mattern · · Score: 3, Insightful

      And who will be blamed? Why, the researchers who discovered this incredible negligence, of course! "If you hadn't shown the hackers how to do it, we never would have this problem!"

    6. Re:Welcome to the Information Age! by rmdingler · · Score: 2
      Nothing will be done until the vulnerability is exploited, and even then it will be measured against a cost/benefit actuarial table.

      "Since a clean room will eventually devolve into a dirty room, there's no point in cleaning it."

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    7. Re:Welcome to the Information Age! by sinij · · Score: 1

      This is indeed the likely outcome of this debacle. If it comes to court, I will personally pitch-in for defense fund.

      Still, it is surprising that nobody looked into these systems before. The technology to do so existed for many years.

    8. Re:Welcome to the Information Age! by Mr+D+from+63 · · Score: 3, Insightful

      Most of those who do the purchasing are required to enforce the standards. Deviating, even with the intent of improvement, can bring unintended consequences and blame. For instance, add security, then all of a sudden maintenance access doesn't work because it's different, complaints and blame fly. Just one possible example of many things that can happen, thus they have standards and are required to use them.

    9. Re:Welcome to the Information Age! by nine-times · · Score: 3, Insightful

      No, it's scary how much we still don't care about security. These things could definitely be fixed, we just don't care to fix them. We don't demand security in the first place, we aren't willing to pay for security, and we aren't really willing to fix security when it's broken. People will run around looking for blood for 5 minutes when it's discovered that there are huge security flaws, but nobody will fix them.

      Remember all the news when it was discovered that a person could easily and untraceably hack voting machines? Do you think that was ever fixed? The way we use credit cards is insecure. Most email is unencrypted. We use Social Security Numbers as both an identifier and a form of authentication.

      Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.

    10. Re:Welcome to the Information Age! by jonwil · · Score: 1

      I reckon if you were trying to convince someone to take security of critical infrastructure, one way to do it would be to show them Die Hard 4.0 (best example I know of when it comes to hackers breaking into infrastructure) and say "this may only be a Hollywood movie but do you want to be the one who said "no" to better security when that shit happens for real?"

    11. Re:Welcome to the Information Age! by mlts · · Score: 2

      I know what the reply will be:

      "The hackers would have gotten in no matter what we would have done."

    12. Re:Welcome to the Information Age! by Lumpy · · Score: 4, Insightful

      "we aren't willing to pay for security" It's worse than that. It also stems from the fact that the people in charge, the guys making big bucks making decisions, are horribly undereducated.

      If you ask the guy that is in charge of the city's traffic lights to explain in detail how the system works he will NOT be able to tell you. We as a society do not put in leadership positions the best and brightest. We instead promote those that can suck up the best and schmooze the best.

      And it's now biting us in the ass because the decision makers in general are dumb as a box of rocks. And when faced with a problem they simply say "I don't know" or try to scream how we need more laws instead of actually learning what the problem is and fixing it.

      --
      Do not look at laser with remaining good eye.
    13. Re:Welcome to the Information Age! by Anonymous Coward · · Score: 1

      "Not really that scary unless you are paranoid.
      The effort to kill someone is far less than the effort needed to hack the traffic lights."

      Indeed. I'd prefer it if they'd sell an 'always green' gadget on aliexpress for 25 bucks.

    14. Re:Welcome to the Information Age! by GameboyRMH · · Score: 1

      Haha I see you also work in a business where you have this kind of discussion often!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    15. Re:Welcome to the Information Age! by aaarrrgggh · · Score: 1

      "Standard of Care" would be the correct term.

    16. Re:Welcome to the Information Age! by aaarrrgggh · · Score: 1

      I started to rebut your comment... but then actually came to agree. The cost of fixing this problem is huge; any traffic light pedestal could be an entry point from a "trusted" point on the system, and I have seen several in Los Angeles unlocked. Effectively the problem is reduced to if you have physical access to the machine there isn't much you can do for security.

    17. Re:Welcome to the Information Age! by aaarrrgggh · · Score: 1

      There is one option; the PLCs fail to a "safe" mode and ignore the network if the validation PLC (not networked) detects an anomaly. Stoplight timing is out the window, but green lights in all directions would not be possible.

    18. Re:Welcome to the Information Age! by DidgetMaster · · Score: 1

      I think I read somewhere that traffic lights are designed so that it is impossible for both sides to get a simultaneous green light. They have some kind of physical switch that enforces this. In other words, even if the system is hacked, you can't make cars crash by changing all the lights to green. That doesn't mean that a hacker can't cause some problems by making the lights stay red for 10+ minutes or other such mischief.
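
The fail-safe idea in the two comments above (a non-networked check that refuses conflicting greens and then ignores the network) can be sketched as follows. This is an added example, not part of the original thread and not any vendor's logic; `ConflictMonitor`, the four-approach layout and the conflict table are hypothetical.

```cpp
#include <array>
#include <cstddef>

// Constructed four-approach intersection: 0=North, 1=South, 2=East, 3=West.
enum class Lamp { Red, Yellow, Green };
constexpr std::size_t kApproaches = 4;
using Command = std::array<Lamp, kApproaches>;

constexpr Command kAllRed{{Lamp::Red, Lamp::Red, Lamp::Red, Lamp::Red}};

// kConflict[a][b] is true when approaches a and b cross paths and must never
// both show a non-red lamp. The table values are assumptions for this layout.
constexpr bool kConflict[kApproaches][kApproaches] = {
    {false, false, true,  true },
    {false, false, true,  true },
    {true,  true,  false, false},
    {true,  true,  false, false},
};

struct Output {
    bool fault;     // true: the monitor has overridden the controller
    Command lamps;  // what is actually driven to the signal heads
};

// Sits between the networked controller and the lamps. It has no network
// input of its own: the only way out of the fault state is local_reset().
class ConflictMonitor {
public:
    static bool conflicts(const Command& c) {
        for (std::size_t a = 0; a < kApproaches; ++a)
            for (std::size_t b = a + 1; b < kApproaches; ++b)
                if (kConflict[a][b] && c[a] != Lamp::Red && c[b] != Lamp::Red)
                    return true;  // yellow counts as permissive, like green
        return false;
    }

    Output apply(const Command& requested) {
        if (!latched_ && conflicts(requested)) latched_ = true;
        // Once latched, every later command is ignored, valid or not,
        // so signal timing is lost but crossing greens cannot be shown.
        if (latched_) return Output{true, kAllRed};
        return Output{false, requested};
    }

    void local_reset() { latched_ = false; }  // models a technician on site
    bool latched() const { return latched_; }

private:
    bool latched_ = false;
};
```
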

    19. Re:Welcome to the Information Age! by nine-times · · Score: 1

      I don't know. In my experience, a lot of poor security isn't caused by incompetence. It's caused by someone saying, "But that will cost more money..." or "That will take too much time..." or "But I want to buy from this supplier because the owner is my brother-in-law..."

      I mean, they don't necessarily say those things out loud, but those are often the reasons. It's not necessarily that they're too dumb to understand that it's bad security. They just don't care. They're not thinking about the potential for problems down the road. They're not thinking about long-term maintenance. They're not really thinking about public safety. They're just thinking about, "I have to get this job done in a way that makes my life better/easier. I want to work less and make a big bonus."

      Not that I work in a traffic-related industry. That's just been my general professional experience as to why security is usually terrible.

    20. Re:Welcome to the Information Age! by Belial6 · · Score: 1

      This is just a "on a computer" issue. If I want traffic lights to behave badly, I could easily do it without connecting into the automation side of it. A few colored LED disks attached in front of the existing lights and I get the same effect with no hacking involved. It is like people worrying that their car's drive by wire braking system will get hacked because they believe it is so much more likely than having their brake line cut.

    21. Re:Welcome to the Information Age! by michelcolman · · Score: 1

      And how exactly would a simple password result in a higher price?

      They are using standard IP software (as evidenced by the fact that the "attackers" could join without the slightest effort), and I'm sure that software has the option of requiring a password to join the network. All they had to do is tick the box, pick a password, and hardcode the password into the traffic lights software. I know, not the best solution, but surely better than using no password at all.

      So don't tell me cost was the reason. Basic negligence (and possibly bad intentions, hoping for a new juicy contract for an "improved" system once someone exploits it) are the real reasons.

    22. Re:Welcome to the Information Age! by sinij · · Score: 1

      Understandably, I 100% disagree. It is possible to secure almost everything. How? Use the goddamn airgap! Don't network what you can't reasonably secure from tampering.

      Everything from the elevator control panel to SCADA have no place being remotely accessible! If you do need remote functionality, you better secure it!

    23. Re:Welcome to the Information Age! by Rogue974 · · Score: 2

      I agree with you. I am a Controls Engineer. Until recently, my controls security was decades behind. Fortunately, Stuxnet happened, our CEO noticed the news stories and started asking questions and took an interest. A small group of controls engineers and an IT person who also did the controls network at the small plants he supports made a team, did research, made recommendations and were given money to start securing our network properly.

      We need to start realizing security through obscurity is no security at all and make the changes starting with the vendors all the way through the end users.

      A huge problem I have experienced is actually a lack of understanding of security and networking on the part of controls engineers, and a lack of understanding of controls systems by IT staff. I think this is actually one of the biggest problems that creates the security problems. Every place I have worked at or in (did a stint as a contract CE and went many places) there is a stand off between controls and IT. Controls knows what we need to do to make our system work and IT tries to tell us how we have to do things and they don't realize that it is not the same as a business network because it will shut the plant down to do some things they would like us to. CEs don't understand enough to secure the networks themselves so we do the best we can and keep IT away from our stuff and muddle through.

      We need education on both sides so controls people know what they need to do and IT people who understand the differences between business networks and controls networks. Unfortunately, of all the IT professionals I have worked with, only 2 have understood the controls world enough (or been willing to even listen) to help so we just shut them out. I would much rather work with IT and not have to learn all of this security stuff myself when we have IT professionals who know the security. Granted, they probably don't want to learn about my world the same way I would rather not have to learn theirs, so we are right back at the stand off.

    24. Re:Welcome to the Information Age! by Mr+D+from+63 · · Score: 1

      And how exactly would a simple password result in a higher price?

      That completely misses the point, even if adding a simple password were the answer. If a standard is not sufficient, it should be changed. Don't blame the buyer or the vendor. For things like traffic lights, you want them all to be as alike as possible to save costs, be it purchasing requirements, maintenance and troubleshooting, and operation. That is why there are standards and why they are followed and why there are costs associated with deviating from the standard.

    25. Re:Welcome to the Information Age! by sinij · · Score: 1

      If I can mess with your drive-by-wire system remotely, then yes, it is A LOT more likely to happen than having line cut.

    26. Re:Welcome to the Information Age! by nine-times · · Score: 2

      Did you not read the summary, even?

      The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device."

      Yes, ultimately physical security is always an issue. They can try to make the devices difficult to access, but as you've pointed out, that's always going to be a problem.

      But this is a different level of "insecure". These things are controlled through open, unencrypted wireless networking. There are no passwords. It's like the difference between saying, "Your home is never completely secure, since someone can always break a window or crowbar the door open," vs. "Let's just leave our valuables sitting out on the lawn, completely unattended."

    27. Re:Welcome to the Information Age! by omnichad · · Score: 1

      I think it's a bit more likely to go undetected if you do it wirelessly.

    28. Re:Welcome to the Information Age! by omnichad · · Score: 1

      What makes you think there are standards? I can almost guarantee that you're vendor-locked the moment you start building the system.

    29. Re:Welcome to the Information Age! by omnichad · · Score: 1

      The US is finally moving to chip and pin for credit cards by next fall.

    30. Re:Welcome to the Information Age! by jafac · · Score: 1

      Not only is it that the guys making big bucks making decisions are horribly undereducated: they won't pay for security because that would cut into THEIR compensation (to have to pay competent engineering staff). So not only are they undereducated, they have a conflict of interest that promotes horrible engineering practices.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    31. Re:Welcome to the Information Age! by sjames · · Score: 1

      It would cost more to cover therapy for their employees. When the customer calls 3 times a day and says "I don't remember if the password is 1234 like my luggage or 4321 like my ATM (or is that the other way around), could you set it to something I'll remember?" it takes a huge effort and creates a lot of stress to refrain from answering "I doubt it"

    32. Re:Welcome to the Information Age! by jratcliffe · · Score: 1

      Nothing will be done until the vulnerability is exploited, and even then it will be measured against a cost/benefit actuarial table.

      I would certainly hope so. If government isn't doing cost-benefit analysis of spending decisions, it's being grossly irresponsible.

    33. Re:Welcome to the Information Age! by Darinbob · · Score: 1

      The thing is, the "hole" is not about being wireless, that's just stupid fear mongering. The hole is in not having security in the first place. You can indeed have highly secure wireless networking. The trick is in getting the customers to demand security instead of thinking of it as an inconvenient hassle.

    34. Re:Welcome to the Information Age! by Mr+D+from+63 · · Score: 1

      You can have vendor lock with or without standards. Standards can often contribute to vendor lock.

      Why do I think there are standards? For one, the article refers to them, albeit vaguely. For two, purchasing standards or requirements for commonplace items such as stoplights typically fall under some type of code/standard/requirement system, and that makes sense when you want to make sure equipment is similar throughout a large system or state. Be that for vendor lock, or simple management simplicity, you choose, that part is irrelevant to my point.

    35. Re:Welcome to the Information Age! by rmdingler · · Score: 1
      Ha!

      Yes, for a moment there I utterly ignored the impeccable reputation of government.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    36. Re:Welcome to the Information Age! by AK+Marc · · Score: 1

      And how exactly would a simple password result in a higher price?

      The training and SOPs for new processes, at the very minimum. Perhaps new control systems for the "secure" interface, at the cost of billions.

    37. Re:Welcome to the Information Age! by AK+Marc · · Score: 1

      And when they do "fix" it, they'll charge the hacker with the cost of fixing systems they knew were insecure for 30 years.

    38. Re:Welcome to the Information Age! by bill_mcgonigle · · Score: 1

      These things could definitely be fixed, we just don't care to fix them.

      And we don't even have the tools to do so. How many languages let you write:

      secure char[] myPassword

      much less:

      secure objectType myObject

      and have the language memset its memory to zero (or shred, etc.) for you when the variables go out of scope?

      It's hard to do security right even if you're really trying. Anybody know if C++2014 made any gains here?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
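
The scope-exit wiping asked about in the comment above can be approximated in C++ today with an allocator that zeroes memory before releasing it. This is an added example, not part of the original thread; `WipingAllocator`, `SecretBytes`, `secure_zero` and the fixed demo arena are hypothetical names, and the arena exists only so that released memory can be inspected without undefined behaviour (a production allocator would wipe and then return the block to the heap).

```cpp
#include <cstddef>
#include <cstring>
#include <new>
#include <vector>

// Demo-only bump arena: memory is handed out once and never reused, so the
// bytes left behind after deallocation stay observable.
alignas(std::max_align_t) static unsigned char g_arena[4096];
static std::size_t g_used = 0;

// Write zeros through a volatile pointer. A plain memset() on memory that is
// about to be released is a dead store and may be removed by the optimizer.
inline void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* v = static_cast<volatile unsigned char*>(p);
    while (n--) *v++ = 0;
}

template <class T>
struct WipingAllocator {
    using value_type = T;
    WipingAllocator() = default;
    template <class U> WipingAllocator(const WipingAllocator<U>&) {}

    T* allocate(std::size_t n) {
        std::size_t bytes = n * sizeof(T);
        std::size_t start = (g_used + alignof(T) - 1) / alignof(T) * alignof(T);
        if (start > sizeof g_arena || bytes > sizeof g_arena - start)
            throw std::bad_alloc();
        g_used = start + bytes;
        return reinterpret_cast<T*>(g_arena + start);
    }
    // Called on destruction AND whenever the container regrows, so the stale
    // copy left in the old block is wiped too.
    void deallocate(T* p, std::size_t n) { secure_zero(p, n * sizeof(T)); }
};
template <class T, class U>
bool operator==(const WipingAllocator<T>&, const WipingAllocator<U>&) { return true; }
template <class T, class U>
bool operator!=(const WipingAllocator<T>&, const WipingAllocator<U>&) { return false; }

// vector<char>, not std::string: common string implementations keep short
// values inside the string object itself, where no allocator ever sees them.
using SecretBytes = std::vector<char, WipingAllocator<char>>;

// True if the byte sequence of `needle` is present anywhere in the arena.
bool arena_contains(const char* needle) {
    std::size_t n = std::strlen(needle);
    if (n == 0 || n > g_used) return false;
    for (std::size_t i = 0; i + n <= g_used; ++i)
        if (std::memcmp(g_arena + i, needle, n) == 0) return true;
    return false;
}

struct Residue { bool while_alive; bool after_scope; };

// Fill a SecretBytes one character at a time (forcing several regrowths),
// then let it go out of scope and look for the secret in released memory.
Residue demo(const char* secret) {
    Residue r{};
    {
        SecretBytes pw;
        for (const char* p = secret; *p; ++p) pw.push_back(*p);
        r.while_alive = arena_contains(secret);
    }  // pw destroyed here: its last block is wiped by deallocate()
    r.after_scope = arena_contains(secret);
    return r;
}
```

This covers heap storage only: copies the caller makes elsewhere, such as the source buffer the secret was read into, are outside the allocator's reach.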
    39. Re:Welcome to the Information Age! by rmdingler · · Score: 1

      Restitution in action.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    40. Re:Welcome to the Information Age! by michelcolman · · Score: 1

      That's like saying "I'm not going to lock my door because thieves know how to pick locks anyway". Very bad argument if you ask me.

      Jeez, the system they used actually supported WPA2, all they had to do was tick a box and choose a password. Sure, maybe that will be cracked one day, too. But it will certainly take more expertise than just listening to data that's transmitted in the clear.

    41. Re:Welcome to the Information Age! by michelcolman · · Score: 1

      New processes? Training and SOPs to tick the (existing) box "enable WPA2" and enter a password?

    42. Re:Welcome to the Information Age! by strikethree · · Score: 1

      Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.

      It is almost like we are under the rule of a third world tin pot dictatorship. The top of the control pyramid can't hear anything because control is all that matters and the bottom can't teach the top anything because the top already hires the "best and brightest" (read: best friends and shiniest coins). Heh. Gotta love what power does to most individuals.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    43. Re:Welcome to the Information Age! by stoatwblr · · Score: 1

      "Next, script kiddies causing couple fender-benders "

      Bumping up congestion would be more constructive in a lot of cases. Taking back the streets for pedestrians, etc, etc.

    44. Re:Welcome to the Information Age! by nine-times · · Score: 1

      You know, I've thought about why this is the case, and here are a couple of thoughts that I had:

      1) With all we've found out about big businesses cooperating with the NSA, I wouldn't be too surprised if the NSA had, in some ways, actively discouraged security and encryption.

      2) I think part of the problem is coming up with, agreeing on, and implementing a set of standards. We don't do standards anymore. Everyone has little walled gardens. We're not going to come up with better email standards, for example, because the days of everyone wanting to agree on protocols like SMTP and POP3 and IMAP are over. Now Google wants to have its own email standards and protocols, Microsoft wants to have its own, and Facebook wants to have its own. You aren't going to get those companies together into a room, working towards a better solution that they can all use. Even if you had a better protocol all worked out, they wouldn't use it. It's a combination of "not invented here" syndrome and "I want to control the patents and the infrastructure" and finally, "I don't even want people to be able to communicate with people on my service unless they also sign up for my service."

      3) People prefer to do nothing than to undertake change. Fixing things takes effort, and your attempts to fix things might not go according to plan. As long as nobody important is yelling at them to get things fixed, a lot of people would rather sit back and watch things fall apart.

  3. What are they waiting for? by Hamsterdan · · Score: 1

    Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

    --
    I've got better things to do tonight than die.
    1. Re:What are they waiting for? by Nyder · · Score: 3, Insightful

      Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

      They are waiting for the first part, because unless there is a big uproar about it (which there won't be until it gets abused enough to cause deaths) it costs too much money to fix.

      How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out. That is, security is non existent or an afterthought. Paying money to make sure everything is secure for any sort of attacks/compromise/whatever takes away from the bottom line, so shareholders don't like that stuff. And management is kissing the shareholders ass, so it's not as important.

      Now for government work, it's a bidding process and well, you aren't going to make any money on the job by having to hire some sort of computer type to make sure the system is secure. And since the contract probably didn't state it needed to be done, well, this is what we have.

      So wait until it gets abused bad enough to kill people, nothing will get done.

      --
      Be seeing you...
    2. Re:What are they waiting for? by Lumpy · · Score: 1

      They don't care. There was a very dangerous intersection that people wanted stop signs at for years and asked several times and were denied. Until there was a major nasty accident that happened and the news covered it and got word that the city ignored requests for stop signs, the light of public anger was finally pointed at them and they suddenly had the signs installed.

      Your city does not care one bit if you die or even if 100 people die, they only care if they look good to the public. This is the problem with our current election system,

      --
      Do not look at laser with remaining good eye.
    3. Re:What are they waiting for? by mlts · · Score: 3, Interesting

      I remember this crossroads in the 1990s. Would firms in general focus on security, even though the worst threats at that time were college students looking to rm -rf / a box or two for kicks.

      It came out worse than I could imagine. I heard the "security has no ROI" mantra many a time (although the past couple places I worked at, they actually take it seriously.) When working as a consultant, I asked companies what they had for something if they were hacked. The response was, "We will call Geek Squad or Infosys, and have the problem fixed."

      I have read people hoping for a "Warhol event" that would get businesses focusing on security. However, I would say that a "cyber 9/11" (to use a buzzword) would do far more harm to security in general than help.

      Take this scenario:

      A hurricane has a populated city in its sights. Evacuations are starting. As people are getting on the roads, Elbonian actors hack the anti-theft disable mechanism of a major car maker, disabling random cars at a time on all major roads. When those are towed, another set of cars get turned off. Havoc happens.

      Congress is then pushed to push some bills into law. Well, they do. However, they do little or nothing. Here are the bills:

      1: A mandatory DRM stack on any device in the US accessing the Internet, enforced by endpoint routers, with mandatory 10-life if any are tampered with.

      2: All "tools for cyber-warfare", even something as banal as tcpdump, would be removed from operating systems, and only allowed to registered people.

      3: Similar to #1, all machines would run a scanner similar to an antivirus utility, but would use signatures to look for unlicensed MP3 files, movies, programs like Handbrake, and if detected, would automatically shut the machine down and notify the local authorities.

      4: A central ID card, similar to a PIV/CAC would be required on any/all devices so all transactions (even a web login) are positively identified. It would be a felony for someone to access the Internet without their packets being signed or attributed to an ID card.

      Of course, none of this would actually -HELP- security, but it would keep it swept under the covers, and (using MBA speak) allow better monetization of existing revenue streams... i.e. your PC becomes a locked down console with only big name brands able to write software for it due to the legal barriers of entry.

    4. Re:What are they waiting for? by Zmobie · · Score: 1

      This right here. The problem with any "unsafe" scenario is that these lights are usually logic controlled by PLCs or some such. I had a professor in college that used to work for one of the state roadway departments and he did work on traffic light controllers for a while. Most of them have to physically prevent anything like that from being possible just like how a civil engineer is supposed to prove their bridge is safe within x parameters. From what I understand this isn't even a concern for all traffic light controllers because ones outside of the big metro areas are not even interconnected to a central controller (this was just what I was told and know from the small towns I have lived in, if someone knows otherwise feel free to correct me here).

      I personally am a huge security advocate and believe that, yes these things need to be secured to a reasonable extent, but it is overblown to think this is going to get a bunch of people easily killed just because someone wants to play around with it. Now, someone building a DIY "make light go green" device is not outside the realm of possibility... In fact, I may have a new project just to see if I can do it!

    5. Re:What are they waiting for? by beschra · · Score: 1

      You can't be serious. Fixing something after it's been done wrong is even more expensive than doing it right the first time. Take the current example of traffic signals. Physical access is a huge problem. How do you address that? Work out a new design and retrofit hardware and software. Not free. Not anywhere is that even approaching cheap.

      --
      It is unwise to ascribe motive
    6. Re:What are they waiting for? by omnichad · · Score: 1

      Because the CEO already got theirs and they can just step down and keep their share of the profits. Leave it for the corporation to handle without them.

    7. Re:What are they waiting for? by Em+Adespoton · · Score: 1

      Indeed... not only that, but the system has to be set up to work with both non-authenticating and authenticating devices for a significant period of time, while each traffic light is swapped out for a reprogrammed light that authenticates correctly.

      What's really needed is to use something like sslwrapper on both ends of the system, so that each device on the network must authenticate with its private key. To do so, however, will require creating a test controller and a testbed of lights (to assure that nothing will break when it gets implemented) followed by a controller roll-out, and then by requiring the new PK system be installed in each light/camera that goes into the field.

      Then, for the next 3 years or so, the old lights get swapped out and the upgraded ones are swapped in, by someone being paid to do this.

      Disabling the debug port on the controller should be something fairly cheap to fix, but if the municipal employees maintaining the system currently use debug for some purpose, they're also going to require retraining and a new and effective system will need to be developed to replace the insecure method.

      So yeah; we're talking about each municipality undergoing a major retraining and QA budget bump, plus the hiring/re-purposing of employees to manage this. The costs will scale more than linearly with the size of the system being upgraded.
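The mixed-fleet period described in the comment above, sketched as an added example that is not part of the original post: a controller-side gate that accepts unauthenticated messages only from devices not yet upgraded, and refuses them from any device that has been enrolled. Per-device HMAC keys from the standard library stand in for the private-key scheme the comment proposes; the class name, device ids and keys are all constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes
CTR_LEN = 8   # big-endian 64-bit message counter


def _mac(key: bytes, device_id: str, body: bytes) -> bytes:
    # Bind the tag to the sender's id so one device's message cannot be
    # replayed under another device's name.
    return hmac.new(key, device_id.encode() + b"\x00" + body, hashlib.sha256).digest()


def seal(key: bytes, device_id: str, counter: int, payload: bytes) -> bytes:
    """Device side: build counter || payload || tag."""
    body = struct.pack(">Q", counter) + payload
    return body + _mac(key, device_id, body)


class MigrationGate:
    """Controller-side admission check for a partly upgraded fleet (hypothetical)."""

    def __init__(self, enrolled_keys, legacy_ids):
        self.keys = dict(enrolled_keys)                  # device id -> key
        self.legacy = set(legacy_ids) - set(self.keys)   # not yet upgraded
        self.last_counter = {}                           # device id -> highest counter seen

    def enroll(self, device_id, key):
        # Once a device is upgraded it leaves the legacy list for good.
        self.keys[device_id] = key
        self.legacy.discard(device_id)

    def admit(self, device_id, message, sealed):
        """Return (accepted, payload_or_reason)."""
        if device_id in self.keys:
            if not sealed:
                # An enrolled device must never fall back to the old protocol.
                return False, "downgrade"
            if len(message) < CTR_LEN + TAG_LEN:
                return False, "malformed"
            body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
            if not hmac.compare_digest(tag, _mac(self.keys[device_id], device_id, body)):
                return False, "bad-mac"
            (counter,) = struct.unpack(">Q", body[:CTR_LEN])
            if counter <= self.last_counter.get(device_id, -1):
                return False, "replay"
            self.last_counter[device_id] = counter
            return True, body[CTR_LEN:]
        if device_id in self.legacy and not sealed:
            # Transitional exception: shrinks as devices are swapped out.
            return True, message
        return False, "rejected"


def demo():
    key = b"constructed-demo-key-not-for-use"
    gate = MigrationGate({"light-07": key}, {"light-12"})
    msg = seal(key, "light-07", 1, b"status:ok")
    results = [
        gate.admit("light-07", msg, sealed=True),            # valid
        gate.admit("light-07", msg, sealed=True),            # same counter again
        gate.admit("light-07", b"status:ok", sealed=False),  # enrolled, unsealed
        gate.admit("light-12", b"status:ok", sealed=False),  # legacy device
    ]
    gate.enroll("light-12", b"another-constructed-demo-key")
    results.append(gate.admit("light-12", b"status:ok", sealed=False))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The legacy list is the residual exposure during the swap-out: any id still on it can be claimed by whoever joins the network, so its size is the figure to track.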

    8. Re:What are they waiting for? by Em+Adespoton · · Score: 1

      Indeed. The things that could probably be controlled are:
      1) Proximity green lights (all lights turn green just as if a pedestrian had pressed a button). The PLC will still require time to go through amber to red for the other direction prior to the green light
      which leads us to...
      2) adjusting amber light timings
      THIS is where lives could be lost, which is the reason municipalities put up those "New Traffic Sequence" signs. If suddenly the amber light only takes a second or so, even though it takes 20 seconds to walk across the intersection and 5 seconds for cars to clear the intersection, you're going to end up with fatalities. The PLC, not being custom programmed for individual intersections, can't defend against this.
      3) easiest one: default to the flashing red "4-way" signal. Unfortunately, a large number of drivers don't seem to know what flashing red means, resulting in confusion, snarled traffic, and the odd accident. Not too big a deal though.

      But I'm more interested in the traffic cameras on the network. Being able to access all traffic and red light cameras city-wide could have many uses (including plotting the fastest route through town, searching for someone/something and collecting a massive license plate tracking system).

    9. Re:What are they waiting for? by Hentai · · Score: 1

      How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out.

      Computers?

      http://www.motherjones.com/pol...

      --
      -Hentai [in vita non pacem est]
    10. Re:What are they waiting for? by Zmobie · · Score: 1

      Interesting points. The amber light timings though I would think should have a hard floor/ceiling inside the PLC. Not sure how much adjustment you could do because when the PLC write happens it has certain limits for the logic to even recognize what is told to it via input. The cameras are a very intriguing point and probably the most dangerous. I vaguely recall a story on slashdot a while back about the camera networks though having terrible security, but don't remember the details.

    11. Re:What are they waiting for? by Em+Adespoton · · Score: 1

      Yes; I seem to recall the amber light timings do have a floor/ceiling -- but as I pointed out, that range has to take into consideration all sorts of intersections and traffic speeds; the result is that you would require a conservative range of 2-6 seconds; setting a 6-second intersection to 2 seconds could have catastrophic results.

      http://redlightrobber.com/red/... lays out the mathematical issues at stake here. This paper was published in 1959, but is just as true today.
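The gap discussed in the comments above, a single 2-6 second range that is too wide for any one intersection, can be closed by a per-site floor checked before a timing write is accepted. The following is an added example, not part of the original posts and not code from any real controller: it derives the floor from the standard kinematic stopping relation (reaction time plus speed over twice the deceleration), with the 1.0 s reaction time, 3.0 m/s² deceleration and approach speeds all being assumed values.

```python
from dataclasses import dataclass

GRAVITY = 9.81  # m/s^2

# Assumed design defaults for illustration; a real deployment would take
# these from the responsible traffic engineer, not from this example.
REACTION_S = 1.0
DECEL_MS2 = 3.0

# The network-wide range quoted in the comment above.
GLOBAL_MIN_S, GLOBAL_MAX_S = 2.0, 6.0


@dataclass(frozen=True)
class Approach:
    name: str
    speed_ms: float      # approach speed in metres per second
    grade: float = 0.0   # rise/run: positive uphill, negative downhill


def site_minimum(ap: Approach) -> float:
    """Shortest amber that lets a driver at approach speed stop in time."""
    decel = DECEL_MS2 + GRAVITY * ap.grade
    if decel <= 0:
        raise ValueError("grade too steep for the assumed deceleration")
    return REACTION_S + ap.speed_ms / (2.0 * decel)


def check_amber_write(ap: Approach, requested_s: float):
    """Validate a requested amber duration; returns (accepted, reason)."""
    # Written as 'not (a <= x <= b)' so that NaN is rejected as well.
    if not (GLOBAL_MIN_S <= requested_s <= GLOBAL_MAX_S):
        return False, "outside-global-range"
    # The check the global range alone cannot provide.
    if requested_s < site_minimum(ap):
        return False, "below-site-minimum"
    return True, "ok"


if __name__ == "__main__":
    arterial = Approach("constructed-arterial", speed_ms=25.0)
    residential = Approach("constructed-residential", speed_ms=9.0)
    for ap, secs in [(arterial, 2.0), (arterial, 5.5), (residential, 2.0)]:
        print(ap.name, secs, check_amber_write(ap, secs))
```

A request of 2.0 s passes the global range but is refused for both constructed approaches, which is the case the thread is worried about.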

  4. White hat application to cycling by tepples · · Score: 1

    So can cyclists use this to proceed through an intersection with miscalibrated vehicle sensors without having to wait several minutes for a motor vehicle to pull up behind? I don't know about other countries, but not every US state has a dead red law allowing one to proceed with caution through a malfunctioning signal.

    1. Re:White hat application to cycling by Greyfox · · Score: 1

      Hah. In my town the traffic lights seem to be designed so that traffic stops at every goddamn one of them. I wonder if they could be fixed. I'm already not liking where this train of thought is going heh heh.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  5. What would happen? by khr · · Score: 1

    My home town only has one traffic light (and didn't get a left turn lane until after I moved away). I wonder what sort of damage hackers could do with that... Chaos where US 101 meets highway 34....

    1. Re:What would happen? by drinkypoo · · Score: 1

      Your home town probably doesn't have a network-connected traffic light, either, since it only has one light to work with and there's not much point. Unless there's some compelling reason to do otherwise, these systems are only replaced when they fail. If you live in a major metro area then sure, there's reasons to upgrade before failure, involving traffic management.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:What would happen? by Anonymous Coward · · Score: 1

      Well, the security through scarcity will not slow them down. The meanies will just steal your stop signs and pee in Eckman creek, which are totally insecure and unguarded. This is a good thing. In most towns police guard the traffic lights and issue tax bills at random under the guise of security.
      Hell, in some places, like where Eric Garner lived, packs of police officers will hunt you like wolves and beat you to death. Yup, if I were the ex janitor at the D.O.T. who found out how to hack a street light, I would keep my mouth shut till this blows over. Also you better start figuring out how to secure the remote on your T.V. I hear they are pretty easy to hack too.

    3. Re:What would happen? by freeze128 · · Score: 1

      I'm just surprised that you even have INTERNET ACCESS.

  6. What's the point of this? by Anonymous Coward · · Score: 1

    What is the point of this "research"? To prove that there are still many systems in our world that can be hacked easily? No shit.

    The thing is that sometimes there is no incentive to hack things because it is a lot of work for very little gain, until some other asshat on the interwebs shows people how it can be done. Then the effort to hack it becomes less (as there is not a manual), and thus the frequency of it occurring increases. I may exaggerate a little when I call this a form of sponsored vandalism... but I am not sure what society will gain from this research.

    The large majority of hacks are done by people trying to steal or just for entertainment. Terrorism is really not your #1 hacker. And anyway, I don't see Al Qaeda making a statement by hacking the traffic lights on a particular crossing. Instead, what we get now is that all 18-year-olds who read Ars Technica will try this out.

  7. They Might be Giants by puddingebola · · Score: 2

    Red means stop. Do not go. No, no, no. Green in all directions means go. Oh no, Oh no, Oh no.

    1. Re:They Might be Giants by GTRacer · · Score: 1
      Or, Monty Python:

      I like traffic lights,
      I like traffic lights,
      I like traffic lights,
      No matter where they've been.

      I like traffic lights,
      I like traffic lights,
      I like traffic lights,
      But only when they're green.

      And so on in that fashion for several more verses...

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  8. Cool! by AchilleTalon · · Score: 1

    No more reasons to be late at work.

    --
    Achille Talon
    Hop!
  9. Security... by Coditor · · Score: 1

    ... is a job best done by people who understand it. Yet the security czar of the US Government bragged in an interview that since he didn't know anything about security he was better able to deal with it.

  10. people charge of traffic lights are engineers but by Joe_Dragon · · Score: 1

    People in charge of traffic lights are engineers but not likely to be EEs or tech people. They may know somewhat about how they work but maybe not the deep tech parts. The engineers in charge are traffic / construction engineers.

  11. Re:people charge of traffic lights are engineers b by TWX · · Score: 1

    Civil engineers that design traffic flow systems are looking at the problem from a macro-scale, and from a traffic-perspective, not from a security or physical device perspective.

    It's the job of the designer/implementer to put the security into the system. In that sense the vendor and manufacturer should be held liable, not the customer.

    --
    Do not look into laser with remaining eye.
  12. I wonder if this means... by kick6 · · Score: 1

    I can fix the flashing reds that happen all. the. damn. time. In my hometown.

    1. Re:I wonder if this means... by omnichad · · Score: 1

      Flashing reds is probably a failsafe mode. You could give yourself a green, but it won't fix them for anyone else.

  13. A lot of easy things are illegal by TomGreenhaw · · Score: 5, Insightful

    It's easy to exceed the speed limit. It's easy to shoplift. It's easy to buy a gun and shoot somebody.

    It's probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.

    While I think it's irresponsible to design computer systems without basic and reasonable security measures, technology is not the final answer to antisocial behavior. Hacking somebody else's systems is illegal and wrong. Finding (sometimes) esoteric ways to do it and making it easy for bad guys is just plain foolish.

    My friend Neil and I have a law: You know you have enough security when you can't do your job anymore. Requiring the average stop light electrician to now be a computer networking security expert requiring tons of tech support would certainly drive up taxes.

    Antisocial behavior is why we have laws and there is a reason we should obey them.

    --
    Greed is the root of all evil.
    1. Re:A lot of easy things are illegal by ogdenk · · Score: 1

      Hey! I speed occasionally and I own a firearm or two *BUT* I don't shoplift or shoot everyone that pisses me off. So does that mean I'm only halfway antisocial?

      Bringing security flaws that could get us killed to light in public view is NOT antisocial behavior. Hacking said systems and actually manipulating them to cause mayhem *IS* antisocial behavior.

      Software security is VERY important. Anything can be hacked but irresponsibly making it blatantly easy for people to control these systems and cause loss of life or injury is insane. People that release knowledge of the flaws are not the enemy. It's the responsible thing to do as the people in charge of these systems will not act unless their ass suddenly depends on it.

    2. Re:A lot of easy things are illegal by omnichad · · Score: 1

      It's probably easy to build

      The cost of building a device doesn't necessarily include R&D costs. It's possible someone else has already done the work for you.

    3. Re:A lot of easy things are illegal by Richy_T · · Score: 1

      I believe the poster was talking about the devices which imitate the strobe on emergency vehicles that triggers the green. A much simpler protocol and fairly easy to detect and engineer with low-cost equipment. Someone from around here (Tennessee) was charged with making such a device a few years ago.

    4. Re:A lot of easy things are illegal by TomGreenhaw · · Score: 1

      All you people are missing the point.

      We can do this. It's not that hard. Some work is not right.

      Apparently engineers and scientists need to be reminded that everyone needs a moral compass. Consider the golden rule. Would your actions make our world a better place for our children?

      --
      Greed is the root of all evil.
    5. Re:A lot of easy things are illegal by ToddInSF · · Score: 1

      If "security" requires that everyone be obedient and fear the designation "antisocial", then by all means, we should all be actively seeking to destroy every vestige of THAT delusion.

    6. Re:A lot of easy things are illegal by strikethree · · Score: 1

      My friend Neil and I have a law: You know you have enough security when you can't do your job anymore.

      As a "security guru" and a Heinlein fan, I love to twist some words that Mr. Heinlein wrote:

      My job is to help you do, in a safer manner, what you were going to do anyway, not to prevent you from doing it in the first place.

      This was concerning an exchange of a Mr. Harriman to his lawyer with me speaking from the lawyer's point of view.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  14. So What? by mjwaters · · Score: 1

    Wireless security doesn't mean much when people already have easy physical access to all of these traffic lights. It's not like they are guarded by more than a padlock. I am guessing the greatest threat to traffic lights (in the eyes of the department of transportation) is still copper thieves.

    1. Re:So What? by pruss · · Score: 1

      It's a lot easier to get caught when breaking into the padlock than when driving by with an RF device.

  15. Don't emergency vehicles use this? by asylumx · · Score: 1

    Don't emergency vehicles sometimes use this to their advantage to turn an intersection into a 4-way red light so that they can get through? I know I've heard of ambulances and fire trucks having a button that makes all stop lights near them turn red, but I have never tried to verify the truth of the claim.

    1. Re:Don't emergency vehicles use this? by k6mfw · · Score: 2

      I was thinking what do they use now. Years ago I remember fire engines and trucks had strobe light on top of cab that flashes sequences which causes traffic light to turn red on opposing traffic. In late 70s or early 80s I saw a Dodge van that was parked in Quement Electronics on Bascom Ave in San Jose (you old guys remember that store, favorite among geeks back in the days when Fry's was a grocery store). I guess this person got ahold of one of these and voila, never gets a red light. Question I always wondered if that was legal.

      Fast forward to nowadays, do emergency vehicles use such a system and is it RF based?

      --
      mfwright@batnet.com
    2. Re:Don't emergency vehicles use this? by bored_engineer · · Score: 2

      It's called signal preemption. Opticom is IR-based, and in fairly common use. There are several other systems available for signal preemption, including:

      • GPS-equipped vehicles communicate with a control center, which does the preemption,
      • audio-based, which react (hopefully) to a siren,
      • rf-based.

      There may be others, but these are the ones I'm familiar with.

  16. So when are we going to hear by Stan92057 · · Score: 1

    So when are we going to hear about sob stories from idiots who hack traffic lights and get more than 33 months in jail for it?

    --
    Jack of all trades,master of none
    1. Re:So when are we going to hear by sl149q · · Score: 1

      This is really not much different from simply (for example) removing traffic signs.

      I recall that some kids removed a stop sign as a prank (Florida, mid 90's?). There was a bad accident and the result was manslaughter charges and something like 20 year sentences.

  17. Re:people charge of traffic lights are engineers b by ortholattice · · Score: 1

    I once knew a traffic-light engineer who was an EE with a BS. I mentioned that I thought it was annoying not to have sensors on lights in rarely-used cross streets, since it wastes a lot of gas to have the main throughway traffic constantly stopping for no reason, not to mention wasting people's time. He said that if you put in a sensor, people will get used to the light always being green, and in the rare case it turns red they will tend not to stop and will cause more accidents. He was very strongly opposed to such sensors - arguing supposedly from experience as a professional and an expert - and our argument started to become, well, heated, so I just let it go. I really doubt what he said is supported by statistics, but his attitude was an example of the thinking of the people designing the lights.

    (This was a couple of decades ago. Maybe the thinking has changed since I do see more sensors these days, but still not nearly enough. Often they seem poorly designed, such as unnecessarily waiting a full cycle before changing even if there is no cross traffic.)

  18. Re:people charge of traffic lights are engineers b by cnaumann · · Score: 1

    You would be surprised how conditioned you can become to traffic patterns always being a certain way. I nearly caused an accident last week when I turned left in front of a car that was going straight. I am a good driver... why did I do that? The intersection was where two small neighborhood roads intersect the main road. After I screwed up, I realized that in the last 25 years, I had _never_ seen a car go straight through that particular intersection. I unconsciously assumed that he was waiting for the light so that he could turn left, like cars always do.

    Traffic engineering is not about saving gas. It is mostly about preventing accidents. That is one of the reasons you see so few Yield signs these days.

  19. Re:people charge of traffic lights are engineers b by tlhIngan · · Score: 1

    You would be surprised how conditioned you can become to traffic patterns always being a certain way. I nearly caused an accident last week when I turned left in front of a car that was going straight. I am a good driver... why did I do that? The intersection was where two small neighborhood roads intersect the main road. After I screwed up, I realized that in the last 25 years, I had _never_ seen a car go straight through that particular intersection. I unconsciously assumed that he was waiting for the light so that he could turn left, like cars always do.

    The intersection on our street has two lanes on the cross street - one dedicated right-turn lane, and a combined left-turn/straight-through lane.

    We usually go straight through, but it's somewhere we never go through without being cautious because a straight-through/left-turn lane is a rarity. It's usually more common as a left-turn, and a right-turn/straight lane. People just don't seem to understand that after the car turns left, the car behind might want to go straight.

    We've nearly had accidents where people would assume we'd be turning left.

    Had a right-turn from the main road assume the same thing - the light was red, we headed straight, and the guy never looked to his left and continued making the right turn. He never figured out that people might not be turning and didn't look.

    These days more traffic goes through there so people are more used to not assuming that most people turn. But geez.

    It's apparently common enough that it's why they have "Traffic Pattern Changed" signs to warn drivers that they've mucked with the lights, lanes, etc.

  20. Balanced for a different velocity by tepples · · Score: 1

    Your city's stoplights are balanced for a different speed.

    Or they are balanced for the same speed in a different direction. On a two-way street whose signals are timed for 30 mph eastbound at a particular part of the day, westbound traffic is going to have a problem.

    Or perhaps they are balanced for a different speed, the speed of the type of vehicle driven by the majority. Most signals are timed for people who drive cars, which means cyclists tend to hit more reds.

  21. Crosswalk hacks by almitydave · · Score: 2

    Reminds me of the time when that list of crosswalk-button hacks was published - it created quite a stir.

    --
    my, your, his/her/its, our, your, their
    I'm, you're, he's/she's/it's, we're, you're, they're
  22. Re:people charge of traffic lights are engineers b by bored_engineer · · Score: 2

    Unfortunately, those sensors sometimes fail. With no "call," then one direction may never get a green light. (Of course, if this happens, then the tech will call an engineer to get a timing plan, then go out and reprogram the faulty controller, if it's not networked.) Freezing conditions, etc. can ruin in-ground loop sensors, and optical sensors can become befuddled by fog, snow and sun. Radar-based sensors are becoming more common, and because they're mounted on an arm or on a pole, they can be replaced more easily than the inductive loops.

  23. Re:people charge of traffic lights are engineers b by omnichad · · Score: 1

    I was stuck at a faulty red light with a sensor once. I waited for almost 5 minutes, wanting to call the police out to get me out of the stop light. Yes, I'm pedantic enough to annoy my wife like that. I knew that backing up and pulling forward would work, but it shouldn't have been necessary.

  24. As Always by meustrus · · Score: 1

    As always, when something gets hacked, we find out it was for the stupidest reasons. You can just log into a Wi-Fi network and dump the entire memory of the traffic light through a debug port that was left open? I mean sure, everything can be hacked, but this is just handing the entire system to the hackers. Just like nearly every other "hack" that goes on in the real world.

    This is just like when a web forum gets "hacked" because somebody with an axe to grind guessed the admin's password was actually "PaSsWoRd".

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
  25. Re:people charge of traffic lights are engineers b by sl149q · · Score: 1

    Well our local municipal engineering department obviously has not read that memo.

    We have various lights that are always green and switch on demand when a car approaches on the side street.

    I'll note that the counter argument is that people using those roads get used to them always being green, but also get used to them switching quickly to red when a car approaches from the side street.

  26. Re:people charge of traffic lights are engineers b by AK+Marc · · Score: 1

    The issue with any traffic engineer, is that there's actually no science supporting traffic engineering. It's voodoo. And if you say that to anyone who deals with traffic, they act like you desecrated their shrine. Sure, some individual parts have science (traffic flow). But when proven false (California flows better than stated, other places worse) they will persist on using the proven wrong models, rather than trying to solve for reality.

    A human factors study into lights, and having the colors/flashing change to help improve flow/compliance isn't what they do. "Fuck you, red lights are red and solid" is the closest to a discussion they will have with you.

  27. Bruce Willis and Kevin Smith knew by eric_harris_76 · · Score: 1

    They were both in that Die Hard movie that demonstrated the consequences of bad people gaining control of traffic lights -- among other things.

    --
    There's no time like the present. Well, the past used to be.