Slashdot Mirror

← Back to Stories (view on slashdot.org)

It's Easy To Hack Traffic Lights

Posted by Soulskill on from the looking-forward-to-the-mobile-app dept.

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

24 of 144 comments (clear)

  1. Old news by neglogic · · Score: 4, Informative

    This was central to the plot of the Italian Job. The real Napster took care of it.

    1. Re:Old news by Kozar_The_Malignant · · Score: 2

      This only proves that Italian traffic lights are easy to hack.

      Who cares? No one pays attention to Italian traffic lights anyway. A red light is not even a suggestion; it's an insult.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    2. Re: Old news by k6mfw · · Score: 2

      same with me, hacking traffic lights and reminded me of Benny Hill as the professor inserting hacked tape into the control system deck. Michael Caine said to the other members of his team though professor had "interesting reading material" to not make fun of him because he is very important for the job. I saw the movie last month (previously saw it in 1970s), featured the Mini Coopers that were screamers (back in the days almost all small cars were slow), Italian constantly honking horns (most in those little Fiats). In real life they do that even when traffic isn't moving.

      --
      mfwright@batnet.com
  2. Welcome to the Information Age! by sinij · · Score: 5, Insightful

    It is scary how many industries (e.g. autos, "smart" electronics, control systems) are decades behind state of the art security. We will have a lot of growing pains to get out "only computer guys need to do this".

    1. Re:Welcome to the Information Age! by Mr+D+from+63 · · Score: 5, Informative
      From TFA,

      In fact, the most upsetting passage in the entire paper is the dismissive response issued by the traffic controller vendor when the research team presented its findings. According to the paper, the vendor responsible stated that it "has followed the accepted industry standard and it is that standard which does not include security."

      Don't blame the vendor, blame the standard. The vendor that includes security in his bid will have a higher price and lose to the vendor that doesn't.

    2. Re:Welcome to the Information Age! by sinij · · Score: 2

      This is not "going after you" concern, this is general mayhem concern.

      Single stoplight can easily add +10 minutes of traffic to my commute. I imagine once Metasploit module for this comes out, some script kiddie would be able to turn everyone's commute to living hell for a considerable period of time.

    3. Re:Welcome to the Information Age! by gtall · · Score: 2

      A tree limb falls on a vehicle and kills the driver. When asked about it, the county highway department issued a statement saying that tree had never shown any intent to fall before and hence there was no reason to suspect that it would fall this time. The public can feel safe knowing that trees do not have any particular interest in killing you. If they wanted to do, they could have fallen on you years ago when you went to the grocery store.

    4. Re:Welcome to the Information Age! by sinij · · Score: 4, Insightful

      "Acceptable industry standard" is not a standard, it is status quo. You have to blame municipalities for complete lack of understanding of these security concerns.

      Next, script kiddies causing couple fender-benders and every municipality having to upgrade traffic light systems at a "I want it yesterday" premium. Then higher property taxes to pay for such monumental lack of planning and foresight.

    5. Re:Welcome to the Information Age! by Chris+Mattern · · Score: 3, Insightful

      And who will be blamed? Why, the researchers who discovered this incredible negligence, of course! "If you hadn't shown the hackers how to do it, we never would have this problem!"

    6. Re:Welcome to the Information Age! by rmdingler · · Score: 2
      Nothing will be done until the vulnerability is exploited, and even then it will be measured against a cost/benefit actuarial table.

      "Since a clean room will eventually devolve into a dirty room, there's no point in cleaning it."

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    7. Re:Welcome to the Information Age! by Mr+D+from+63 · · Score: 3, Insightful

      Most of those who do the purchasing are required to enforce the standards. Deviating, even with the intent of improvement, can bring unintended consequences and blame. For instance, add security, then all of the sudden maintenance access doesn't work because its different, complaints and blame fly. Just one possible example of many things that can happen, thus they have standards and are required to use them.

    8. Re:Welcome to the Information Age! by nine-times · · Score: 3, Insightful

      No, it's scary how much we still don't care about security. These things could definitely be fixed, we just don't care to fix them. We don't demand security in the first place, we aren't willing to pay for security, and we aren't really willing to fix security when it's broken. People will run around looking for blood for 5 minutes when it's discovered that there are huge security flaws, but nobody will fix them.

      Remember all the news when it was discovered that a person could easily and untraceably hack voting machines? Do you think that was ever fixed? The way we use credit cards is insecure. Most email is unencrypted. We use Social Security Numbers as both an identifier and a form of authentication.

      Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.

    9. Re:Welcome to the Information Age! by mlts · · Score: 2

      I know what the reply will be:

      "The hackers would have gotten in no matter what we would have done."

    10. Re:Welcome to the Information Age! by Lumpy · · Score: 4, Insightful

      "we aren't willing to pay for security" It's worse than that. IT also stems from the fact that people in charge. The guys making big bucks making decisions are horribly undereducated.

      If you ask the guy that is in charge of the city's traffic lights to explain in detail how the system works he will NOT be able to tell you. We as a society do not put in leadership positions the best and brightest. WE instead promote those that can suck up the best and schmoose the best.

      And it's now biting us in the ass because the decision makers in general are dumb as a box of rocks. And when faced with a problem they simply say "I dont know" or try to scream how we need more laws instead of actually learning what the problem is and fixing it.

      --
      Do not look at laser with remaining good eye.
    11. Re:Welcome to the Information Age! by Rogue974 · · Score: 2

      I agree with you. I am a Controls Engineer. Until recently, my controls security was decades behind. Fortunately, Stuxnet happened, our CEO noticed the news stories and started asking questions and took an interest. A small group of controls engineers and an IT person who also did the controls network at the small plants he supports made a team, did research, made recommendations and were given money to start securing our network properly.

      We need to start realizing security through obscurity is no security at all and make the changes starting with the vendors all the way through the end users.

      A huge problem I have experienced is actually a lack of understanding of security and networking on the part of controls engineers, and a lack of understanding of controls systems by IT staff. I think this is actually one of the biggest problems that creates the security problems. Every place I have worked at or in (did a stint as a contract CE and went many places) there is a stand off between controls and IT. Controls knows what we need to do to make our system work and IT tries to tell us how we have to do things and they don't realize that it is not the same as a buisness network because it will shut the plant down to do some things they would like us to. CEs don't understand enough to secure the networks themselves so we do the best we can and keep IT away from our stuff and muddle through.

      We need education on both sides so controls people know what they need to do and IT people who understand the differences between business networks and controls networks. Unfortunately, of all the IT professionals I have worked with, only 2 have understand the controls world enough, or been willing to even listen) to help so we just shut them out. I would much rather work with IT and not have to learn all of this security stuff myself when we have IT professionals who know the security. Granted, they probably don't want to learn about my world the same way I would rather not have to learn theirs, so we are right back at the stand off.

    12. Re:Welcome to the Information Age! by nine-times · · Score: 2

      Did you not read the summary, even?

      The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device.

      Yes, ultimately physical security is always an issue. They can try to make the devices difficult to access, but as you've pointed out, that's always going to be a problem.

      But this is a different level of "insecure". These things are controlled through open, unencrypted wireless networking. There are no passwords. It's like the difference between saying, "Your home is never completely secure, since someone can always break a window or crowbar the door open," vs. "Let's just leave our valuables sitting out on the lawn, completely unattended."

  3. Re:What are they waiting for? by Nyder · · Score: 3, Insightful

    Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

    They are waiting for the first part, because unless there is a big uproar about it (which there won't be until it gets abused enough to cause deaths) it costs too much money to fix.

    How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out. That is, security is non existent or an afterthought. Paying money to make sure everything is secure for any sort of attacks/compromise/whatever takes away from the bottom line, so shareholders don't like that stuff. And management is kissing the shareholders ass, so it's not as important.

    Now for government work, it's a bidding process and well, you aren't going to make any money on the job by having to hire some sort of computer type to make sure the system is secure. And since the contract probably didn't state it needed to be done, well, this is what we have.

    So wait until it gets abused bad enough to kill people, nothing will get done.

    --
    Be seeing you...
  4. They Might be Giants by puddingebola · · Score: 2

    Red means stop. Do not go. No, no, no. Green in all directions means go. Oh no, Oh no, Oh no.

  5. Re:What are they waiting for? by mlts · · Score: 3, Interesting

    I remember this crossroads in the 1990s. Would firms in general focus on security, even though the worst threats at that time were college students looking to rm -rf / a box or two for kicks.

    It came out worse than I could imagine. I heard the "security has no ROI" mantra many a time (although the past couple places I worked at, they actually take it seriously.) When working as a consultant, I asked companies what they had for something if they were hacked. The response was, "We will call Geek Squad or Infosys, and have the problem fixed."

    I have read people hoping for a "Warhol event" that would get businesses focusing on security. However, I would say that a "cyber 9/11" (to use a buzzword" would do far more harm to security in general than help.

    Take this scenario:

    A hurricane has a populated city in its sights. Evacuations are starting. As people are getting on the roads, Elbonian actors hack the anti-theft disable mechanism of a major car maker, disabling random cars at a time on all major roads. When those are towed, another set of cars get turned off. Havoc happens.

    Congress is then pushed to push some bills into law. Well, they do. However, they do little or nothing. Here are the bills:

    1: A mandatory DRM stack on any device in the US accessing the Internet, enforced by endpoint routers, with mandatory 10-life if any are tampered with.

    2: All "tools for cyber-warfare", even something as banal as tcpdump, would be removed from operating systems, and only allowed to registered people.

    3: Similar to #1, all machines would run a scanner similar to an antivirus utility, but would use signatures to look for unlicensed MP3 files, movies, programs like Handbrake, and if detected, would automatically shut the machine down and notify the local authorities.

    4: A central ID card, similar to a PIV/CAC would be requires on any/all devices so all transactions (even a web login) are positively identified. It would be a felony for someone to access the Internet without their packets being signed or attributed to an ID card.

    Of course, none of this would actually -HELP- security, but it would keep it swept under the covers, and (using MBA speak) allow better monetization of existing revenue streams... i.e. your PC becomes a locked down console with only big name brands able to write software for it due to the legal barriers of entry.

  6. A lot of easy things are illegal by TomGreenhaw · · Score: 5, Insightful

    Its easy to exceed the speed limit. Its easy to shop lift. Its easy to buy a gun and shoot somebody.

    Its probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.

    While I think its irresponsible to design computer systems without basic and reasonable security measures, technology is not the final answer to antisocial behavior. Hacking somebody else's systems is illegal and wrong. Finding (sometimes ) esoteric ways to do it and making it easy for bad guys is just plain foolish.

    My friend Neil and I have a law: You know you have enough security when you can't do your job anymore. Requiring the average stop light electrician to now be a computer networking security expert requiring tons of tech support would certainly drive up taxes.

    Antisocial behavior is why we have laws and there is a reason we should obey them.

    --
    Greed is the root of all evil.
  7. Re:Don't emergency vehicles use this? by k6mfw · · Score: 2

    I was thinking what do they use now. Years ago I remember fire engines and trucks had strobe light on top of cab that flashes sequences which causes traffic light to turn red on opposing traffic. In late 70s or early 80s I saw a Dodge van that was parked in Quement Electronics on Bascom Ave in San Jose (you old guys remember that store, favorite among geeks back in the days when Fry's was a grocery store). I guess this person got ahold of one of these and voila, never gets a red light. Question I always wondered if that was legal.

    Fast forward to nowadays, do emergency vehicles use such a system and is it RF based?

    --
    mfwright@batnet.com
  8. Re:Don't emergency vehicles use this? by bored_engineer · · Score: 2

    It's called signal preemption. Opticom is IR-based, and in fairly common use. There are several other systems available for signal preemption, including:

    • --GPS-equipped vehicles communicate with a control center, which does the preemption,
    • --audio-based, which react (hopefully) to a siren,
    • --rf-based.

    There may be others, but these are the ones I'm familiar with.

  9. Crosswalk hacks by almitydave · · Score: 2

    Reminds me of the time when that list of crosswalk-button hacks was published - it created quite a stir.

    --
    my, your, his/her/its, our, your, their
    I'm, you're, he's/she's/it's, we're, you're, they're
  10. Re:people charge of traffic lights are engineers b by bored_engineer · · Score: 2

    Unfortunately, those sensors sometimes fail. With no "call," then one direction may never get a green light. (Of course, if this happens, then the tech will call an engineer to get a timing plan, then go out and reprogram the faulty controller, if it's not networked.) Freezing conditions, et c. can ruin in-ground loop sensors, and optical sensors can become befuddled by fog, snow and sun. Radar-based sensors are becoming more common, and because they're mounted on an arm or on a pole, they can be replaced more easily than the inductive loops.