It's Easy To Hack Traffic Lights

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

Old news

[neglogic]

This was central to the plot of the Italian Job. The real Napster took care of it.

Welcome to the Information Age!

[sinij]

It is scary how many industries (e.g. autos, "smart" electronics, control systems) are decades behind state of the art security. We will have a lot of growing pains to get out "only computer guys need to do this".

Re:Welcome to the Information Age!

[Mr+D+from+63]

From TFA,

In fact, the most upsetting passage in the entire paper is the dismissive response issued by the traffic controller vendor when the research team presented its findings. According to the paper, the vendor responsible stated that it "has followed the accepted industry standard and it is that standard which does not include security."

Don't blame the vendor, blame the standard. The vendor that includes security in his bid will have a higher price and lose to the vendor that doesn't.

Re:Welcome to the Information Age!

[sinij]

"Acceptable industry standard" is not a standard, it is status quo. You have to blame municipalities for complete lack of understanding of these security concerns.

Next, script kiddies causing couple fender-benders and every municipality having to upgrade traffic light systems at a "I want it yesterday" premium. Then higher property taxes to pay for such monumental lack of planning and foresight.

Re:Welcome to the Information Age!

[Chris+Mattern]

And who will be blamed? Why, the researchers who discovered this incredible negligence, of course! "If you hadn't shown the hackers how to do it, we never would have this problem!"

Re:Welcome to the Information Age!

[Mr+D+from+63]

Most of those who do the purchasing are required to enforce the standards. Deviating, even with the intent of improvement, can bring unintended consequences and blame. For instance, add security, then all of the sudden maintenance access doesn't work because its different, complaints and blame fly. Just one possible example of many things that can happen, thus they have standards and are required to use them.

Re:Welcome to the Information Age!

[nine-times]

No, it's scary how much we still don't care about security. These things could definitely be fixed, we just don't care to fix them. We don't demand security in the first place, we aren't willing to pay for security, and we aren't really willing to fix security when it's broken. People will run around looking for blood for 5 minutes when it's discovered that there are huge security flaws, but nobody will fix them.

Remember all the news when it was discovered that a person could easily and untraceably hack voting machines? Do you think that was ever fixed? The way we use credit cards is insecure. Most email is unencrypted. We use Social Security Numbers as both an identifier and a form of authentication.

Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.

Re:Welcome to the Information Age!

[Lumpy]

"we aren't willing to pay for security" It's worse than that. IT also stems from the fact that people in charge. The guys making big bucks making decisions are horribly undereducated.

If you ask the guy that is in charge of the city's traffic lights to explain in detail how the system works he will NOT be able to tell you. We as a society do not put in leadership positions the best and brightest. WE instead promote those that can suck up the best and schmoose the best.

And it's now biting us in the ass because the decision makers in general are dumb as a box of rocks. And when faced with a problem they simply say "I dont know" or try to scream how we need more laws instead of actually learning what the problem is and fixing it.

Re:What are they waiting for?

[Nyder]

Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

They are waiting for the first part, because unless there is a big uproar about it (which there won't be until it gets abused enough to cause deaths) it costs too much money to fix.

How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out. That is, security is non existent or an afterthought. Paying money to make sure everything is secure for any sort of attacks/compromise/whatever takes away from the bottom line, so shareholders don't like that stuff. And management is kissing the shareholders ass, so it's not as important.

Now for government work, it's a bidding process and well, you aren't going to make any money on the job by having to hire some sort of computer type to make sure the system is secure. And since the contract probably didn't state it needed to be done, well, this is what we have.

So wait until it gets abused bad enough to kill people, nothing will get done.

Re:What are they waiting for?

[mlts]

I remember this crossroads in the 1990s. Would firms in general focus on security, even though the worst threats at that time were college students looking to rm -rf / a box or two for kicks.

It came out worse than I could imagine. I heard the "security has no ROI" mantra many a time (although the past couple places I worked at, they actually take it seriously.) When working as a consultant, I asked companies what they had for something if they were hacked. The response was, "We will call Geek Squad or Infosys, and have the problem fixed."

I have read people hoping for a "Warhol event" that would get businesses focusing on security. However, I would say that a "cyber 9/11" (to use a buzzword" would do far more harm to security in general than help.

Take this scenario:

A hurricane has a populated city in its sights. Evacuations are starting. As people are getting on the roads, Elbonian actors hack the anti-theft disable mechanism of a major car maker, disabling random cars at a time on all major roads. When those are towed, another set of cars get turned off. Havoc happens.

Congress is then pushed to push some bills into law. Well, they do. However, they do little or nothing. Here are the bills:

1: A mandatory DRM stack on any device in the US accessing the Internet, enforced by endpoint routers, with mandatory 10-life if any are tampered with.

2: All "tools for cyber-warfare", even something as banal as tcpdump, would be removed from operating systems, and only allowed to registered people.

3: Similar to #1, all machines would run a scanner similar to an antivirus utility, but would use signatures to look for unlicensed MP3 files, movies, programs like Handbrake, and if detected, would automatically shut the machine down and notify the local authorities.

4: A central ID card, similar to a PIV/CAC would be requires on any/all devices so all transactions (even a web login) are positively identified. It would be a felony for someone to access the Internet without their packets being signed or attributed to an ID card.

Of course, none of this would actually -HELP- security, but it would keep it swept under the covers, and (using MBA speak) allow better monetization of existing revenue streams... i.e. your PC becomes a locked down console with only big name brands able to write software for it due to the legal barriers of entry.

A lot of easy things are illegal

[TomGreenhaw]

Its easy to exceed the speed limit. Its easy to shop lift. Its easy to buy a gun and shoot somebody.

Its probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.

While I think its irresponsible to design computer systems without basic and reasonable security measures, technology is not the final answer to antisocial behavior. Hacking somebody else's systems is illegal and wrong. Finding (sometimes ) esoteric ways to do it and making it easy for bad guys is just plain foolish.

My friend Neil and I have a law: You know you have enough security when you can't do your job anymore. Requiring the average stop light electrician to now be a computer networking security expert requiring tons of tech support would certainly drive up taxes.

Antisocial behavior is why we have laws and there is a reason we should obey them.