In a paper
study published this month, the security researchers describe how a series of major security vulnerabilities in traffic light systems allowed them to very easily and very quickly seized control of the whole system of at least 100 traffic signals in an unnamed Michigan city from a single point of access.
Researchers took permission from a local road agency before performing the hack, but they did not disclose exactly where in Michigan they did their research.
‟Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” the paper explained.
SECURITY HOLES IN TRAFFIC LIGHT SYSTEMS
The team, led by University of Michigan computer scientist J. Alex Halderma
n, said that the networked traffic systems are left vulnerable to three major weaknesses:
- unencrypted radio signals,
- the use of factory-default usernames and passwords, and
- a debugging port that is easy to attack
This left the network accessible to everyone from cyber criminals to young hackers.
“The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness,” the researchers report in a paper.
In an effort to save on installation costs and increase flexibility, the traffic light system makes use of wireless radio signals rather than dedicated physical networking links for its communication infrastructure - this hole was exploited by the researchers. Surprisingly, more than 40 states currently use such systems to keep traffic flowing as efficiently as possible.
“The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case,” the team said. “We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leveraged these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment.”
WIRELESS SECURITY IN QUESTIONS
The Traffic light systems use a combination of 5.8GHz and 900MHz radio signals, depending on the conditions at each intersection, for wireless communication in point-to-point or point-to-multipoint configurations. The 900MHz links use "a proprietary protocol with frequency hopping spread-spectrum (FHSS)," but the 5.8GHz version of the proprietary protocol isn't terribly different from 802.11n.
The researchers says that anyone with a laptop and a wireless card operating on the same frequency as the wirelessly networked traffic light — in this case, 5.8 gigahertz — could access the entire unencrypted network.
Now, after gaining access, next was to communicate with one of the controllers in their target network. This was done very easily due to the fact that this system’s the control boxes run VxWorks 5.5, a version which by default gets built from source with a debug port left accessible for testing.
“By sniffing packets sent between the controller and this program, we discovered that communication to the controller is not encrypted, requires no authentication, and is replayable. Using this information, we were then able to reverse engineer parts of the communication structure,” the paper reads.
“Various command packets only differ in the last byte, allowing an attacker to easily determine remaining commands once one has been discovered. We created a program that allows a user to activate any button on the controller and then displays the results to the user. We also created a library of commands which enable scriptable attacks. We tested this code in the field and were able to access the controller remotely.”
This debug port allowed researchers to successfully turned all lights red or alter the timing of neighboring intersections — for example, to make sure someone hit all green lights on a given route.
More worrying part is the ability of a cyber criminal to perform denial-of-service (DoS) attack on controlled intersections by triggering each intersection’s malfunction management unit by attempting invalid configurations, which would put the lights into a failure mode.
SOLUTION TO PROBLEM
At last, the team called for manufacturers and operators to improve the security of traffic infrastructure. It recommended that the traffic-system administrators should not use default usernames and passwords, as well as they should stop broadcasting communications unencrypted for “casual observers and curious teenagers” to see.
"While traffic control systems may be built to fail into a safe state, we have shown that they are not safe from attacks by a determined adversary," the paper concluded.
Moreover, they also warned that devices like voting machines and even connected cars could suffer similar attacks.