Traffic Light Hacking

Eventually, our world will get back to normal, and we will be back in cars, stuck at traffic lights. But, for such a critical part of our transport network, are traffic lights actually secure? Well, in 2020, Dutch researchers (Rik van Duijn and Wesley Neelen) outlined that it is possible to trick traffic lights remotely:

Figure 1

With this, they managed to hack traffic lights in 10 cities in the Netherlands, tricking the system with fake bicycles at intersections. This then sets a green light for the cycle route and a red for the cars. Their focus is to show that a hacker could cause large-scale traffic jams within cities. For this, they used mobile apps for cyclists (including Schwung and CrossCycle) which allow for the sharing of a location. These apps support the detection of a cyclist at a junction, and try to allow the cyclist to pass through the junction without stopping. The researchers injected fake data into the app, which allowed them to control the traffic lights.

Traffic Light Hacking

There have been many occurrences of traffic light hacking. In 2014, security researchers, led by Alex Halderman at the University of Michigan, managed to use a laptop and an off-the-shelf radio transmitter to control traffic light signals. Overall, they found many security vulnerabilities and managed to control over 100 traffic signals within Michigan City using a single laptop. In order to be ethical in their approach, they gained full permission from the road agency and made sure that there was no danger to drivers. Their sole motivation was to show that traffic control infrastructure could be easily taken over.

Overall they found a weak implementation of security with the usage of open and unencrypted radio signals, which allowed intruders to tap into their communications, and then discovered the usage of factory-default usernames and passwords. Along with this, there was a debugging port which could be easily compromised.

In the US, the radio frequency used to control traffic lights is typically in the ISM band at 900 MHz or 5.8 GHz, which makes it fairly easy to get equipment to communicate with the radio system. The researchers used readily available wireless equipment and a single laptop to read the unencrypted data on the wireless network.

Figure 2 provides an overview of the control system where the radio transmitter provides a live feed (and other sensed information) to the road agency. The induction unit is normally buried in each of the junctions and detects cars as they pass over it, and the camera is used to watch the traffic lights, and feed the colours of the lights back to the controller. In this way, there is a visual failsafe.

Figure 2: Overview of a traffic control system

Overriding the failsafe

The MMU (Malfunction Management Unit) is the failsafe operator on the system and ensures that the lights are not put into an unsafe state (such as Red and Green at the same time). The lights are then adjusted using the information gained from the induction loops in the road (which sense cars as they pass over them). If control of the MMU can be gained, allowing access to the controller, the lights can be compromised to go into incorrect states or to stay at steady red (and cause gridlock within a city). Within the MMU controller board, the researchers found that by connecting a jumper wire, the output from the controller was ignored, and the intersection was put into a known-safe state.
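The failsafe role described above can be sketched as a small conflict monitor. This is an added example, not code from the researchers or from any MMU vendor; the phase names, lamp codes and compatibility table are constructed assumptions for a simple four-phase junction.

```python
from itertools import combinations

# Constructed example intersection: phase names and the compatibility table
# are assumptions, not taken from any real cabinet configuration.
PHASES = ("NS_CARS", "NS_CYCLE", "EW_CARS", "EW_CYCLE")
COMPATIBLE = {frozenset(("NS_CARS", "NS_CYCLE")),
              frozenset(("EW_CARS", "EW_CYCLE"))}
SAFE_STATE = {p: frozenset({"FLASH_RED"}) for p in PHASES}


def find_faults(outputs):
    """Return a list of fault strings for one snapshot of lamp outputs."""
    faults = []
    for phase in PHASES:
        lamps = outputs.get(phase, frozenset())
        if not lamps:
            faults.append(f"{phase}: no lamp lit")
        if "R" in lamps and lamps & {"G", "Y"}:
            faults.append(f"{phase}: red lit together with green/yellow")
    # Any two phases that are green or yellow together must be a permitted pair.
    moving = [p for p in PHASES if outputs.get(p, frozenset()) & {"G", "Y"}]
    for a, b in combinations(moving, 2):
        if frozenset((a, b)) not in COMPATIBLE:
            faults.append(f"{a} conflicts with {b}")
    return faults


class ConflictMonitor:
    """Passes controller output to the field until a fault latches."""

    def __init__(self):
        self.latched = []

    def filter(self, outputs):
        if not self.latched:
            self.latched = find_faults(outputs)
        # Once latched, controller output is ignored until a manual reset.
        return SAFE_STATE if self.latched else outputs

    def manual_reset(self):
        self.latched = []
```

The monitor sits between the controller and the lamps, so a controller that has been fed false detections can still only select among states the table permits.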

Same old debug port

A typical security problem in many control systems is that there is often a debug port, which gives highly privileged access to the system. Within this compromise, the researchers found that the control boxes ran VxWorks 5.5, which leaves a debug port open for testing. They then sniffed the packets between the controller and the MMU, and found that there was no authentication used and that the messages were not encrypted and could be easily viewed and replayed. This allowed them to reverse-engineer the messaging protocol for the lights. They then created a program to activate any of the buttons within the controller and display the results, and could then even access the controller remotely. In the end, they managed to turn all the lights in the neighbourhood to red (or all green on a given route, in order to operate safely within the experiment).
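The missing controls named above (no authentication, and messages that can be replayed) are what a keyed tag and a monotonic counter address. The following is an added example, not the protocol the researchers examined or any vendor's format; the frame layout, key and command strings are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumed frame layout)


def seal(key, counter, command):
    """Sender side: frame = 8-byte big-endian counter || command || tag."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison, and the tag is checked before any parsing.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            raise ValueError("replayed or stale counter")
        self.last_counter = counter
        return body[8:]


def verdict(receiver, frame):
    """Return 'accepted' or the rejection reason, suitable for logging."""
    try:
        receiver.accept(frame)
        return "accepted"
    except ValueError as err:
        return str(err)
```

This gives integrity and freshness only; the command bytes still travel in the clear, so confidentiality would need encryption on top.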

DDoS

Finally, they found that the units were susceptible to a denial-of-service (DoS) attack, where continual accesses with incorrect control signals over the network caused the malfunction management unit to put the lights in a failure state (all red). In this way, the system failed to cope with excessive traffic, and all the units would end up failing with this type of probe.

This vulnerability showed all the standard signs of the bad integration of security, which is common in many systems where security is not thought of as a major concern. This is not a small-scale issue, as the researchers identified that this type of system is used in more than 60% of the traffic intersections in the US. If a malicious agent wanted to bring a city or even a country to its knees, they could just flip a switch … and there is no road transport system, which can then cause chaos to the rest of the infrastructure. We really need to think of the way that systems are designed and probe them for their vulnerabilities.

The researchers in this study have already got other easy targets in their sight such as tapping into the public messaging systems on freeways, and into the infrastructure created by the U.S. Department of Transportation (USDOT) for vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) systems, along with the new work related to the Connected Vehicle Safety Pilot program.

Conclusion

With all our complex infrastructures, it is the simplest of things that can trip them all, and cause large-scale chaos … the electrical supply. Unfortunately, it's not an easy call to make, as the systems need to be safe, but this safety can lead to automated trips, and the systems are in danger of operator error.

As we move into a world, too, of intercommunication of signals between cars and the roadway, and between cars, it is important that we understand if there are security problems, as with a flick of a switch an attacker could cause mass chaos.

So perhaps our security risks are not from the servers and desktops and mobile devices, but from the new Internet of Things (IoT) and from power supplies, so make sure your own power supplies are secure for your organisation, and just hope that someone somewhere is doing the same for your supplies.