Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system.
The researchers targeted the wireless control systems at each intersection, avoiding any tampering with the actual junction boxes, which might be detected by passers-by (though seriously, some high-viz vests and a couple of traffic cones would likely serve as perfect camouflage), and worked with the permission of a local Michigan traffic authority.
Some of the systems they probed operated in the "open" spectrum at 900MHz and 5.8MHz, and some on a designated safety band at 4.9GHz. These radio channels were used to network the traffic signals together. The networking protocol is proprietary and unencrypted, and uses non-modifiable default passwords that are published online by the systems' vendors. By default these systems have the debugging port turned on, which allows untrusted parties to seize control over the system. Controlling a traffic signal also yields control over its sensors, including traffic cameras.
Once inside a traffic light, attackers can alter the light timing, making the lights very short or very long, or permanently freezing them in one state.
However, the lights do have a hardware-based governor that disallows potentially lethal configurations (four-way greens) and trips when there are too many alterations in too short a time.
Denial of Service A denial of service attack in this context
refers to stopping normal light functionality. The
most obvious way to cause a loss of service is to set all
lights to red. This would cause traffic congestion and considerable
confusion for drivers. Alternatively, the attacker
could trigger the MMU to take over by attempting an unsafe
configuration. This would cause the lights to enter a
safe but suboptimal state. Since this state can be triggered
remotely, but cannot be reset without physical access to
the controller, an adversary can disable traffic lights faster
than technicians can be sent to repair them. These attacks
are overt and would quickly be detected by road
agency personnel, who would be left with the recourse of
disabling network connections between intersections.
Traffic Congestion More subtly, attacks could be made
against the entire traffic infrastructure of a city which
would manipulate the timings of an intersection relative
to its neighbors. The effect would be that of a poorly
managed road network, causing significant traffic congestion
but remaining far less detectable than overt actions.
This type of attack could have real financial impacts on a
community. One study by the city of Boston calculated
that simply reconfiguring the timings of 60 intersections
in one district of the city could save $1.2 million per year
in person-hours, safety, emissions, and energy costs [2].
Light Control An attacker can also control lights for
personal gain. Lights could be changed to be green along
the route the attacker is driving. Since these attacks are remote,
this could even be done automatically as she drove,
with the lights being reset to normal functionality after
she passes through the intersection. More maliciously,
lights could be changed to red in coordination with another
attack in order to cause traffic congestion and slow
emergency vehicle response.
Green Lights Forever: Analyzing the Security of Traffic Infrastructure [Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman/Usenix]
(via O'Reilly)
(Image: First and Mill 3Ms)
