Can Hackers Really Manipulate Traffic Lights Like You’ve Seen in the Movies?
The hacker in The Italian Job did it spectacularly. So did the fire-sale team in Live Free or Die Hard. But can hackers really hijack traffic lights to cause gridlock and redirect cars?
According to one researcher, parts of the vehicle traffic control system installed at major arteries in U.S. cities and the nation’s capital are so poorly secured that they can be manipulated to snarl traffic or force cars onto different streets.
Cesar Cerrudo, security researcher.
The hack doesn’t target the traffic lights directly but rather sensors embedded in streets that feed data to traffic control systems, said Cesar Cerrudo, an Argentinian security researcher with IOActive who examined the systems and plans to present his findings at the upcoming Infiltrate conference in Florida.
The vulnerable controllers — Sensys Networks VDS240 wireless vehicle detection systems — are installed in 40 U.S. cities, including San Francisco, Los Angeles, New York City, and Washington, D.C., as well as in nine other countries.
The system consists of magnetic sensors embedded in roadways that wirelessly feed data about traffic flow to nearby access points and repeaters, which in turn pass the information to traffic signal controllers.
The sensors use a proprietary protocol designed by the vendor — called the Sensys NanoPower protocol — that operates similarly to Zigbee. But the systems lack basic security protections — such as data encryption and authentication — allowing the data to be monitored or, theoretically, replaced with false information.
Although an attacker can’t control traffic signals directly through the sensors, he might be able to trick control systems into thinking that congested roadways are clear or that open roadways are packed with cars, causing traffic signals to respond accordingly, Cerrudo said.
“By sniffing 802.15.4 wireless traffic on channels used by Sensys Networks devices,” Cerrudo wrote in an advisory he sent to the Department of Homeland Security’s ICS-CERT division last year, “it was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices.”
Sensors in roads send information that influences traffic-light behavior.