Hacking traffic light systems
Traffic light systems security issues
We often see movie scenes in which hackers are able to hack systems for the control of traffic lights, with catastrophic consequences, unfortunately, we must be conscious that threat actors are really able these complex infrastructures causing serious problems.
Traffic lights were originally designed as standalone systems, but they evolved with technological progress into more complex, networked systems. Modern traffic controllers are able to execute multiple timing plans, communicate in real-time with a huge quantity networked sensors and elaborate the collected information to manage traffic flows in the most efficient way
FREE role-guided training plans
Coordinated traffic signal systems provide great benefits in term of wasted time, environmental impact and public safety, but for their interconnection, public administration have to spend a great effort to ensure an efficient interconnection on a metropolitan geographic distribution. Wireless networking represented the optimal choice to reduce the interconnection cost and quickly implement an interconnected network of traffic light control systems. However, these improvements have raised serious questions in term of security of the overall architectures, the components of traffic light systems are today remotely accessible and wireless interconnected, with serious repercussions in term of security.
Cesar Cerrudo … hacking traffic lights and electronic signs worldwide
Cesar Cerrudo, chief technology officer at IOActive, is one of the cyber experts that has conducted a study to investigate on the security level of components within control systems for traffic lights and electronic signs in different cities around the world. Cesar Cerrudo analyzed the architecture of traffic light systems installed in many countries, including the United States, the U.K., Australia, China, and Canada.
Figure 1 - Sensys Video presentation
https://www.youtube.com/watch?v=pb8nVvBxRgA&list=UUYUxGM5obXEcpK0r3z3Scpg
The researcher discovered a worrying scenario, several devices in traffic light systems are vulnerable to a range of cyber attacks, vulnerabilities in these architectures could be exploited to cause a Denial of Service or to spread a malware within a network connecting with these systems.
Electronic signs and traffic light systems are controlled by automated systems that could be targeted by threat actors exacly as any other device.
Cerrudo has presented the results of his research at the Infiltrate Security conference, illustrating the details on the security flaws discovered and the components affected by such vulnerabilities, which could be exploited by an attacker using the right equipment at a suitable distance.
Figure 2 - Video Intro Cesar Cerrudo
https://www.youtube.com/watch?feature=player_embedded&v=RviQ3YQTxMo
"The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less)," explained Cerrudo in a blog post.
Cerrudo also imagined a possible attack vector for the attacks against traffic light systems, bad actors could use a commercially available unmanned vehicle to hack the vulnerable devices. The research demonstrated that equipping a drone with a powerful antenna it is possible to interfere with traffic light systems from more than 600 feet in the air, it's clear that the range could be extended to a mile with a stronger antenna.
The hacker explained that a bad actor could be able to conduct the attack using a wireless transmitter of variable size, with a USB stick receiver attacker could intercept data from 150 feet away, a distance that could be easily extended to 1,500 feet using a greater antenna.
"I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US."
To better understand the possible impact of a cyber attack against a traffic light system, let's consider the statistics proposed in the post:
"In 2012, there were an estimated 5,615,000 police-reported traffic crashes in which 33,561 people were killed and 2,362,000 people were injured; 3,950,000 crashes resulted in property damage only." US DoT National Highway Traffic Safety Administration: Traffic Safety Facts
"Road crashes cost the U.S. $230.6 billion per year, or an average of $820 per person"Association for Safe International Road Travel: Annual US Road Crash Statistics
Security of vital infrastructure is a critical goal for every cyber strategy, governments must seriously consider the possible risks related to cyber attacks and traffic light systems are considered a privileged target.
"This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously." said Cerrudo.
Cerrudo started its analysis evaluating the architectures of traffic light systems and discovered that in 40 US cities, including San Francisco, Los Angeles, New York City, Washington DC and also in other nine countries were installed vulnerable controllers Sensys Networks wireless vehicle detection systems.
Figure 3 - Sensyn Architecture (Slide)
The company installed its systems in 40 states and its network counts more than 50,000 sensors operating in 10 countries, including the United Kingdom, China, Canada, Australia, and France.
Vehicle detection systems are composed of magnetic sensors hidden in the roadways that collect information about the traffic flow and wirelessly transmit it, through the proprietary protocol Sensys NanoPower Protocol, to nearby access points and repeaters, which then sent the data to traffic signal controllers.
Figure 4 - Sensys sensor
A threat actor could hit the system described, and in particular the information exchanged, because the protocol used lack of authentication mechanisms and data sent aren't encrypted. Theoretically, an attacker could sniff the traffic, reverse engineer the protocol and replace information with fake data.
"it was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices."
Anyway, sensors are just a component of the overall architecture, it it necessary to submit the information in the correct way to trick control traffic light systems into thinking that the actual traffic flow is different from the real one.
Cesar Cerrudo made his tests in principal US cities, including Seattle, New York, and Washington and DC, and the situation was always the same.
Another security issue noticed by the researcher Cesar Cerrudo is related to the possibility to alter the firmware running on the sensors. The code is not not digitally signed and is not protected by any security mechanism, this circumstance led the experts to think that a threat actor could access the firmware and modify it to alter the configuration and the behavior of the devices.
An attacker for example, could hack the sensor in order to provide fake data or just to transmit data on a different radio channel. In both cases, as highlighted by Cerrudo, it would be very hard to detect a potential attack and identify the compromised sensor.
The attacks explained by Cesar Cerrudo could cause serious problems to the tragic flaw, an attacker could manipulate the transition times of traffic lights creating traffic jams and other problems, and such attacks are quite impossible to discover in a short time.
"These traffic problems could cause real accidents, even deadly ones by cars crashing or by blocking ambulances, fire fighters, or police cars going for an emergency call," said Cerrudo.
The hacking tools
The Researcher Cesar Cerrudo explained that is not necessary an expensive instrumentation to hack control traffic light systems, he explained that an attacker could use a small specialized equipment to do it. To build a lab for his tests the researchers purchased an access point from Sensys Networks at a cost of about $4,000.
Of course, such kind of access points isn't available to the public and the researchers have obtained it for testing purposes by telling the vendor he was evaluating it for one of his clients.
"There's a huge volume impact here,""The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less)."said Cerrudo.
The access point acquired by the researcher is compatible with all the sensors used by the Sensys to monitor the streets worldwide. The access point intercepts data sent by sensors, for this reason he placed it in a backpack or on his car dashboard during the experiments conducted in the streets of different cities, including Seattle, New York, and Washington, DC.
Figure 5 - Sensyn Access Point
Anyway, an attacker could intercept data anyway without the Sensys access point, he could simply intercept exchanged data using a wireless transceiver, but this process is more complex without the knowledge of the proprietary protocol used. A threat actor having the knowledge of the protocol could capture the data sent by the sensors to the access points, which includes configuration information about the devices such as the unique ID of the sensors.
"Without the access point and software, you can sniff the wireless data, but it will be difficult to understand what everything means," "You need the access point to learn how the system works, but after you learn, then you don't need anymore the access point because you can build your own device." said Cerrudo.
As explained by the researcher, a sensible improvement of the overall security of networks of traffic light systems could be obtained by encrypting the communications between sensors and the access points. As described in the study, an attacker could also intentionally modify the firmware of the sensors or their configuration data, for this reason another suggestion provided by Cerrudo is to prevent unauthorized users from accessing the firmware.
Cerrudo reported the security flaw to ICS-CERT division in July and according to the researcher, he was told that lack of encryption for communication was not a flaw but a design choice requested by Municipal entities to the company Sensys Networks.
"The option for encrypting the over-the-air information was removed early in the product's life cycle based on customer feedback," "There was nothing broken on the system as we did not intend the over-the-air information to be protected." explained an unknown Sensys employee to ICS-CERT.
Sensys also added that firmware updates for the sensors are now encrypted with AES, the measure has been implemented to avoid reverse engineering of the their source code and discover which flaw they fix, an information that could help attacker to build specific exploits.
Cerrudo anyway observed that firmware updates are only encrypted for new versions of the sensors, devices already deployed in the streets are not able to update firmware with encrypted updates. This means that old version of sensors have to be disinterred from roadways and replaced with new ones that support encrypted updates.
"[W]hile there may be a need for code signing/encryption of firmware for older models of the in-ground sensor, newer versions of the hardware have this capability but older versions cannot be updated without replacement (e.g. digging up the roadbed)," ICS-CERT wrote to Cerrudo.
"If you can provide details of a vulnerability being exploited in this or the other products, ICS-CERT will revisit the issue at that time," said Matthew Kress-Weitenhagen, a vulnerability coordinator for ICS-CERT.
According to Cesar Cerrudo, the position of ICS-CERT on the flaw reported is disconcerting, the CERT in fact accepted the declaration of Sensys Networks company that doesn't consider the security issues as flaws because the systems weren't accessible via the internet.
The justifications, Cerrudo says, "are mostly nonsense. It's like the guys at ICS-CERT don't understand and buy what the vendor says. But I clearly told CERT that there is no encryption and no authentication and that anyone can take over the sensors.
"[It's] funny how they get all this information affecting national infrastructure and it ends up without solution," he says.
Privacy issue
Networks of traffic light systems aren't used only to regulate traffic flow, the sensors can be also used to count vehicles in a specific area of the city or to track the movement of vehicles by detecting the same vehicle with different sensors located in different positions in a metropolitan area. This data could allow bad actors or governments to track specific vehicles violating the users' privacy.
According to the information disclosed by the Sensys company it has deployed more than 1,300 wireless sensors in Washington, DC to collect data on traffic speed, vehicle count, and occupancy to "optimize real-time congestion management and emergency response. But the city is the place where lives the President of the US, for this reason it is to speculate that such systems could be improved to be integrated in a surveillance system which includes also data from cameras located in the city and any other information from different sources related to the local population.
For this reason, I think we must be aware that such system could represent a serious threat for privacy and security in case of cyber attacks.
An academic point of view
Hacking Traffic light systems is an argument even more discussed by security experts that is becoming very popular also within common people thanks to the movie industry.
A study conducted by security researchers at the University of Michigan, led by computer scientist J. Alex Halderman, has refuted the findings from cesar Cerrudo. According the ream of researchers it is very easy to hack traffic light systems.
The team of experts explained how bad actors without any particular knowledge could hit traffic light networks, also in this case it is sufficient a laptop and a specific radio system.
Figure 6 - Traffic interception scheme
As shown in the above image a modern traffic interception is composed of the following components:
- Sensors to detect cars and inspect the infrastructure.
- Controllers to receive data from sensors and control light states, according different politics, for example, in a totaly automated fashion based on information provided real time by sensors.
- Communication channels, which could be hard-wired through optical or electric means or wireless.
-
Malfuction Management Unit, which manages potential conflicts through hardware-level safetyMechanisms, practically it ensures that lights are always in a valid state.
The researchers published a paper which describes the experiments conducted, the techniques implemented to exploit security vulnerabilities in traffic light systems and the indings.
In particular, in a live test the experts very easily and very quickly gained the control of the system of at least 100 traffic signals, in an unnamed city in the Michigan, from a single point of access, a local road agency.
‟We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leverage these flaws to create attacks, which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,"
"The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness," states the paper.
The experts identified three major weaknesses in the national traffic systems, which potentially allow anyone to hack the traffic light networks:
- Unencrypted radio signals.
- Devices on the network lack secure authentication.
- The traffic controller is vulnerable to known exploits.
As explained by the experts the use of wireless radio transmissions (a combination of 5.8GHz and 900MHz radio signals) is very common for traffic light systems, this choice allows to reduce the costs of installation and maintenance of the networks.
The 900MHz links used in the traffic light systems implement "a proprietary protocol with frequency hopping spread-spectrum (FHSS)," but the 5.8GHz version of the proprietary protocol is similar to 802.11n.
"The proprietary protocol is similar to 802.11 and broadcasts an SSID which is visible from standard laptops and smartphones but cannot be connected to. In order to properly connect, a slave radio must use the proper protocol and know the network SSID. The wireless connections are unencrypted and the radios use factory default usernames and passwords. The configuration software for these radios accepts customized credentials but assumes that the same username and password are used across all
radios on the network." states the paper.
Anyone with a laptop and a radio system operating on the same frequency as the networked traffic light (5.8 GHz) could access the network because the communication isn't encrypted.
The researchers demonstrated to be able to infiltrate the networks of control traffic light systems, once gained the access they were able to communicate with controllers that run VxWorks 5.5 version. This version unfortunately by default has a debug port using for for testing, and researchers exploited it.
"By sniffing packets sent between the controller and this program, we discovered that communication with the controller is not encrypted, requires no authentication, and is replayable. Using this information, we were then able to reverse engineer parts of the communication structure," the paper reads.
Once again, an unprotected communication allowed the researchers to reverse engineer the protocol used in the communication, once controlled the debug port the experts were able to send commands to control lights or alter the timing of neighboring intersections.
"Various command packets only differ in the last byte, allowing an attacker to easily determine remaining commands once one has been discovered. We created a program that allows a user to activate any button on the controller and then displays the results to the user. We also created a library of commands which enable scriptable attacks. We tested this code in the field and were able to access the controller remotely."
The researchers also demonstrated that a bad actor, once infiltrated the network, could perform a wide range of attacks, including:
- Denial-of-service (DoS) attack on controlled intersections that could cause a traffic jam. As explained by the researchers the attackers could set the all lights to red or trigger the MMU to take over by attempting an unsafe configuration, this last case is serious because need a physical intervention of personnel to restore a normal situation.
- Traffic Congestion manipulating timings of an intersection relative to its neighbors with repercussion for the entire traffic infrastructure. Such attacks have a significant financial impact on the community targeted as demonsstrated by numerous studies.
- Light control for personal gain, as explained by researchers "lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response."
Conclusions
The studies presented in this post demonstrate that traffic control systems are vulnerable to cyber attacks, fortunately improving security of the components of a traffic light control system and of the internal connection is possible to prevent major incidents. We have seen that an attacker can run a denial of service attack or cause a traffic jam as diversive measure in a more sophisticated attack.
As remarked by all the actors involved in such interesting studies, the principal problem is the lack of security awareness of the cyber threat, the experts highlighted that traffic controller vendors haven't managed properly the vulnerability disclosure by the security community. The companies just ensure the compliance to actual industry standards, which don't consider properly the security issues.
Next generation of control traffic systems must be built with security by design, and fortunatelly governments are understanding the critic of such environments and the risks of major attacks.
The researchers suggest manufacturers and operators to improve the security of traffic light systems adopting encrypted communications between components of the infrastructure, digitally signing the firmware running on each component to avoid software modifications, and not using default credentials.
Let me close with a reflection, Traffic Light systems are just a sample of the larger family of IoT (Internet of Things), many other devices we daily use have similar vulnerabilities threat actors are increasing targeted them.
What should you learn next?