We’ve all thought about it while sitting at a red light: “How great would it be to have a machine that turned all my lights to green?”
Well, apparently traffic light systems in several major U.S. cities can actually be manipulated rather easily, but the result is less appealing than you might think. In fact, it has the potential to cause life-threatening chaos on important emergency evacuation routes along major traffic arteries.
One researcher who tested this vulnerability is so sure it has the potential to cause major problems that he wrote a letter to the Department of Homeland Security.
Cesar Cerrudo, an Argentinian security researcher with IOActive, examined the vulnerable controllers – Sensys Networks VDS240 wireless vehicle detection systems – that are installed in 40 U.S. cities, including San Francisco, Los Angeles, New York City, Washington, DC, as well as in nine other countries, according to Wired.
The hack Cerrudo highlighted doesn’t target traffic lights directly; it manipulates the sensors embedded in streets that feed data to traffic control systems.
Magnetic sensors embedded in roadways wirelessly feed data about traffic flow to nearby access points and repeaters, which in turn pass the information to traffic signal controllers.
According to Wired:
The sensors use a proprietary protocol designed by the vendor — called the Sensys NanoPower Protocol — that operates similar to Zigbee. But the systems lack basic security protections — such as data encryption and authentication — allowing the data to be monitored, or, theoretically, replaced with false information.
Although an attacker can’t control traffic signals directly through the sensors, he might be able to trick control systems into thinking that congested roadways are clear or that open roadways are packed with cars, causing traffic signals to respond accordingly, says Cerrudo.
Cerrudo notified the Department of Homeland Security in a letter, advising that the channels used by the wireless traffic system can be intercepted and skewed.
“By sniffing 802.15.4 wireless traffic on channels used by Sensys Networks devices,” Cerrudo wrote, “it was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices.”
And hackers don’t need to be physically near the unit to achieve the feat. Simple wireless transmitters can intercept data from nearly 150 feet away, and that range could be easily extended to 1,500 feet using a powerful antenna, making it possible for someone to alter the data from a nearby rooftop or even from a drone flying overhead — which Cerrudo tested.
The researcher used a drone to send fake signals to a Sensys access point he owns. He sent data from 600 feet in the air, but thinks with a stronger antenna he could achieve the same effect from a mile or more away — as long as he had line of sight to the unit.
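The missing protection described above is message authentication. The sketch below is an added example, not code from Sensys Networks or from Cerrudo's research, and shows how an access point could reject forged and replayed sensor reports using a per-sensor key and a message counter. The frame layout, field names and key handling are assumptions made for illustration, and the example adds authentication only, not encryption.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not the vendor's format):
# sensor_id (4 bytes) | counter (4 bytes) | detected (1 byte) | tag (8 bytes)
HEADER = struct.Struct(">IIB")
TAG_LEN = 8  # truncated HMAC-SHA256, sized for small low-power frames


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def seal(key, sensor_id, counter, detected):
    """Sensor side: build a report and append its authentication tag."""
    body = HEADER.pack(sensor_id, counter, int(detected))
    return body + _tag(key, body)


class AccessPoint:
    """Receiver side: accept only authentic, fresh reports."""

    def __init__(self, keys):
        self.keys = keys              # sensor_id -> per-sensor secret key
        self.last_counter = {}        # sensor_id -> highest counter accepted

    def accept(self, frame):
        """Return (sensor_id, detected) for a valid frame, else None."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None               # malformed length
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        sensor_id, counter, detected = HEADER.unpack(body)
        key = self.keys.get(sensor_id)
        if key is None:
            return None               # unknown sensor
        if not hmac.compare_digest(tag, _tag(key, body)):
            return None               # forged or modified in transit
        if counter <= self.last_counter.get(sensor_id, -1):
            return None               # replay of an earlier report
        self.last_counter[sensor_id] = counter
        return sensor_id, bool(detected)


if __name__ == "__main__":
    key = bytes(range(32))            # constructed sample key
    ap = AccessPoint({0x1A2B: key})
    real = seal(key, 0x1A2B, 1, True)
    print(ap.accept(real))                              # genuine report
    print(ap.accept(real))                              # replayed copy
    print(ap.accept(seal(b"guess", 0x1A2B, 2, False)))  # sender lacks the key
```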
Follow Elizabeth Kreft (@elizabethakreft) on Twitter.