It has long been a dream of drivers the world over to make traffic lights instantly flip from red to green with the push of a button. A study published this month by computer scientists at the University of Michigan found that not only is hacking traffic signals to do your bidding possible, but it’s actually shockingly easy.
First getting permission from local authorities, the researchers used little more than wireless-enabled laptops to remotely hack into the network controlling the traffic lights in an unnamed Michigan city. ‟Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” the paper’s authors explained.
When automatic traffic signals were first rolled out in the United States in the late 1800s, they operated mechanically as stand-alone units. However, as time wore on and technology advanced, most traffic signals evolved into computers, often connected to a larger network of other traffic lights through wireless technology and running through a central server. While these advances allow traffic signals to coordinate with each other more efficiently, it also opens those systems up to attack by hackers who no longer need to open up the physical devices in order to change their behavior.
Using computers that could communicate at the same frequency as the traffic signals, the team was able to intercept communications on the network and execute fraudulent commands across the entire system.
The researchers found that the system wasn’t particularly secure. Not only were the wireless communications between the traffic signals and the central server being sent unencrypted, but the passwords on the devices were set to their factory defaults—meaning anyone able to download a copy of the user’s manual off the Internet could crack them by simply turning to the right page.
‟The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice,” the study noted, ‟but rather show a systemic lack of security consciousness.”
The study posits that hackers could mount a whole range of attacks on traffic light systems. The authors speculate about denial of service attacks that could stop all lights from operating normally; traffic congestion attacks that subtly throw off the timing a light relative to its neighbors as to increase congestion without a high risk of detection; and light control attacks, where someone could ensure he or she only hits green lights wherever they happen to be driving.
The authors added that, even though traffic light systems around the country differ in their specific implementations, they don’t believe that others are necessarily significantly more secure than the one they were able to easily hack into. Vox notes that an estimated 62 percent of traffic lights in the United States are networked in a similar manner.
This study isn’t the first time someone has addressed insecurity of of traffic lights. Earlier this year, an Argentinian security researcher with IoActive presented similar discussion at at cybersecurity conference in Florida showing how someone could build a device for hacking traffic lights for under $100.
Additionally, at least one enterprising hacker has produced a step-by-step guide for building your own specialized controller for hacking traffic lights from the comfort of your own home.
The authors of the University of Michigan study charge that the problem of paying insufficient attention to cybersecurity concerns is endemic across the entire traffic signal industry. They conclude:
A clear example can be seen in the response of the traffic controller vendor to our vulnerability disclosure. It stated that the company, “has followed the accepted industry standard and it is that standard which does not include security.” The industry as a whole needs to understand the importance of security, and the standards it follows should be updated to reflect this. Security must be engineered into these devices from the start rather than bolted on later. Until these systems are designed with security as a priority, the security of the entire traffic infrastructure will remain at serious risk.