How a hacker could cause chaos on city streets

Traffic is chaotic enough in major cities, but imagine how much worse it would be if a criminal hacker got control of the traffic lights.

That Hollywood scenario is what researchers at the University of Michigan proved could happen given the security flaws in today's traffic infrastructure.

In a paper released this month, the researchers described how they were able to commandeer roughly 100 lights in an unnamed Michigan town. The study was done in cooperation with local authorities.

"Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage," the research said.

As hacking goes, the task of breaking into the traffic system wasn't difficult.

The first step is to buy the same radio found in a separate box or on one of the traffic lights at an intersection. Oftentimes, the manufacturer's name is on an external label at the radio's location.

The radio receives instructions from a city control room and passes them on to a controller that operates the lights. Each intersection has a radio and a controller, and all the radios are capable of passing instructions to each other.

For example, if traffic control officials want to time green lights on a particular road to keep traffic flowing during certain times of the day, they can do that by sending the instructions to one radio, which will pass them along to the others on the street.

Like many cities, the one where the research took place communicated with traffic lights wirelessly. By purchasing the same radio used by the city, the researchers were sure to use the same communications protocol.

In this case, it was NTCIP 1202, which is often used for radio-to-controller communications.

Manufacturers of traffic-light radios are supposed to sell these products only to governments, but "there's been a lot of literature on how easy it is to social engineer these people into selling you a radio," Branden Ghena, a doctoral student and co-author of the report, said.

Once the researchers had the radio and plugged it into a laptop, controlling the traffic lights was easy, because getting on the network did not require a password and the communications between radios and controllers were unencrypted.

The researchers blame the latter problem on the standards body that sets the NTCIP, which stands for the National Transportation Communications for Intelligent Transportation System (ITS) Protocol.

The NTCIP is a joint standard set by the National Electronics Manufacturers Association (NEMA), the American Association of State Highway and Transportation Officials (AASHTO), and the Institute of Transportation Engineers (ITE).

"The standards that define how you communicate with the traffic controller really don't go the distance in providing the security and access controls for these systems," Ghena said.

Once in the network, an attacker would not be able to switch lights to red, green and yellow at will. A safety feature called a malfunction management unit, required in all controllers, is hardcoded to know all the safe patterns for traffic lights.

Trying an unsafe configuration would automatically send the light to blinking red. Therefore, a hacker would be limited to changing lights to red.
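A simplified model of the conflict check described above, added here as an illustration and not code from the researchers or any vendor. The two-approach intersection, the colour names and the fault that latches until a manual reset are assumptions of the model.

```python
from dataclasses import dataclass, field

# Constructed example intersection: two approaches that must never be
# green (or yellow) at the same time. Real units are configured per site.
APPROACHES = ("north_south", "east_west")
CONFLICTS = {frozenset(("north_south", "east_west"))}
PERMISSIVE = {"green", "yellow"}          # colours that let traffic move
FLASH_RED = {a: "flash_red" for a in APPROACHES}


def is_safe(state: dict) -> bool:
    """True if no two conflicting approaches are permissive at once."""
    if set(state) != set(APPROACHES):
        return False                       # missing or unknown approach: fail safe
    if any(c not in PERMISSIVE | {"red"} for c in state.values()):
        return False                       # unknown colour: fail safe
    moving = {a for a, c in state.items() if c in PERMISSIVE}
    return not any(pair <= moving for pair in CONFLICTS)


@dataclass
class ConflictMonitor:
    """Sits between controller output and the lamps; overrides unsafe output."""
    faulted: bool = False
    log: list = field(default_factory=list)

    def apply(self, requested: dict) -> dict:
        if self.faulted:                   # assumption: the fault latches
            return dict(FLASH_RED)
        if not is_safe(requested):
            self.faulted = True
            self.log.append(("conflict", dict(requested)))
            return dict(FLASH_RED)
        return dict(requested)

    def manual_reset(self) -> None:
        """Stands in for a technician resetting the unit on site."""
        self.faulted = False
```

An all-red request passes `is_safe`, which is why the monitor limits the impact of an unauthenticated command without removing it.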

Nevertheless, a city filled with red lights would cause major traffic jams and chaos on the streets. To fix the mess, city workers would have to go to each intersection to reset the lights.

"The cost would be real in terms of man hours and money, but it wouldn't be as dangerous as a four-way green light would be," Ghena said.

Whether other towns and cities would be susceptible to the same attack would depend on their individual security mechanisms.

"There's lots of little simple things you can do to improve your security," Ghena said. "But to really fix the problem involves the standards organizations and the vendors getting together and really trying to make sure their systems are designed with security in mind."


Stories by Antone Gonsalves
