SIM Card Carrying Traffic Lights

Apparently some of the traffic lights in Johannesburg, South Africa have SIM cards in them to help maintain the network without a physical connection. Now that’s some and not all, but apparently thieves have learned that the SIMs can be used in cell phones to make anonymous and unlimited calls. Officials are convinced that the thieves have inside information because they only crack open the lights that DO contain a card.

We’re white hats here at Hackaday and certainly don’t want to give out information that aids criminals. But since this is already a huge problem we have an idea of how thieves might be identifying which lights to rob. Sure, they probably do have inside information, but wouldn’t it be fairly simple to track down which lights use cellular communication by using a homemade spectrum analyzer? We guess it would depend on how often the lights send out communication bursts. Does anyone have insight on this? Leave your thoughts in the comments.

[Thanks Bob]

47 thoughts on “SIM Card Carrying Traffic Lights”

  1. If they want to keep track of which light is on which state, it would be almost every minute. That would rack up a lot so I am assuming that they are only polling the lights every so often.

  2. From what I was reading last week about this, I think the SIM cards are only used to send data as to whether the light has faults or not. Presumably this is only then once a day or something, perhaps only when the light has a fault.

  3. SIM cards can be provisioned with voice, data, or SMS service. There’s no reason for SIMs in these devices to have anything other than minimal data or SMS plans. Seems this problem could easily be resolved by the cellular provider.

  4. The traffic signal controllers don’t contain the SIM cards directly, instead they connect via RS-232 to some form of GSM/CDMA-enabled Serial-over-IP device (One such product is the Metretek Invisconnect). These are used to talk to remote serial devices all over the place, including vending machines (newer Coke machines can phone in problems/stock), electronic message boards on the highways, and traffic controllers. In these cases, the devices are usually dial-on-demand, or in rare cases, set to phone in once every few hours.

    Outside of RS-232 adapters, MANY devices use embedded cellular modems, including modern alarm systems, RedBox movie rentals, and arcade machines (Golden Tee, or anything with national leaderboards).

    Embedded cellular devices are far from uncommon, which really makes it look like an inside job, since they are only targeting traffic cabinets.

  5. Even without sending or receiving data, if the device is in contact with the cell I think it will transmit every so often. A cheap radio with antenna held near would work, although camping out under a light with an antenna would be suspicious.

  6. How do they know they aren’t breaking into all of them and not just putting back together the SIMless lights?

    Would one of the GSM interceptor projects be able to get these to connect to it and then be able to increase traffic making triangulation easier?

  7. Well, I’m not sure about how to tell which light is what, but it seems like a pretty easy fix on the telco’s part. Just create a whitelist with only the support numbers allowed for those SIM cards.

  8. >>It’s probably incredibly obvious if you look at one that does not and one that does.

    Then that would be pretty boneheaded of the officials that are “convinced they have inside information” based on which ones are broken into…

  9. Couldn’t they use a low tech hack? Something like an AM radio and a stick, put the radio on the end of the stick, wait a while, and if it gets the GSM interference (217hz) it probably has a SIM inside.

  10. According to this article http://bit.ly/fAnzKY , it seems that both look the same, so the antenna could be a printed circuit or a wire hidden inside the box just like the ones we have in our phones. Also the article talks about traffic jams caused after the system failed, so they could have been used for more than just reporting failures and they will need to communicate information more frequently. So a spectrum analyzer with some patience will work, but inside information is way easier, knowing that some of them got stolen again after they were fixed!

  11. That picture… those are more likely speakers. As the antenna is contained within the cabinet.

    The cabinet looks something like this:
    http://www.ustraffic.net/images/astccabinet-med.png
    (more likely in a gray color)
    And the antenna looks more like this:
    http://www.gsm-modem.de/image/antenna_gsm-GPS.jpg
    Only the black part is mounted on the outside.

    So identifying the right lights is easy, just check the outside of the cabinets. Black cap on it? Most likely GSM enabled.

    I work in this field, so I kinda know what I’m talking about. The stupid part is in the SIMs, it’s we only use SIMs that cannot be used for calling. And are locked down to a different network. If you steal them they are useless.
    Also, our traffic lights trigger silent alarms when you open them.

  12. One thing that everyone is missing is that there are some with GSM(?) modems inside but use a soldered on sim card and the only ones being broken open are the ones with discrete socketed cards.

    Don’t remember where I read this, I’ll see if I can find it.

  13. @fartface Uhm… cellphones these days carry their antennas inside. I’d say that an external antenna would just increase the cost of the solution (well it’s the government, you never know).

    What I think is that they should stick them with epoxy or some type of glue, such that trying to pull them out renders them useless.

    Now, if they use the SIMs to report fails with the regular phone lines, I also assume they can also implement a mechanism to report through the phone line about cellular failure. I’d also say to use cameras, but they would probably vandalize them or steal the hardware too.

  14. I’m from South Africa, and I can honestly say that it’s definitely not a hack, they’re just not clever enough to do that sort of thing. Most likely it’s a syndicate that got the information from the people who install these lights. That’s normally what happens here: info gets leaked, they get paid a bribe, simple as that, nothing special.

  15. The real question should be …why are they using sim cards that will allow UNLIMITED and ANONYMOUS calls? The use of the cellular tech I have no issues with..but not having security protocols in place is dangerous in any case.

    1. make the sim cards limited. Reduces value to crooks. if these are just for reporting fault conditions a very limited number(10-20 per month?) of SMS texts should do the trick. NO phone minutes.
    2. make the sim cards traceable in some manner. Not that familiar with the tech, but there has to be some way….
    3. harden the TRANSMITTER CASING to make it harder for crooks to steal said sim cards….not a perfect solution as someone will get a hold of the proper tools or find a way to circumvent it eventually. Adds cost(or does it prevent cost…hmmm)., but physical solutions are often the best.
    4. create a system to send an alert in case of tampering. A few false positives may happen, but that’s life.

    Nothing earth shattering, just simple common sense steps. Don’t depend on any one as a magic bullet. Use them all to reinforce each other.

    Just my 2 bits.

  16. Pretty bone-headed of them to not only allow communications in the way that this method requires. If it sends status information via SMS to a certain number, the account should be locked to only sending SMS’s to a specific number.

  17. If they stick the traffic light controllers in the big all metal NEMA boxes like they do in my area, then they most certainly would have an external antenna. It may just be that the officials are too boneheaded to notice the difference between a cellular unit and a non-cellular.

  18. I’ll expand on FaSMaB’s post to say that in SA, while there’s the local expertise to go the technical route, the pervasive poverty encourages the social engineering approach. The economics of poverty also suggests that *even if* the sim cards were configured for minimal services, they’d still be considered worth stealing.

  19. “Each of those lights costs over $3,000 U.S. to repair”

    How the hell can each light cost $3,000 to repair? A new one shouldn’t cost that much. Even if the thieves were uneducated slobs that just tore everything apart it shouldn’t cost nearly that much or be much more difficult than slapping a new SIM in there.

  20. “How the hell can each light cost $3,000 to repair? A new one shouldn’t cost that much. Even if the thieves were uneducated slobs that just tore everything apart it shouldn’t cost nearly that much or be much more difficult than slapping a new SIM in there.”

    You clearly have no concept of how contracting with a government entity works.

    Also if they destroy the unit how would a new sim fix it??

  21. What gets me is that it’s a simple point-and-click in the m2m cellular provider interface. Limit data to say, 3mb per month and if you get an overage alert that SIM is suspect. Least that’s how it works on this side of the water.

    Part 2 is, why can’t they poll the light and kill the sim if they don’t get correct responses?

  22. I use these devices professionally as well, and our SIM cards will not make phone calls. They have data plans limited to 2, 5, 10 or 50 MB. We use Sierra Wireless Raven XT products, a small aluminum enclosed board that communicates RS-232 to TCP/IP protocol – that is, they don’t make phone calls to transmit the data. They can have a small plastic “rubber ducky” antenna if they’re internal to a plastic enclosure and have good reception, otherwise I can also use a yagi or external mag-mount omni antenna with better gain.

    I think it’s reckless that they used SIMs that would allow more features than necessary, but probably they have some kind of “pool” deal for all of their cellular equipment, including cell phones and data modems. My company has separate pool deals for data modems and cellular phones, for this reason probably.

  23. @Jtaylor @wigwam GSM allows “local networks” at special prices. For example a company could set a local network for its employees. The employees are allowed to communicate with each other, but the other functions are limited or not available at all.
    Under GSM a call is anonymous as much as the provider allows it. GSM calls are traceable up to some extent. The problem occurs if there are too many untagged SIMs, or SIMs with the same ID, too many bleeps on the screen…

    As FaSMaB said it must be a criminal syndication or corruption at work. At $3,000 per unit (overpriced) and unlimited anonymous SIM inside (why), there is a lot of money to go around.

  24. I’m guessing the boxes have to transmit once in a while to say that they are still working. A non-responding light might also indicate a problem and might show up more often than a specific error. I like dan fruzzetti’s idea of placing a speaker by it and waiting for a chirp.

  25. So, I made this collection of info based off of some of the comments posted below the article… If you are lucky enough to be reading all these comments, and you must have been intrigued by the article, no?

    Basically, to perform this “hack/thief” all you need to do is:

    A: Observe your local intersections, and look for both visual signs, and wireless spectrum signs of GSM signal communication in the area.

    Visual signs:

    Black or Grey block(antenna box) fixed to the controller box(Cabinet)
    (Cabinet)
    http://www.ustraffic.net/images/astccabinet-med.png (can be Grey, Green, Tan, Beige)
    (Antenna Box)
    http://www.gsm-modem.de/image/antenna_gsm-GPS.jpg
    Only the black part is mounted on the outside.
    !!!ANTENNA CAN BE INTERNAL!!!
    Nokia sticker on Cabinet

    Wireless Spectrum signals:
    USING OLD BOOMBOX(no clue if legit), or SPECTRUM ANALYZER
    http://hackaday.com/2010/03/17/im-me-spectrum-analyzer/

    BOS-Funk (“public safety communication systems”)
    RS-232 to some form of GSM/CDMA-enabled Serial-over-IP
    GSM interference (217hz)

    !!!!!WARNING UPON OPENING THE CABINETS/LIGHTS!!!!!!
    Traffic lights/cabinets trigger silent alarms when you open them.

    KEYWORDS I USED:
    (Google is your friend here)
    RS-232 to some form of GSM/CDMA-enabled Serial-over-IP
    Metretek Invisconnect
    embedded cellular modems
    lights that have an antenna
    Black or Grey block fixed to the controller box
    GSM interference (217hz)
    BOS-Funk (“public safety communication systems”)
    the antenna is contained within the cabinet
    traffic lights trigger silent alarms when you open them.
    Sierra Wireless Raven XT

    Once GSM SIMs have been obtained they probably will only work for DATA(does not mean phone calls won’t work, if you’re smart) They also only have a limited amount of data that can be used before they are depleted.(That’s what the South African hit-men are using as burners which are only good for like A SINGLE PHONE CALL/TEXT)

    THEY ARE ANONYMOUS(kinda…GSM can be traced but, fuck it, it’s one phone call, then phone thrown in a garbage truck…)

    How to enable phone calls if you can only use data, use VOIP. I am not disclosing which VOIP to use but, suggesting something w/ extremely low bandwidth usage, and ability to be SSH tunneled, also suggesting encrypting text communication w/ Elite-ANONYMOUS SOCK5 proxy-chain, SUPER-SSH, and *encryption scheme here*package encryption.
    This all made in a few delicious copypastas….

  26. I just thought I’d mention that almost all of the comments given thus far deal specifically with the device in question. Which is fine because that’s the main point of the question, and this is after all, hackaday. However, no one is really making note that we are talking about Johannesburg, South Africa here. This isn’t across the street from the Nokia Headquarters in Tokyo, or by an engineering plaza in Munich. Johannesburg is photographed very well in Google Street View, have a look for yourself. The traffic lights do not look like the one in the photo. In a square in the main downtown part of Johannesburg a lot of the traffic lights have a ‘black bubble’ looking thing that sticks off of them at a 45degree arch. Other traffic lights don’t seem to have them.

    Surely there is a method to the madness of which ones have and which ones do not have. Surely if the ‘thieves’ found one that had a S.I.M. card they could logically reason that within a radius of ‘x’ the other traffic lights should have them too.

    Also, again, do you have any idea how much corruption and shoddy jobs happen within South Africa. They are not getting ‘traffic light technology’ from the top engineering firms in the world. No. Who knows where the technology came from and who exactly is putting this whole operation together. Maybe whoever was hired to put them in marked them for their own purposes. Maybe there’s a little mark on the devices which have them and which do not.

    Anyhow, I think this particular question has more to do with South Africa (Johannesburg), and how they actually ‘installed’ the devices; and less to do with the technology in and of itself. I’m sure if any three of the readers above were to actually walk around Johannesburg, in six minutes they would be able to say “Oh. Wow. Yeah, I’ve figured it out now. That’s so obvious.”

    -James.

  27. In South Africa we call them Robots (nobody is sure why… but that’s just the way it is).

    The ones containing SIM cards are simply located in rural areas where there are no Telkom phone lines.

  28. I live in Johannesburg and I’ve got a set of these traffic lights outside my apartment block. The system was installed to notify a central operations centre built and managed by the city Municipality. The system is passive and intended to dial through to the control room when a problem is detected in the normal operation of the traffic lights. An SMS message is sent with location, time, a fault code, current status, etc. This system was installed to ease traffic congestion, improve safety and improve repair turnaround times. The problem is that the Johannesburg Municipality has degraded to the point of dysfunction. There are no trained staff to repair these traffic lights, no working vehicles to get them there and even then, the national electricity generating authority (Eskom) cannot provide capacity to reliably operate the traffic lights were they to be fixed.
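
The provider-side controls several commenters propose (no voice service, SMS only to a whitelisted number, a monthly data cap with overage alerts, and polling the controller) can be combined into one check over per-SIM usage records. This is an added example, not part of the original post or any comment; the record format, SIM ids, phone numbers and the missed-poll threshold are constructed assumptions.

```python
from dataclasses import dataclass

# The 3 MB cap comes from comment 21; the phone number, SIM ids and the
# missed-poll threshold are constructed placeholders/assumptions.
DATA_CAP_BYTES = 3 * 1024 * 1024
ALLOWED_SMS_DEST = {"+27000000001"}  # constructed control-room number
MAX_MISSED_POLLS = 3                 # assumption

@dataclass
class UsageEvent:
    sim_id: str
    kind: str         # "voice", "sms", "data" or "poll"
    dest: str = ""    # number called or texted
    nbytes: int = 0   # payload size for "data" events
    ok: bool = True   # for "poll": did the controller answer correctly?

def suspect_sims(events):
    """Return {sim_id: sorted reasons} for SIMs whose usage breaks policy."""
    data_used, missed, reasons = {}, {}, {}

    def flag(sim_id, reason):
        reasons.setdefault(sim_id, set()).add(reason)

    for e in events:
        if e.kind == "voice":
            flag(e.sim_id, "voice call on SMS/data-only SIM")
        elif e.kind == "sms" and e.dest not in ALLOWED_SMS_DEST:
            flag(e.sim_id, "SMS to non-whitelisted number")
        elif e.kind == "data":
            data_used[e.sim_id] = data_used.get(e.sim_id, 0) + e.nbytes
            if data_used[e.sim_id] > DATA_CAP_BYTES:
                flag(e.sim_id, "monthly data cap exceeded")
        elif e.kind == "poll":
            # Consecutive misses only: a good answer resets the counter.
            missed[e.sim_id] = 0 if e.ok else missed.get(e.sim_id, 0) + 1
            if missed[e.sim_id] >= MAX_MISSED_POLLS:
                flag(e.sim_id, "controller stopped answering polls")
    return {sim: sorted(r) for sim, r in reasons.items()}

# Constructed sample records for four SIMs.
SAMPLE_EVENTS = [
    UsageEvent("sim-A", "sms", dest="+27000000001"),
    UsageEvent("sim-A", "poll", ok=True),
    UsageEvent("sim-B", "voice", dest="+27000000099"),
    UsageEvent("sim-B", "sms", dest="+27000000099"),
    UsageEvent("sim-C", "data", nbytes=2 * 1024 * 1024),
    UsageEvent("sim-C", "data", nbytes=2 * 1024 * 1024),
] + [UsageEvent("sim-D", "poll", ok=False)] * 3
```

Any SIM returned by `suspect_sims(SAMPLE_EVENTS)` is a candidate for suspension at the provider; a SIM whose traffic stays inside the policy does not appear in the result.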
