Green Light Your Commute with America’s Unsecured Traffic Lights

Green Lights Forever

Remember that episode of Leverage (season 5, episode 3), where Alec uses Marvin to wirelessly change all the street lights green so they can catch up to an SUV? And you scoffed and said “that’s so not real!”… well, actually they got it right. A new study out of the University of Michigan (PDF warning) shows just how easy it is to make your morning commute green lights all the way.

The study points out that a large portion of traffic lights in the United States communicate with each other wirelessly over the 900 MHz and 5.8 GHz ISM bands with absolutely no encryption. In order to connect to the 5.8 GHz traffic signals, you simply need the SSID (which is set to broadcast) and the proper protocol. In the study the researchers used a wireless card that is not available to the public, but they do point out that with a bit of social engineering you could probably get one. Another route is the HackRF SDR, which could be used to both sniff and transmit the required protocol. Once connected to the network, you will need the default username and password, which can be found on the traffic light manufacturer’s website. To gain access to the 900 MHz networks you need all of the above and a 16-bit slave ID. This can be brute-forced, and as the study shows, no ID was greater than 100. Now you have full access, not to just one traffic signal, but EVERY signal connected to the network.

Once on the network you have two options. The first is the completely open debug port in the VxWorks OS, which allows you to read, modify, and write any memory register. The second is sending a UDP packet where the last byte encodes the button pressed on the controller’s keypad. Using the remote keypad you can freeze the current intersection state, modify the signal timing, or change the state of any light. However, the hardware Malfunction Management Unit (MMU) will still detect any illegal states (conflicting green or yellow lights) and take over with the familiar 4-way red flashing. Since a technician will have to come out and manually reset the traffic signal to recover from an illegal state, you could turn every intersection on the network into a 4-way stop.
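The MMU is the safety backstop the paragraph above leans on: it cannot stop someone who is already on the network from changing timing, but it guarantees that a conflicting green/yellow combination ends in latched 4-way flash rather than a collision, which is exactly why the residual risk is a network-wide denial of service. The model below is an added example written for this post, not code from the article or from the University of Michigan paper. The movement names, the permissive (non-conflict) table, the intersection identifiers and the fault timestamps are all constructed; a real MMU is programmed per intersection with a hardware permissive matrix, which the `PERMISSIVE` set stands in for. It also shows the fleet-level check an operator would want: many intersections tripping into flash within a short window is a network event, not a run of unrelated hardware faults.

```python
"""Model of a conflict monitor (MMU) and a fleet-level trip correlator.

Added example for illustration; not the article's or the paper's code.
The phase names, permissive table, intersection IDs and event times below
are constructed (hypothetical) values.
"""
from dataclasses import dataclass, field
from itertools import combinations

RED, YELLOW, GREEN = "red", "yellow", "green"
FLASH = "flash_red"

# Constructed 8-movement intersection: through and left-turn movements
# for each approach (NB/SB/EB/WB).
MOVEMENTS = ["NB_through", "SB_through", "EB_through", "WB_through",
             "NB_left", "SB_left", "EB_left", "WB_left"]
ALL_RED = {m: RED for m in MOVEMENTS}

# Constructed permissive table: pairs of movements allowed to be non-red
# at the same time. Any other pair that is simultaneously green/yellow is
# a conflict, which is what the hardware MMU is built to catch.
PERMISSIVE = {
    frozenset({"NB_through", "SB_through"}),
    frozenset({"EB_through", "WB_through"}),
    frozenset({"NB_left", "SB_left"}),
    frozenset({"EB_left", "WB_left"}),
}


def conflicting_pairs(state):
    """Return movement pairs that are both non-red but not permitted together."""
    active = sorted(m for m, colour in state.items() if colour != RED)
    return [(a, b) for a, b in combinations(active, 2)
            if frozenset({a, b}) not in PERMISSIVE]


@dataclass
class ConflictMonitor:
    """One intersection's MMU: once tripped it stays in flash until a
    technician resets it on site, regardless of what the controller requests."""
    intersection: str
    tripped: bool = False
    fault: list = field(default_factory=list)

    def display(self, requested):
        """Return what the signal heads actually show for a requested state."""
        if self.tripped:
            return {m: FLASH for m in requested}
        conflicts = conflicting_pairs(requested)
        if conflicts:
            # Illegal combination: latch into 4-way flash and record why.
            self.tripped = True
            self.fault = conflicts
            return {m: FLASH for m in requested}
        return dict(requested)

    def technician_reset(self):
        """Manual on-site reset; nothing on the network can do this."""
        self.tripped = False
        self.fault = []


def correlated_trips(events, window_s=60, threshold=3):
    """Fleet-level check over (timestamp_s, intersection_id) MMU trip events.

    Returns (window_start, sorted intersection ids) for the first window in
    which at least `threshold` distinct intersections tripped, else None.
    Repeated trips of a single intersection are a hardware problem, not a
    network one, so only distinct intersections are counted."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        ids = {iid for t, iid in events[i:] if t - t0 <= window_s}
        if len(ids) >= threshold:
            return t0, sorted(ids)
    return None


if __name__ == "__main__":
    mmu = ConflictMonitor("constructed-intersection-1")
    legal = {**ALL_RED, "NB_through": GREEN, "SB_through": GREEN}
    illegal = {**ALL_RED, "NB_through": GREEN, "EB_through": YELLOW}
    print(mmu.display(legal)["NB_through"])      # green: permitted pair
    print(mmu.display(illegal)["NB_through"])    # flash_red: conflict caught
    print(mmu.display(legal)["NB_through"])      # flash_red: still latched
    # Constructed trip log: three intersections within 20 s is a network event.
    print(correlated_trips([(0, "A"), (10, "B"), (20, "C"), (400, "D")]))
```

The two halves answer different questions. `ConflictMonitor` shows why a remote keypad command cannot produce conflicting greens, only a latched flash; `correlated_trips` is the signal an operations centre should alarm on, because the paper's threat is every intersection on the network going to 4-way stop at once, and a burst of distinct MMU trips is visible in the fault log long before the first technician is dispatched.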

So the next time you stop at a red light, and it seems to take forever to change, keep an eye out for the hacker who just green-lit their commute.

Thanks for the tip [Matt]

Comments

  1. Paul says:

    The Italian Job?

  2. Michael says:

    It’s not April Fools’ Day, is it? I hope no one installs a raspi near my traffic light to delay my bus when I’m running late.

  3. DainBramage1991 says:

    I thought that Hackaday discouraged illegal behavior? Doing this where I live, and probably in most other places as well, will land you in jail.

    Come on HAD, I thought you guys were trying to protect the reputations of us hackers, not ruin them by encouraging criminal activities.

    • TBjornA says:

      Pretend there’s a standard disclaimer all over hack-a-day: Breaking this seal will void your warranty. Personally I see one of HaD’s strengths as being making information available to you and me that the manufacturer doesn’t want to give us for fear of liability issues.

      • William DeRieux says:

        I agree — there’s no point in hiding the truth; bad security is what it is. If HAD said nothing, we would be naive and assume something was secure when it actually was not.

    • Isaac S. says:

      I see it more as exposing a glaring lack of basic security by manufacturers/municipalities. Even the password on their website is open…

      • Bob says:

        I second that.

        Quote: “default username and password, which can be found on the traffic light manufacturer’s website”

        Seriously, can it get worse than that?

        These things don’t get fixed until they become publicly known and HAD is playing a role in getting the problem fixed by (re)publishing.

        The “head in the sand” approach doesn’t work. Here in Aus they banned guns so all the law abiding people handed their guns in. The crims kept theirs.

        • Z00111111 says:

          Taking guns does help prevent a law abiding citizen from becoming a gun toting maniac when they have a bad day. It also makes it harder for the criminals to obtain guns.

          HaD does have a history of publishing guides for illegal activities in the interests of education.

          • Bob says:

            Law abiding citizens don’t become gun toting maniacs when they have a bad day. The introduction of gun controls did not reduce crime or homicides. Criminals now have more guns because they’re harder to trace now that they’re underground items. Violent crimes by criminals such as criminal bikie gangs have increased. The fear of guns held by the general public has increased and people’s perceptions of personal safety have reduced. So in reality it was a failed experiment that was based on opinions (perhaps like yours) and not facts. It’s like the death penalty in the US. It has the opposite effect.

        • Bones says:

          Oddly, though, you haven’t had a major shooting-massacre since you turned in your guns after Port Arthur.

          • Bob says:

            Ok, there are hundreds of angles you can take on this and some will reflect on gun control positively and others will reflect on gun control negatively; however, none of these angles can change the fact that gun control has not reduced homicide.

            It’s the same basic principle that applies to the US where you have more serial murders in states that support the death penalty. Things don’t always work as expected.

            Using your suggested principle, I could argue that all knives should be banned, including kitchen knives, as it would reduce stabbings. What would be the point if it has no effect on homicides? You can go on banning things forever.

            What about the whiskey a go go mass murder? Should we ban matches?

        • Ijon says:

          What I am wondering about such laws: how is one financially compensated for having to give away one’s handguns? I mean, I bet they won’t give me the full retail price, but who is judging if my customized Glock is worth… say a hundred bucks or a thousand bucks, even if the standard one retails at 600 (I don’t own a gun, so the prices are just guessed)

          Do you know how that was handled? Or were they just confiscated and all owners asking for a refund were just told “well, fuck you!” O.o?

    • franklyn says:

      It is an article about a publicly available research paper. I don’t see anything wrong here.

    • Michael Chen says:

      They discourage illegal behavior, but hackers sure don’t believe in security by obscurity. Why would you even use the default password on a real implementation? Posts as these prompt people to actually set passwords and security measures.

      • Paul says:

        Most sites have default passwords because the people installing the system don’t run the system. As such they don’t know what password the operators will want on the system. Usually no one asks until the end of a job and the operators can’t decide so the installers walk away with the default password installed. The operators say they will change them but they get busy with other projects and move on. Just work load and the lack of understanding that passwords need to be higher priority.

    • yabapolido says:

      @DainBramage1991 if you’re complaining about Hackaday, then you should complain on dozens of websites. I’ve seen this study maybe a week before it got published here, so…

    • JW6919 says:

      Well, at least a warning that it is illegal would be nice. I think the article is valid, it’s good information to have, but a reminder to people that there are legal consequences to hacking these systems would be good.

    • Jim says:

      It would have hurt a lot of people if the OpenSSL vulnerability was hidden. Same here, but I bet this doesn’t get fixed anytime soon.

  4. Mike Lima says:

    Scary stuff. I hope manufacturers / installers / cities take note of this and come up with a secure / encrypted / wired protocol.

    • nsayer says:

      No. No. No.

      Proper security doesn’t even *start* with designing proper protocols. It starts with configuration management and education. If you get that right (which clearly they have not in this case), then the rest is just software updates.

      The system they’ve described here *could* be made sufficiently resilient to attack without changing the specifications at all.

      • F says:

        “It starts with configuration management and education. If you get that right ”

        Maybe if you replace humans with space aliens! Since when did human beings gain the ability to act competently?

      • infe says:

        I don’t think you know how technology is created. Configuration and education is the last step before ongoing maintenance. Do you really want to start worrying about security after everything was designed, developed, manufactured, sold, and installed? Of course not.

    • lunaeros says:

      What’s so scary?
      Someone doing that would not make the lights stay red all the time. It would just trigger them for a succession of greens on the route of whoever hacked it.
      It wouldn’t be much different than an emergency vehicle tripping them for its route.

      • daid303 says:

        Disclaimer: I worked for a European traffic-light producer a few years ago.
        Traffic-lights have an “all red all the time” state. And you can remotely force it into that state. It’s sometimes done for software updates. With a tech at the intersection.

        Now, we never rolled out wireless systems. All our systems were wired, hooked up to central servers, with intrusion detection. But that these systems are hacked does not surprise me at all, as the one I worked on had more holes than I could count. Securing it would be a nightmare.
        (But it was all based on Linux, which was nice. All the same root passwords were less nice from a security standpoint.)

        But if you want scary, with access to all the code I had, with all the information I had, I could have made a remote exploit which I think could have caused a remote-code-execution in the protection CPU (called MMU in the article here). I did harden that code against the bugs I found, but there are lots of units with old code out there.

  5. pcf11 says:

    Get caught doing it and the cops will drag you out of your car and then you’d be doing your best Rodney King impersonation.

  6. Isaac S. says:

    Reproducing the IR signal that firemen use to get through intersections would be the logical way to do this.

  7. Truth says:

    As much as I would wish that a HackRF could pretend to be an off-spec wireless card, with its default firmware it cannot. The firmware would need some hacking to allow it to respond to ACKs faster than it currently can via USB, to stop the connection from timing out. A BladeRF or a USRP would have the same kind of issue if sending the ACKs via USB. But with their onboard FPGAs, avoiding ACK timeouts could probably be implemented more easily.

  8. Mike Lu says:

    Maybe a legal use for this is to use a receive only device (like the cheap RTL SDRs for the 900MHz band) to sniff the light timing information and allow hypermilers to time the traffic lights right in the middle of the cycle?

    • infe says:

      Unfortunately decrypting wireless signals is technically illegal. The way it is worded makes listening in on digital signals out of public bands illegal. That is what made the scanner community sad when cellphones switched to digital. No more legal listening.

  9. William DeRieux says:

    @DainBramage1991 — hackaday’s take on this is the security — or lack thereof. I believe they do discourage illegal activities, but they more or less want to bring to the public’s attention that the security people think they have is like the cake: it’s a lie.

  10. JustS0m1 says:

    Leverage (2008+)? Think about Hackers (1995)… know your classics!

    • William DeRieux says:

      Hackers was good — with Angelina Jolie.
      However, one would be best off using: Gone In Sixty Seconds (Nicolas Cage, 2000)
      They did a green light when they stole a particular car and needed to get away from the cops — they also red-lighted the cops.

  11. CC_DKP says:

    So you’re telling me that unchanged default passwords and unsecured wireless networks might be a problem? I’m expecting to see a writeup about how to hack Linksys routers by connecting to the SSID ‘linksys’ with no password, then connecting to the web interface using the password ‘admin’ (which is scarily enough printed right on the manufacturer’s site!).

    I’m sorry for the snarky sarcasm, but the only real security news in the article is the VxWorks debug port still being open. That needs to be fixed. Everything else is the result of people not changing the default passwords. All the wireless technology they tested has encryption modes available, but the city elected not to turn it on.

    Much of the technology in the traffic industry is 10-15 years behind the curve. The point of many of these city-wide fiber networks is simply to move 1200 baud serial from point A to point B. These devices are riddled with vulnerabilities. Many of them will default back to that 4-way flash after an aggressive Nmap scan or a quick pass with Nessus. I would love to see a writeup involving a real security analysis covering more than just a default password.

    • F says:

      I would rather that the system works fine for incompetent ambulance drivers who are too busy or too lazy to update their codes

      I am happier with a hackable system than I would be with a system that could potentially fail when it is most needed

      “risk / benefit” ratio is something that is meaningful in the real world

    • William DeRieux says:

      CC_DKP says:
      August 31, 2014 at 10:53 am
      ‘I’m sorry for the snarky sarcasm, but the only real security news in the article is the vxworks debug port still being open. That needs to be fixed. Everything else is the result of people not changing the default passwords. All the wireless technology they tested has encryption modes available, but the city elected not to turn it on.’

      What, not changing a default password, not using encryption — if available.
      That isn’t security news???
      That is the whole point of security, as something is only secure if everyone does their part.

  12. ScottishCaptain says:

    Don’t fuck with this shit.

    I know (knew, haven’t spoken to him in years) someone who was mucking around with this shit long before these guys ever thought to. He was messing around with the preemption system that we’ve got up here in Canada (which isn’t hard to “hack” — in fact, as I recall it was easier to fool than this stuff since you didn’t need an SDR).

    Anyways, the cops showed up on his doorstep the first day he got the brilliant idea to green light his entire drive to work. Turns out we’ve got quite a few traffic cameras everywhere, and there are actual people sitting on the other end. It wasn’t hard for them to figure out who it was (assuming they couldn’t just see the IR emitter on the traffic camera) and they were not happy about having someone messing around with their system.

    There were some pretty stiff fines involved and I’m amazed to this day that they didn’t throw him in jail. I suppose this might be different in the States, but I have a feeling that even though these systems are wide open, they are closely monitored and you don’t want to piss off the people on the other end (especially when the usual USA knee jerk reaction these days is to label everything as a terrorist and get the DHS involved).

    • Chris C. says:

      Yep, you’d be a fool to put this on your own vehicle.

      Better to put it on a vehicle belonging to someone you don’t like. In which case you have the option of causing a fault that results in four-way flash, which sounds easier than green lighting. It will also annoy and inconvenience the mark. Plus maximize the time they spend under the watchful eye of any traffic cameras, and likelihood of identification. If caught and found guilty, in addition to any criminal penalties, I bet they’d be sued by the DOT to recover any costs incurred in diagnosis and reset of affected lights. And by anyone else who got into an accident caused by lights suddenly going to four-way flash.

      Welcome to alt.revenge, HAD Edition.

      • justice099 says:

        Until they interviewed the guy and realized he has absolutely no clue about the technology, but this one guy that doesn’t like him does. So they look for fingerprints and other tamper evidence. Sometimes they do actually “investigate” before bringing charges, and I bet those charges for doing this would be much higher than putting it on your own car and getting caught, including even charging you with intent to do bodily harm or reckless endangerment by trying to effect an accident. The DOT and FAA do not fuck around.

        • Chris C. says:

          Written straight and true for sure, but in response to something that was not; the alt.revenge reference was intended as my hint I was being sardonic. Someone would be a fool to play around with this for any reason.

      • William DeRieux says:

        Better make sure you don’t leave your fingerprints on the mark’s car.
        The cops will probably pull fingerprints off the car and device, as SOP.
        And when they claim they didn’t do it — this will give them probable cause to consider a 3rd party — they will find you, eventually.

  13. CodeRed says:

    Reminds me of that scene in Hackers. I can see where normal people would simply be discouraged from doing it for their own benefit for legal reasons, but someone with malicious intent could use this to create or add to a state of chaos in a major metro area. Not good. It’s something that should be fixed, sooner rather than later.

  14. As a complete aside, what is it with this “Warning: PDF” thing I see on HaD, Dangerous Prototypes, and other sites? What’s people’s beef with PDF files?

    • F says:

      if you have adobe code on your computer and you let random web content touch it, you’re just asking to get infected

    • fhunter says:

      The pdf issue is download. You can watch html in browser, but you need to download pdf, even if it is the inbrowser viewer (crappy). + Size (some do read the internet from mobile phones where traffic is metered and the connection is slow).

    • Chris C. says:

      A few possibilities:

      1) You’re on a work, cafe, or library computer on which you want to prevent or erase traces of your activity; especially when related to topics of questionable legality. Loading content in a separate PDF app makes this more difficult.
      2) Your browser-integrated PDF viewer sometimes crashes the browser, and you might want to save a couple of things before opening a PDF. Or open it using another method.
      3) You’re a developer that’s been testing your own app for compatibility with various PDF programs/versions, and are taking a break to read HAD, but don’t want the pirated version currently loaded to “phone home” while you have the network connection enabled. Or maybe it’s an old version that has a known, unpatched exploit.
      4) You don’t trust the content. After all, it was made by someone who specializes in exploits.
      5) You believe Adobe is run by the Illuminati, and PDFs inherently emit subliminal mind control rays, that you must put on a tinfoil hat to block before viewing. Or some other such nonsense. (HAD attracts the nutters.)

      Even if the warning is rarely actually needed, many still consider it polite to provide a warning when a link may do something unexpected; including but not limited to opening another app. I don’t personally have a problem with PDFs, but do appreciate warnings for other things. Powerpoint documents. Anything that may suddenly start blasting audio at disproportionate volume to my music. And so on.

  15. F says:

    We could have a story about the insecure locks on the gum machines in front of the supermarket, and how the planet would be a much better place if these locks had better security.

  16. j0z0r says:

    I think a buncha you guys are either confused or responding to other comments. This isn’t the opticon system used by police and emergency responders, this is the back way in through wireless communication. So it wouldn’t be something mounted on your vehicle, at least that’s not how I envision it. I see a RasPi or something similar waiting for a command to start exploiting your route. If you could get root inside one of their servers, no hardware even needed, just set a timer and watch the fun(if I recall, this is how they did it in Hackers)

  17. Whatnot says:

    In my town the programming of many traffic lights is awful. So it would be damn cool if someone hacked it and fixed the timing to reflect the traffic flow. And fix it to not have situations where everybody is pointlessly waiting for minutes from all directions simultaneously.

    It would be downright magnificent.

  18. Skot9000 says:

    Vallejo, CA has its traffic lights networked with fiber optic. It was done in the 90’s with a federal grant to reduce emissions. Kinda crazy.

    • John U says:

      Hey, fibre is a higher bar to hacker entry than wifi or tones down a wire. Quite future-proof too, it’ll be much cheaper for them to bolt a shitload of cameras to the traffic lights down the line…

  19. Jim says:

    New firmware for 5.8 GHz routers?

  20. John U says:

    So this is surprising news because all other industrial control systems in existence turned out to be so very well secured?

    I don’t want to encourage people, but really 99% of everything networked, outside of “teh interwebs”, relies purely on security by obscurity.

    Mind you, when it’s also locked in a metal cabinet by the side of the road it does make life harder – making shit like this wireless is just asking for trouble.

  21. NewCommentor1283 says:

    sometimes they have that strobe-light sensor from the 80’s still working…
    if ever find waiting over 5 mins to use a crosswalk…
    must turn it off to use crosswalk !

    what?
    walking down the sidewalk with a strobe-light flashing (edit: and beer) is not normal???
    oh dang
    my bad!

  22. Rob says:

    Leverage, the modern-day equivalent of The A-Team. Both series can be watched repeatedly without ever getting old, and both left us far too soon (writers’ issues with The A-Team notwithstanding). I’m thankful that ION (OTA TV, FTW!) still airs Leverage!
