Green Light Your Commute with America’s Unsecured Traffic Lights

Remember that episode of Leverage (season 5, episode 3), where Alec uses Marvin to wirelessly change all the street lights green so they can catch up to an SUV? And you scoffed and said “that’s so not real!”… well actually they got it right. A new study out of the University of Michigan (PDF warning), shows just how easy it is to make your morning commute green lights all the way.

The study points out that a large portion of traffic lights in the United States communicate with each other wirelessly over the 900Mhz and 5.8Ghz ISM band with absolutely no encryption. In order to connect to the 5.8Ghz traffic signals, you simply need the SSID (which is set to broadcast) and the proper protocol. In the study the researchers used a wireless card that is not available to the public, but they do point out that with a bit of social engineering you could probably get one. Another route is the HackRF SDR, which could be used to both sniff and transmit the required protocol. Once connected to the network you will need the default username and password, which can be found on the traffic light manufacturer’s website. To gain access to the 900Mhz networks you need all of the above and a 16-bit slave ID. This can be brute forced, and as the study shows, no ID was greater than 100. Now you have full access, not to just one traffic signal, but EVERY signal connected to the network.

Once on the network you have two options. The completely open debug port in the VxWorks OS which allows you to read-modify-write any memory register. Or by sending a(n) UDP packet where the last byte encodes the button pressed on the controller’s keypad. Using the remote keypad you can freeze the current intersection state, modify the signal timing, or change the state of any light. However the hardware Malfunction Management Unit (MMU) will still detect any illegal states (conflicting green or yellow lights), and take over with the familiar 4-way red flashing. Since a technician will have to come out and manually reset the traffic signal to recover from an illegal state, you could turn every intersection on the network into a 4-way stop.

So the next time you stop at a red light, and it seems to take forever to change, keep an eye out for the hacker who just green lit their commute.

Thanks for the tip [Matt]

85 thoughts on “Green Light Your Commute with America’s Unsecured Traffic Lights

  1. It’s not April fools day is it? I hope no one installs a raspi near my traffic light to delay my bus when I’m running late.

  2. I thought that Hackaday discouraged illegal behavior? Doing this where I live, and probably in most other places as well, will land you in jail.

    Come on HAD, I thought you guys were trying to protect the reputations of us hackers, not ruin them by encouraging criminal activities.

    1. Pretend there’s a standard disclaimer all over hack-a-day: Breaking this seal will void your warranty. Personally I see one of HaD’s strengths as being making information available to you and me that the manufacturer doesn’t want to give us for fear of liability issues.

      1. I agree — there’s no point in hiding the truth; bad security is what it is. if HAD said nothing, we would be naive and assume something was secure when it actually was not.

    2. I see it more as exposing a glaring lack of basic security by manufacturers/municipalities. Even the password on their website is open…

      1. I second that.

        Quote: “default username and password, which can be found on the traffic light manufacturer’s website”

        Seriously, can it get worse than that.

        These things don’t get fixed until they become publicly known and HAD is playing a role in getting the problem fixed by (re)publishing.

        The “head in the sand” approach doesn’t work. Here in Aus they banned guns so all the law abiding people handed their guns in. The crims kept theirs.

        1. Taking guns does help prevent a law abiding citizen from becoming a gun toting maniac when they have a bad day. It also makes it harder for the criminals obtain guns.

          HaD does have a history of publishing guides for illegal activities in the interests of education.

          1. Law abiding citizens don’t become gun toting maniacs when they have a bad day. The introduction of gun controls did not reduce crime or homicides. Criminals now have more guns because they’re harder to trace now that they’re underground items. Violent crimes by criminals such as criminal bikie gangs has increased. The fear of guns held by the general public has increased and peoples perceptions of personal safety have reduced. So in reality it was a failed experiment that was based on opinions (perhaps like yours) and not facts. It’s like the death penalty in the US. It has the opposite effect.

          1. Ok, there are hundreds of angles you can take on this and some will reflect on gun control positively and others will reflect on gun control negatively however none of these angles can change the fact the gun control has not reduced homicide.

            It’s the same basic principle that applies to the US where you have more serial murders in states that support the death penalty. Things don’t always work as expected.

            Using your suggested principle, I could argue that all knives should be banned, including kitchen knives as it would reduce stabbings. What would be the point if it has no effect on homicides. You can go on banning things forever.

            What about the whiskey a go go mass murder? Should we ban matches?

        2. What I am wondering about souch laws, how is one financially compensated for have to giva away ones handguns? I mean, I bet they wont give me the full Retail price, but who is judging if my customized glock worth …say a hundred bucks or a thousand bucks even if the standard one retails at 600 (I dont own a gun, so the prices are just guessed)

          Do you know how that was handled? Or were they just confiscated and all owners asked for refound wer just told “well, fuck you!” O.o?

    3. They discourage illegal behavior, but hackers sure don’t believe in security by obscurity. Why would you even use the default password on a real implementation? Posts as these prompt people to actually set passwords and security measures.

      1. Most sites have default passwords because the people installing the system don’t run the system. As such they don’t know what password the operators will want on the system. Usually no one asks until the end of a job and the operators can’t decide so the installers walk away with the default password installed. The operators say they will change them but they get busy with other projects and move on. Just work load and the lack of understanding that passwords need to be higher priority.

    4. @DainBramage1991 if you’re complaining abou Hackaday, then you should complain on dozens of websites. I’ve seen this study maybe a week before getting published here, so…

    5. Well, at least a warning that it is illegal would be nice. I think the article is valid, its good information to have, but a reminder to people that there are legal consequences to hacking these systems.

        1. Brian, my concern was for the general reputation of the hacker/maker community. The vast, moronic majority of people already see us as evil subversives, and have ever since the word “hacker” was coined decades ago. In the last few years our community has finally started to get a bit of good press…

          But if you don’t care, why should I?

        1. Questions of legality didn’t stop phone phreakers like Steve Jobs and Steve Wozniak and so many others. Most of them never got prosecuted. The telcos just altered their systems to make all those hacks no longer work.

    6. It would have hurt a lot of people if the open SSL vulnerability was hidden. Same here but I bet this doesn’t get fixed anytime soon.

  3. Scary stuff. I hope manufacturers / installers / cities take note of this and come up with a secure / encrypted / wired protocol.

    1. No. No. No.

      Proper security doesn’t even *start* with designing proper protocols. It starts with configuration management and education. If you get that right (which clearly they have not in this case), then the rest is just software updates.

      The system they’ve described here *could* be made sufficiently resilient to attack without changing the specifications at all.

      1. “It starts with configuration management and education. If you get that right ”

        Maybe if you replace humans with space aliens! Since when did human beings gain the ability to act competently?

      2. I don’t think you know how technology is created. Configuration and education is the last step before ongoing maintenance. Do you really want to start worrying about security after everything was designed, developed, manufactured, sold, and installed? Of course not.

    2. What’s so scary?
      Someone doing that would not make the lights stay red all the time. It would just trigger them for a succession of greens on the route of whoever hacked it.
      It wouldn’t be much different than a emergency vehicle tripping them for it’s route.

      1. Disclaimer: I worked for a European traffic-light producer a few years ago.
        Traffic-lights have an “all red all the time” state. And you can remotely force it into that state. It’s sometimes done for software updates. With a tech at the intersection.

        Now, we never rolled out wireless systems. all our systems where wired, hooked up to central servers, with intrusion detection. But, that these systems are hacked does not surprise me at all. As the one I worked on had more holes then I could count. Securing it would be a nightmare.
        (But it was all based on linux, which was nice. All the same root passwords was less nice from a security standpoint)

        But if you want scary, with access to all the code I had, with all the information I had, I could have made a remote exploit which I think could have caused a remote-code-execution in the protection CPU (called MMU in the article here). I did harden that code against the bugs I found, but there are lots of units with old code out there.

  4. Get caught doing it and the cops will drag you out of your car and then you’d be doing your best Rodney King impersonation.

        1. In my region of California, they’ve all been removed. There are little to no locations with traffic cameras. Also, the intelligent would have it trigger before reaching the intersection so you just drive on through…

      1. I believe I read a story about someone being arrested for just that a while back. Definately not something you should try out.

      1. What about a laser miniturret that via machine vision tracks the receiver, and is well-shielded against scattered light at its output? The camera won’t see the light as the beam is low-power and precision-aimed. Granted, much more involved than a bunch of IR LEDs…

  5. As much as I would wish that a HackRF could pretend to be an off spec wireless card, with it’s default firmware it can not. The firmware would need some hacking to allow it to respond to ACK’s faster than it could currently do via USB to stop the connection from timing out. A BladeRF or a USRP would have the same kind of issue if sending the ACK’s via USB. But with their onboard FPGA’s avoiding ACK time outs could probably be implemented easier.

  6. Maybe a legal use for this is to use a receive only device (like the cheap RTL SDRs for the 900MHz band) to sniff the light timing information and allow hypermilers to time the traffic lights right in the middle of the cycle?

    1. Unfortunately decrypting wireless signals is technically illegal. The way it is worded makes listening in on digital signals out of public bands illegal. That is what made the scanner community sad when cellphones switched to digital. No more legal listening.

      1. These signals aren’t encrypted. The only signals that are illegal to receive are analog cellular phones, which don’t exist anymore.

  7. @DainBramage1991 — hackaday’s take on this is the security — or lack there of. I believe they do discourage illegal activies, but they more or less want to — bring to the public’s attention–that the security people, think they have, is like cake, it’s a lie.

    1. Hackers was good — with Angelina Jolie.
      However, one would be best of using: Gone In Sixty Seconds (Nicolas Cage, 2000)
      They did a green light when they stole a particular car and needed to get away from the cops — they also reg-lighted the cops.

  8. So you’re telling me that unchanged default passwords and unsecured wireless networks might be a problem? I’m expecting to see a writeup about how to hack Linksys routers by connecting to the SSID ‘linksys’ with no password, then connecting to the web interface using the password ‘admin’ (Which is scarily enough printed right on the manufacturer’s site!).

    I’m sorry for the snarky sarcasm, but the only real security news in the article is the vxworks debug port still being open. That needs to be fixed. Everything else is the result of people not changing the default passwords. All the wireless technology they tested has encryption modes available, but the city elected not to turn it on.

    Much of the technology in the traffic industry is 10-15 years behind the curve. The point of many of these city-wide fiber networks is simply to move 1200 baud serial from point A to point B. These devices are riddled with vulnerabilities. Many of them will default back to that 4-way flash after an aggressive NMAP scan or a quick pass with Nessus. I would love to see a writeup involving a real security analysis covering more than just a default password.

    1. I would rather that the system works fine for incompetent ambulance drivers who are too busy or too lazy to update their codes

      I am happier with a hackable system than I would be with a system that could potentially fail when it is most needed

      “risk / benefit” ratio is something that is meaningful in the real world

    2. CC_DKP says:
      August 31, 2014 at 10:53 am
      ‘I’m sorry for the snarky sarcasm, but the only real security news in the article is the vxworks debug port still being open. That needs to be fixed. Everything else is the result of people not changing the default passwords. All the wireless technology they tested has encryption modes available, but the city elected not to turn it on.’

      What, not changing a default password, not using encryption — if available.
      That isn’t security news???
      That is the whole point of security, as something is only secure, if everyone does there part.

  9. Don’t fuck with this shit.

    I know (knew, haven’t spoke to him in years) someone who was mucking around with this shit long before these guys ever thought to. He was messing around with the preemption system that we’ve got up here in Canada (which isn’t hard to “hack”- in fact, as I recall it was easier to fool then this stuff since you didn’t need an SDR).

    Anyways, the cops showed up on his doorstep the first day he got the brilliant idea to green light his entire drive to work. Turns out we’ve got quite a few traffic cameras everywhere, and there are actual people sitting on the other end. It wasn’t hard for them to figure out who it was (assuming they couldn’t just see the IR emitter on the traffic camera) and they were not happy about having someone messing around with their system.

    There were some pretty stiff fines involved and I’m amazed to this day that they didn’t throw him in jail. I suppose this might be different in the States, but I have a feeling that even though these systems are wide open, they are closely monitored and you don’t want to piss off the people on the other end (especially when the usual USA knee jerk reaction these days is to label everything as a terrorist and get the DHS involved).

    1. Yep, you’d be a fool to put this on your own vehicle.

      Better to put it on a vehicle belonging to someone you don’t like. In which case you have the option of causing a fault that results in four-way flash, which sounds easier than green lighting. It will also annoy and inconvenience the mark. Plus maximize the time they spend under the watchful eye of any traffic cameras, and likelihood of identification. If caught and found guilty, in addition to any criminal penalties, I bet they’d be sued by the DOT to recover any costs incurred in diagnosis and reset of affected lights. And by anyone else who got into an accident caused by lights suddenly going to four-way flash.

      Welcome to alt.revenge, HAD Edition.

      1. Until they interviewed the guy and realized he has absolutely no clue about the technology, but this one guy that doesn’t like him does. So they look for fingerprints and other tamper evidence. Sometimes, they do actually “investigate” before bringing charges and I bet those charges for doing this would be much higher than putting it on your own car and getting caught, including even charging you with intent to do bodily harm or wreckless endangerment by trying to affect an accident. The DOT and FAA do not fuck around.

        1. Written straight and true for sure, but in response to something that was not; the alt.revenge reference was intended as my hint I was being sardonic. Someone would be a fool to play around with this for any reason.

      2. better make sure you don’t leave you fingerprints on the marks car.
        The cops will probably pull fingerprints off the car and device, as SOP.
        And when they claim they didn’t do it — this will give them probable cause to consider a 3rd-party — they will find you, eventually.

  10. Reminds me of that scene in hackers. I can see where normal people would simply be discouraged from doing it for their own benefit for legal reasons, but someone with malicious intent could use this to create or add to a state of chaos in a major metro area. Not good. Its something that should be fixed, sooner than later.

    1. The pdf issue is download. You can watch html in browser, but you need to download pdf, even if it is the inbrowser viewer (crappy). + Size (some do read the internet from mobile phones where traffic is metered and the connection is slow).

    2. A few possibilities:

      1) You’re on a work, cafe, or library computer on which you want to prevent or erase traces of your activity; especially when related to topics of questionable legality. Loading content in a separate PDF app makes this more difficult.
      2) Your browser-integrated PDF viewer sometimes crashes the browser, and you might want to save a couple of things before opening a PDF. Or open it using another method.
      3) You’re a developer that’s been testing your own app with for compatibility with various PDF programs/versions, and are taking a break to read HAD, but don’t want the pirated version currently loaded to “phone home” while you have the network connection enabled. Or maybe it’s an old version that has a known, unpatched exploit.
      4) You don’t trust the content. After all, it was made by someone who specializes in exploits.
      5) You believe Adobe is run by the Illuminati, and PDFs inherently emit subliminal mind control rays, that you must put on a tinfoil hat to block before viewing. Or some other such nonsense. (HAD attracts the nutters.)

      Even if the warning is rarely actually needed, many still consider it polite to provide a warning when a link may do something unexpected; including but not limited to opening another app. I don’t personally have a problem with PDFs, but do appreciate warnings for other things. Powerpoint documents. Anything that may suddenly start blasting audio at disproportionate volume to my music. And so on.

  11. We could have a story about the insecure locks on the gum machines in front of the supermarket, and how the planet would be a much better place if these locks had better security.

    1. Ah, figuring out the toy plastic money we played with at school would fit into those machines was possibly my first hack! And probably my first nefarious act, but I felt like a GENIUS for figuring that one out.

      I was poor, and only maybe 30 plastic pence went through there. Proving the concept was enough.

  12. I think a buncha you guys are either confused or responding to other comments. This isn’t the opticon system used by police and emergency responders, this is the back way in through wireless communication. So it wouldn’t be something mounted on your vehicle, at least that’s not how I envision it. I see a RasPi or something similar waiting for a command to start exploiting your route. If you could get root inside one of their servers, no hardware even needed, just set a timer and watch the fun(if I recall, this is how they did it in Hackers)

  13. In my town the programming of many traffic lights is awful. So it would be damn cool if someone hacked it and fixed the timing to reflect the traffic flow. And fix it to not have situations where everybody is pointlessly waiting for minutes from all directions simultaneously.

    It would be downright magnificent.

    1. Hey, fibre is a higher bar to hacker entry than wifi or tones down a wire. Quite future-proof too, it’ll be much cheaper for them to bolt a shitload of cameras to the traffic lights down the line…

  14. So this is surprising news because all other industrial control systems in existence turned out to be so very well secured?

    I don’t want to encourage people, but really 99% of everything networked, outside of “teh interwebs”, relies purely on security by obscurity.

    Mind you, when it’s also locked in a metal cabinet by the side of the road it does make life harder – making shit like this wireless is just asking for trouble.

    1. With half of those “locked” metal cabinets by the road you can use a standard ratchet as a key. 1/4 twist clockwise and they pop open.

  15. sometimes they have that strobe-light sensor from the 80’s still working…
    if ever find waiting over 5 mins to use a crosswalk…
    must turn it off to use crosswalk !

    what?
    walking down the sidewalk with a strobe-light flashing (edit: and beer) is not normal???
    oh dang
    my bad!

  16. Leverage, the modern-day equivalent of A-Team. Both series can be watched repeatedly without ever getting old, and both left us far too soon (writers issues with A-Team nothwithstanding). I’m thankful that ION (OTA TV, FTW!) still airs Leverage!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s