Reverse Engineering Traffic Lights with Software Defined Radio

Construction crews tearing up the street to lay new fiber optic internet cable created a unique opportunity for [Bastian Bloessl]. The workers brought in two mobile traffic lights to keep the road safe while they worked. [Bastian] had heard that these lights use radios in the 2 meter band, so he grabbed his RTL-SDR USB stick and started hacking. Mobile traffic lights are becoming more common in Europe. They can be controlled by a timer, by traffic volume measured with an on-board camera, or over a wire or radio link. They also transmit status data, which is what [Bastian] was hoping to receive.

A quick scan with GQRX revealed a strong signal at 170.760 MHz (a little above the 144 to 146 MHz amateur 2 meter allocation, but well within an RTL-SDR sweep). Using baudline and Audacity, [Bastian] was able to determine that the data was modulated with Audio Frequency Shift Keying (AFSK): the audio on the carrier switches between two tones, one per bit value. He built a simple receiver chain in GNU Radio and was greeted with a solid data stream from the lights. By watching the lights and comparing the data frames received in each state, [Bastian] was able to work out which bits carried the current light status. A quickly knocked-up web interface let him display the traffic light status in real time.
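The two steps above, demodulating the AFSK audio into bits and then diffing frames captured in different light states to locate the status bits, are reproduced below as an added example in pure Python. This is not [Bastian]'s GNU Radio flowgraph or the lights' real protocol: the tones (1200/2200 Hz), the 1200 baud rate, the 48 kHz audio sample rate, the frame layout (preamble, address byte, status byte) and the three sample frames are all assumptions constructed for the example, and the "audio" is synthesised rather than captured.

```python
"""Added example: AFSK demodulation and frame diffing in pure Python.

Not [Bastian]'s receiver chain and not the lights' real protocol. The tones,
baud rate, sample rate and frame layout below are assumptions chosen for the
example; the audio is generated locally rather than captured off the air.
"""
import math
import random

SAMPLE_RATE = 48000                     # assumed audio sample rate
BAUD = 1200                             # assumed bit rate
MARK_HZ = 1200                          # assumed tone for a 1 bit
SPACE_HZ = 2200                         # assumed tone for a 0 bit
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 40 samples per bit period


def afsk_modulate(bits, noise_sigma=0.0, seed=1):
    """Continuous-phase AFSK audio for a bit list, optionally with Gaussian noise."""
    rng = random.Random(seed)
    samples = []
    phase = 0.0
    for b in bits:
        step = 2 * math.pi * (MARK_HZ if b else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase) + rng.gauss(0.0, noise_sigma))
            phase += step
    return samples


def tone_energy(block, freq):
    """Non-coherent tone detector: correlate with cos and sin, sum the squares.

    Squaring removes the unknown carrier phase, so the bit decision does not
    depend on where in the tone's cycle each bit period happens to start.
    """
    i = q = 0.0
    for n, s in enumerate(block):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        i += s * math.cos(angle)
        q += s * math.sin(angle)
    return i * i + q * q


def afsk_demodulate(samples):
    """Slice audio into bit periods and decide mark (1) vs space (0) per period."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(block, MARK_HZ) > tone_energy(block, SPACE_HZ) else 0)
    return bits


def bits_from_bytes(data):
    """MSB-first bit list for a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def changing_bit_positions(frames):
    """Bit indices whose value is not constant across all captured frames.

    This is the "watch the lights, diff the frames" step: fields that never
    change (preamble, address) drop out and the state-dependent bits remain.
    """
    assert frames and all(len(f) == len(frames[0]) for f in frames)
    return [pos for pos in range(len(frames[0]))
            if len({f[pos] for f in frames}) > 1]


# Constructed frames, one per observed light state. The layout (two preamble
# bytes, an address byte, a status byte) is invented for this example.
STATE_FRAMES = {
    "red":   b"\xaa\xaa\x42\x01",
    "amber": b"\xaa\xaa\x42\x02",
    "green": b"\xaa\xaa\x42\x04",
}


def recover_status_bits():
    """Modulate each frame, demodulate it back, and diff the recovered frames."""
    recovered = {}
    for state, frame in STATE_FRAMES.items():
        audio = afsk_modulate(bits_from_bytes(frame), noise_sigma=0.2)
        recovered[state] = afsk_demodulate(audio)
    positions = changing_bit_positions(list(recovered.values()))
    return recovered, positions


if __name__ == "__main__":
    recovered, positions = recover_status_bits()
    for state, bits in recovered.items():
        print(state, "".join(map(str, bits)))
    print("bits that track the light state:", positions)
```

The demodulator assumes the bit boundaries are already known, which the synthesised audio guarantees; against a real capture you would first search for the preamble to align the bit clock, and a GNU Radio chain would do the same job with a quadrature demodulator and a clock recovery block. With the frames above, the only positions that change between states are the low three bits of the last byte, which is exactly the kind of result that lets you map bits to red, amber and green.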

It is a bit unsettling that the data is sent in the clear, but this is only status data. We hope that any command data is authenticated, not merely encrypted, and sent over a more secure channel: an attacker who can forge a "set both ends to green" command is a far bigger problem than one who can read the current state.

32 thoughts on “Reverse Engineering Traffic Lights with Software Defined Radio”

        1. Yes. And my irritation comes from the fact that we’ve had mobile ones for decades, too. When did you think the glorious invention of a timer, three lights at each end and a cable in between came along? Last year?

    1. Nope! I live in NJ and can testify that they DON’T pay a cop to watch all day. They pay 2 cops: one on each side of the crew. Sometimes they try to hide it by having cops from different jurisdictions watch, but it’s almost always 2 cops.

    2. In Wisconsin usually members of the work crew manage the flags. The only time I’ve seen mobile lights is when the lane has to be closed for long periods or overnight. In Wyoming, I’ve seen them use lead cars, some guy with a big ‘Follow Me’ sign drives back and forth, usually for long stretches of country highway construction, or on the side of a mountain.

  1. “It’s a bit scary that the data was sent in plaintext”

    Yeah, just like the huge, brightly-coloured lamps which ANYONE can decode with their eyes? You’re right, it’s totally insane to have unencrypted road safety signalling.

    1. Well, you should have quoted the whole paragraph “…however this is just status data. We hope that any command data is sent encrypted through a more secure channel.”

      The problem is not so much about status data (i.e. the green/orange/red light), which anyone can indeed see. However, if someone starts playing with command data (e.g. put all lights to green), then it becomes a problem.

  2. They could be timer controlled, where the radio commands are only used to ensure they don’t go out of sync.

    It’s very rare that these lights have any means of external input (e.g. car sensor, pedestrian button); instead they are just plain timers (e.g. let traffic A pass for 10 sec, let traffic B pass for 10 sec, and back to the beginning again).

    The radio commands are then only used as an emergency measure to disable the lights if they would ever collide due to desync.
    E.g., if signal 1 is red and signal 2 is green. If signal 2 gets a radio signal that signal 1 is green, then signal 2 will disable itself and spread a “pollution” that causes signal 1 to disable too.
    But the light will then still follow its timer; it would not “honor” it if you spoofed signal 2’s status to “red”, signal 1 would still be red according to its clock timer.
    And signal 2 would of course detect that and disable itself, since its radio status contradicts the real status. And the FFSK and address codes are simply used to prevent the lights from disabling themselves just because some garbage comes in over the air, let’s say a lightning storm, or any other radio garbage.
    And of course, the lights would disable themselves if they don’t hear from everyone else either.

    So even if the radio band is no security at all, it’s possible to build a secure system without encryption. The security lies in that the data transmitted is only used as a failsafe. Tampering with the signals would not lead to anything, except that if one of the clocks accidentally goes faster or slower, then the lights would not disable themselves.

    Imagine tampering with the signals like blocking an emergency exit. It would not cause any harm except if it really comes to a bad day.

    Thus there is no need for security in the radio signals.

    1. So all you could do is to “DoS” the traffic lights, but that you could do even if it was encrypted by RSA 4096, by simply jamming the signal.

      With “disable itself”, this is a “safe state” for both traffic lights. For most traffic lights in Sweden, there are signs posted saying what the drivers should do in case the lights are out of order. Such lights will fail to a “yellow flashing light”, which means (proceed with caution).

      In other cases, the lights will always fail to “both red” and never change. Possibly it will “call home” and say “I’m broken” so some guys can get out and repair it.

      1. I’ve seen the both red condition. A windy day, loose cables kept causing the lights to reset. Had to have a cop come out and direct traffic till it was fixed. It was on a rural highway, traffic had already backed up about a mile.
