Construction crews tearing up the street to lay new internet fiber optic cable created a unique opportunity for [Bastian Bloessl]. The workers brought two mobile traffic lights to help keep the road safe while they worked. [Bastian] had heard that these lights use 2 meter band radios, so he grabbed his RTL-SDR USB stick and started hacking. Mobile traffic lights are becoming more common in Europe. They can be controlled by a clock, by traffic volume measured with an on-board camera, by wire, or by radio. They also transmit status data, which is what [Bastian] was hoping to receive.
A quick scan with GQRX revealed a strong signal on 170.760 MHz. Using baudline and Audacity, [Bastian] was able to determine that Audio Frequency Shift Keying was used to modulate the data. He created a simple receiver chain in GNU Radio, and was greeted with a solid data stream from the lights. By watching the lights and looking at the data frames, [Bastian] was able to determine which bits contained the current light status. A quickly knocked up web interface allowed him to display the traffic light status in real-time.
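The two analysis steps described above, demodulating AFSK audio and then finding which frame bits track the observed light state, are sketched below as an added example; it is not [Bastian]'s GNU Radio flowgraph. The tones, bit rate, noise level and 16-bit frames are constructed for illustration, and the audio is assumed to be bit-aligned, so no clock recovery is done.

```python
import math, random

# Constructed parameters: the article gives no tones, baud rate or frame layout.
FS, BAUD = 48000, 1200           # audio sample rate (Hz), bit rate (bit/s)
MARK, SPACE = 1200.0, 2400.0     # audio tone for bit 1 / bit 0 (Hz)
SPB = FS // BAUD                 # samples per bit

def modulate(bits, noise=0.3, seed=1):
    """Synthesize continuous-phase AFSK audio, plus Gaussian noise, for a bit string."""
    rng, phase, out = random.Random(seed), 0.0, []
    for b in bits:
        step = 2 * math.pi * (MARK if b == "1" else SPACE) / FS
        for _ in range(SPB):
            out.append(math.sin(phase) + rng.gauss(0, noise))
            phase += step
    return out

def tone_energy(chunk, freq):
    """Energy of one tone in a chunk (single-bin DFT, phase independent)."""
    w = 2 * math.pi * freq / FS
    i = sum(s * math.cos(w * n) for n, s in enumerate(chunk))
    q = sum(s * math.sin(w * n) for n, s in enumerate(chunk))
    return i * i + q * q

def demodulate(samples):
    """Cut bit-aligned audio into symbols and pick the stronger tone for each."""
    chunks = (samples[k:k + SPB] for k in range(0, len(samples) - SPB + 1, SPB))
    return "".join("1" if tone_energy(c, MARK) > tone_energy(c, SPACE) else "0"
                   for c in chunks)

def varying_bits(frames_by_state):
    """Bit positions whose value changes with the light state seen at capture time."""
    frames = list(frames_by_state.values())
    return [i for i in range(len(frames[0])) if len({f[i] for f in frames}) > 1]

# Constructed 16-bit frames, keyed by the light state observed while recording.
CAPTURES = {"red":    "1010110001000011",
            "yellow": "1010110010000011",
            "green":  "1010110011000011"}

def analyse():
    """Demodulate each capture, then locate the bits that track the light state."""
    decoded = {state: demodulate(modulate(f)) for state, f in CAPTURES.items()}
    return decoded, varying_bits(decoded)

if __name__ == "__main__":
    print(analyse())
```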
It’s a bit scary that the data was sent in plaintext, however this is just status data. We hope that any command data is sent encrypted through a more secure channel.
We had the same thing in my neighborhood and I really wanted to attempt this but just didn’t have the time.
Nice to see someone get down and dirty to pull this off.
Nah, most countries here in Europe still stick with coloured flashlights duct taped to trained giraffes.
Yes, that’s right. Here in the UK, we don’t even have giraffes. We have to rely on men with stop/go boards and hope they don’t fall asleep on the job.
I appreciate the humor, but I think the key word here is “mobile” – as in temporary.
That’s why they need the giraffes. If they were permanent installations they could just rely on hippos on bamboo stalks like everyone else does.
Permanent hippo installations are not cost effective in comparison to primates. Lot of people don’t know this.
Yes. And my irritation comes from the fact that we’ve had mobile ones for decades, too. When did you think the glorious invention of a timer, three lights at each end and a cable in between came along? Last year?
In the US, mobile lights in construction zones are rare. Usually, it’s two guys with “Stop” and “Slow” signs, communicating with hand signals or radios.
In NJ they pay a cop to watch the work crew all day.
Nope! I live in NJ and can testify that they DON’T pay a cop to watch all day. They pay 2 cops: one on each side of the crew. Sometimes they try to hide it by having cops from different jurisdictions watch, but it’s almost always 2 cops.
Insert NJ left turn joke here. Insert NJ self serve gas joke here. Insert “the smell that comes up from jersey” joke here.
Ok, I’ve done my duty as a New Yorker. Everyone move along… :)
What’s an NJ left turn joke? In NJ, left turns ARE the joke.
That would be the “Jug handle”, where you turn right to turn left.
Yup, typically they’re making around 60/hr. Must be nice
Yep, same in Toronto too, must be nice to get paid +$65 dollars an hour to do a job that can be done by a sign on a stick.
And you assume that a work crew in Jersey is actually living up to their name??? Highway dept vehicles there sleep four, sometimes five.
In Wisconsin usually members of the work crew manage the flags. The only time I’ve seen mobile lights is when the lane has to be closed for long periods or overnight. In Wyoming, I’ve seen them use lead cars, some guy with a big ‘Follow Me’ sign drives back and forth, usually for long stretches of country highway construction, or on the side of a mountain.
> We hope that any command data is sent encrypted through a more secure channel.
HAHAHAHAHAHAHA no.
Does anyone else see a trick of the eye when staring at the laptop representation of the lights, a blue left after the red changes? (I’m sure this is a known response, just interesting)
“It’s a bit scary that the data was sent in plaintext”
Yeah, just like the huge, brightly-coloured lamps which ANYONE can decode with their eyes? You’re right, it’s totally insane to have unencrypted road safety signalling.
Well, you should have quoted the whole paragraph “…however this is just status data. We hope that any command data is sent encrypted through a more secure channel.”
The problem is not so much about status data (i.e. the green/orange/red light), which anyone can indeed see. However if someone starts playing with command data (e.g. put all lights to green), then it becomes a problem.
Is he so sure it isn’t the actual command data he’s witnessing?
Of course it’s the actual commands. One of the signals is the master and the other is the slave. That’s how they keep in sync.
The lights can’t all go to green, even if you command them to.
But all the (traffic) lights can go to green, even if the lights can’t all go to green. :)
Here’s a link to the manufacturer’s product page – maybe helpful:
http://www.fabema.de/en/products/traffic-lights/radio-controlled-traffic-lights.html
Quoth: “””high interference immunity to outside sources through producer-related address codes and interference-immune FFSK transmission. “””
To me, that sounds like preshared seeds in a device combo – I’d not call THAT encryption ;)
I’ve been able to capture signals like this but I haven’t the slightest idea how to start interpreting what they mean. Then how do I have software interpret it?
They could be timer controlled, where the radio commands are only used to ensure they don’t go out of sync.
It’s very rare that these lights have any means of external input (e.g. car sensor, pedestrian button); instead they are just plain timed (e.g. let traffic A pass for 10 sec, let traffic B pass for 10 sec, and back to the beginning again).
The radio commands are then only used as an emergency to disable the lights if they ever would collide due to desync.
E.g., if signal 1 is red and signal 2 is green: if signal 2 gets a radio signal that signal 1 is green, then signal 2 will disable itself and spread a “pollution” that causes signal 1 to disable too.
But the light will then still follow its timer; it would not “honor” it if you spoofed signal 2’s status to “red”, signal 1 would still be red according to its clock timer.
And signal 2 would of course detect that and disable itself since its radio status contradicts the real status. And the FFSK and address codes are simply used to prevent the lights from disabling themselves just because some garbage comes in over the air, let’s say a lightning storm, or any other radio garbage.
And of course, the lights would disable themselves if they don’t hear from everyone else either.
So even if the radio band is no security at all, it’s possible to build a secure system without encryption. The security lies in that the data transmitted is only used as a failsafe. Tampering with the signals would not lead to anything except that if one of the clocks accidentally goes faster or slower, then the lights would not disable themselves.
Imagine tampering with the signals like blocking an emergency exit. It would not cause any harm except if it really comes to a bad day.
Thus there is no need for security in the radio signals.
So all you could do is to “DoS” the traffic lights, but that you could do even if it was encrypted by RSA 4096, by simply jamming the signal.
With “Disable itself”, this is a “safe state” for both traffic lights. For most traffic lights in Sweden, there are signs posted saying what the drivers should do in case the lights are out of order. Such lights will fail to a “yellow flashing light”, which means (proceed with caution).
In other cases, the lights will always fail to “both red” and never change. Possibly it will “call home” and tell “I’m broken” so some guys can get out and repair.
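The fail-safe design this comment describes can be modelled in a few lines. The following is an added example, not code from the comment or from any traffic light vendor: each light derives its aspect from its own clock, and a received status can only trip the fault state. The cycle length, timeout and the `simulate` scenarios are assumptions made for illustration.

```python
from dataclasses import dataclass

CYCLE, GREEN_WINDOW = 40, 10   # seconds; 10 s of green per approach as in the comment
TIMEOUT = 3                    # seconds of peer silence tolerated (assumed value)

@dataclass
class Light:
    offset: int            # where this light's green window starts in the cycle
    faulted: bool = False
    last_heard: int = 0

    def scheduled(self, now):
        """Aspect derived from the local clock only; radio never selects it."""
        return "green" if (now - self.offset) % CYCLE < GREEN_WINDOW else "red"

    def aspect(self, now):
        return "fault" if self.faulted else self.scheduled(now)

    def on_radio(self, now, peer_aspect):
        """Received status is a cross-check that can only trip the fail-safe."""
        self.last_heard = now
        if peer_aspect == "fault":
            self.faulted = True    # a faulted peer takes this light down too
        elif peer_aspect == "green" and self.scheduled(now) == "green":
            self.faulted = True    # conflicting greens reported

    def tick(self, now):
        if now - self.last_heard > TIMEOUT:
            self.faulted = True    # peer has gone silent
        return self.aspect(now)

def simulate(seconds, forged_to_a=None, b_silent_from=None):
    """Return [(aspect_a, aspect_b), ...] for each second.

    forged_to_a: status that light A receives in place of B's real one.
    b_silent_from: second from which A no longer hears B at all.
    """
    a, b = Light(offset=0), Light(offset=20)
    history = []
    for now in range(seconds):
        if b_silent_from is None or now < b_silent_from:
            a.on_radio(now, forged_to_a or b.aspect(now))
        b.on_radio(now, a.aspect(now))
        history.append((a.tick(now), b.tick(now)))
    return history

if __name__ == "__main__":
    for label, kw in [("normal", {}), ("forged red", {"forged_to_a": "red"}),
                      ("forged green", {"forged_to_a": "green"}), ("B silent", {"b_silent_from": 5})]:
        print(label, simulate(12, **kw))
```

The model keeps both clocks in step, so it does not cover the drifting-clock case the comment mentions, where a tampered status would hide a real conflict.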
I’ve seen the both red condition. A windy day, loose cables kept causing the lights to reset. Had to have a cop come out and direct traffic till it was fixed. It was on a rural highway, traffic had already backed up about a mile.
I disagree. If the lights are using the signal for timing, then that is a potentially exploitable weakness. If you can overpower the signal reaching a specific light, you could drift its timing until otherwise-impossible combinations of lights become possible.
See the following for a similar idea previously posted on Hackaday http://hackaday.com/2014/03/22/build-your-own-radio-clock-transmitter/
Does anyone have a similar audio sample of the wave file so that I can try to understand what it looks like in Audacity or Baudline?
Thanks very much in advance