
Traffic light vulns leave doors wide open to Italian Job-style hacks

Never mind blowing the bloody doors off, what about screwing up the rush hour?

Hackers may be able to create traffic chaos, just like Michael Caine's loveable rogue in classic Brit film The Italian Job, thanks to an alarming series of flaws discovered in traffic control systems.

Cesar Cerrudo, CTO at embedded security experts IOActive Labs, discovered that traffic control systems in cities around the world (US, UK, France, Australia, China, etc) were vulnerable to exploitation.

The vulnerabilities he uncovered could allow anyone to take complete control of the devices, to potentially chaotic effect. According to Cerrudo there are more than 50,000 traffic control devices out there that could be hacked.

IOActive contacted the affected vendor in September 2013 through ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team). The unnamed vendor downplayed the seriousness of the flaws, stating that the devices were working as designed, and customers (state/city governments) "wanted the devices to work that way (insecure)". The vendor added that it had resolved one of the issues in new equipment, without providing a means to update older kit, while stating that the flaws were neither critical nor important.

Cerrudo strongly disputes this assessment, arguing that an attacker could exploit the problems to cause traffic jams and problems at intersections. Part of the problem involves the ability to mess with electronic signs and traffic light signals, as Cerrudo explains:

It's possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed.

These traffic problems could cause real issues, even deadly ones, by causing accidents or blocking ambulances, fire fighters, or police cars going to an emergency call.

IOActive has a solid back catalogue of heavyweight research into security flaws in industrial control, including the discovery that hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings. El Reg is therefore inclined to take its concerns seriously, even absent the ability to grill the unnamed vendor involved.

Manual overrides and secondary controls might limit the scope for mischief, though it would be something of a gamble to rely on those – especially since exploits might be possible with a minimum of skill and investment, as Cerrudo explains:

The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less).

I even tested the attack launched from a drone flying at over 650 feet [200m], and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles [2-3km] away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.

It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.

What worries me the most is that if a vulnerable device is compromised, it's really, really difficult and really, really costly to detect it. So there could already be compromised devices out there that no one knows about or could know about.

Passive tests ("no hacking and nothing illegal") by Cerrudo on real-life deployments of traffic control systems in Seattle, New York, and Washington DC confirmed that devices were vulnerable, just as Cerrudo feared. Real-life deployments could have different configurations (different hardware/software versions) that might have thwarted attacks, but no such relief was discovered in the field.

"This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously," Cerrudo concludes.

A blog post featuring pictures and videos explaining Cerrudo's research can be found here.

Cerrudo is due to present more details on his research at the Infiltrate 2014 Conference in Miami Beach, USA next week. ®

Update

IOActive has identified the vendor who supplied kit it alleges to be vulnerable as Sensys Networks. El Reg has invited Sensys to comment on the research but has yet to hear back.

Bootnote

IOActive references scenes from Live Free or Die Hard (Die Hard 4) where "terrorist hackers" manipulate traffic signals. However, we make no apologies for referencing The Italian Job when it comes to talk of unleashing traffic chaos.
