Traffic light vulns leave doors wide open to Italian Job-style hacks

Never mind blowing the bloody doors off, what about screwing up the rush hour?

Hackers may be able to create traffic chaos, just like Michael Caine's loveable rogue in classic Brit film The Italian Job, thanks to an alarming series of flaws discovered in traffic control systems.

Cesar Cerrudo, CTO at embedded security experts IOActive Labs, discovered that traffic control systems in cities around the world (US, UK, France, Australia, China, etc) were vulnerable to exploitation.

The vulnerabilities he uncovered could allow anyone to take complete control of the devices, to potentially chaotic effect. According to Cerrudo there are more than 50,000 traffic control devices out there that could be hacked.

IOActive contacted the affected vendor in September 2013 through ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team). The unnamed vendor downplayed the seriousness of the flaws, stating that the devices were working as designed, and customers (state/city governments) "wanted the devices to work that way (insecure)". The vendor added that it had resolved one of the issues in new equipment, without providing a means to update older kit, while stating that the flaws were neither critical nor important.

Cerrudo strongly disputes this assessment, arguing that an attacker could exploit the problems to cause traffic jams and problems at intersections. Part of the problem involves the ability to mess with electronic signs and traffic light signals, as Cerrudo explains.

It's possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed.

These traffic problems could cause real issues, even deadly ones, by causing accidents or blocking ambulances, fire fighters, or police cars going to an emergency call.

IOActive has a solid back catalogue of heavyweight research into security flaws in industrial control, including the discovery that hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings. El Reg is therefore inclined to take its concerns seriously, even absent the ability to grill the unnamed vendor involved.

Manual overrides and secondary controls might limit the scope for mischief, though it would be something of a gamble to rely on those – especially since exploits might be possible with a minimum of skill and investment, as Cerrudo explains.

The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less).

I even tested the attack launched from a drone flying at over 650 feet [200m], and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles [2-3km] away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.

It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.

What worries me the most is that if a vulnerable device is compromised, it's really, really difficult and really, really costly to detect it. So there could already be compromised devices out there that no one knows about or could know about.

Passive tests ("no hacking and nothing illegal") by Cerrudo on real-life deployments of traffic control systems in Seattle, New York, and Washington DC confirmed that devices were vulnerable, just as Cerrudo feared. Real-life deployments could have different configurations (different hardware/software versions) that might have thwarted attacks, but no such relief was discovered in the field.

"This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously," Cerrudo concludes.

A blog post featuring pictures and videos explaining Cerrudo's research can be found here.

Cerrudo is due to present more details on his research at the Infiltrate 2014 Conference in Miami Beach, USA next week. ®

Update

IOActive has identified the vendor who supplied kit it alleges to be vulnerable as Sensys Networks. El Reg has invited Sensys to comment on the research but has yet to hear back.

Bootnote

IOActive references scenes from Live Free or Die Hard (Die Hard 4) where "terrorist hackers" manipulate traffic signals. However, we make no apologies for referencing The Italian Job when it comes to talk of unleashing traffic chaos.
