Traffic light vulns leave doors wide open to Italian Job-style hacks
Never mind blowing the bloody doors off, what about screwing up the rush hour?
Hackers may be able to create traffic chaos, just like Michael Caine's loveable rogue in classic Brit film The Italian Job, thanks to an alarming series of flaws discovered in traffic control systems.
Cesar Cerrudo, CTO at embedded security experts IOActive Labs, discovered that traffic control systems in cities around the world (US, UK, France, Australia, China, etc) were vulnerable to exploitation.
The vulnerabilities he uncovered could allow anyone to take complete control of the devices, to potentially chaotic effect. According to Cerrudo there are more than 50,000 traffic control devices out there that could be hacked.
IOActive contacted the affected vendor in September 2013 through ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team). The unnamed vendor downplayed the seriousness of the flaws, stating that the devices were working as designed, and customers (state/city governments) "wanted the devices to work that way (insecure)". The vendor added that it had resolved one of the issues in new equipment, without providing a means to update older kit, while stating the the flaws were neither critical nor important.
Cerrudo strongly disputes this assessment, arguing that an attacker could exploit the problems to cause traffic jams and problems at intersections. Part of the problem involves the ability to mess with electronic signs and traffic light signals, as Cerrudo explains.
It's possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed.
These traffic problems could cause real issues, even deadly ones, by causing accidents or blocking ambulances, fire fighters, or police cars going to an emergency call.
IOActive has a solid back catalogue of heavyweight research into security flaws in industrial control, including the discovery that hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings. El Reg is therefore inclined to take its concerns seriously, even absent of the ability to grill the unnamed vendor involved.
Manual overrides and secondary controls might limit the scope for mischief, though it would be something of a gamble to rely on those – especially since exploits might be possible with a minimum of skill and investment, as Cerrudo explains.
The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less).
I even tested the attack launched from a drone flying at over 650 feet [200m], and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles [2-3km] away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.
It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.
What worries me the most is that if a vulnerable device is compromised, it's really, really difficult and really, really costly to detect it. So there could already be compromised devices out there that no one knows about or could know about.
Passive tests ("no hacking and nothing illegal") by Cerrudo on real-life deployments of traffic control systems in Seattle, New York, and Washington DC confirmed that devices were vulnerable, just as Cerrudo feared. Real-life deployments could have different configurations (different hardware/software versions) that might have thwarted attacks, but no such relief was discovered in the field.
"This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously," Cerrudo concludes.
A blog post featuring pictures and videos explaining Cerrudo's research can be found here.
Cerrudo is due to present more details on his research at the Infiltrate 2014 Conference in Miami Beach, USA next week. ®
IOActive has identified the vendor who supplied kit it alleges to be vulnerable as Sensys Networks. El Reg has invited Sensys to comment on the research but has yet to hear back.
IOActive references scenes from Live Free or Die Hard (Die Hard 4) where "terrorist hackers" manipulate traffic signals. However, we make no apologies for referencing The Italian Job when it comes to talk of unleashing traffic chaos.