In a few weeks, at WOOT (the USENIX Workshop on Offensive Technologies — an academic conference where security researchers demonstrate broken stuff), a team from the University of Michigan will be presenting a lovely paper, Green Lights Forever: Analyzing the Security of Traffic Infrastructure. It’s a short and fun read. In summary, it’s common for traffic light controllers to speak to each other over a 5.8 GHz wireless channel (much like WiFi, but a dedicated frequency) with no cryptography, default usernames and passwords, and well-known and exploitable bugs. Oh boy. And what can we do with that?
We want our traffic lights to coordinate with one another. This streamlines the flow of traffic. If an attacker can mess with that coordination in an arbitrary fashion, then they can, for example, ensure they always have green lights. They can ensure others don’t. The opportunities for mayhem may let your imagination wander to the low point of Bruce Willis’s career: Live Free or Die Hard, wherein cyber-baddies redirected traffic in a vain attempt to squish our action hero. In reality, probably not. One of the curious things about the computer design for traffic light controllers is that there are really two computers stacked one atop the other. The “MMU” (malfunction management unit) computer has a bunch of basic rules it has to enforce (e.g., minimum duration of yellow lights) and if the fancy controller tries to create panic at the disco, the MMU says “umm, no” and goes into flashing red, requiring somebody to manually come out and reset it. Which is to say, an attacker who wants to do more than a little tweaking here and there is likely to just dump all the lights into blinking-red mode and piss everybody off.
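To make the MMU’s role concrete, here is an added toy model of that supervisory interlock (it is not code from the paper or from any real controller); the rule set, the NS/EW approach names and the three-second yellow minimum are assumptions.

```python
from dataclasses import dataclass, field

MIN_YELLOW_S = 3.0              # assumed minimum yellow clearance, in seconds
CONFLICTS = [("NS", "EW")]      # assumed: these two approaches may never both show green


@dataclass
class Mmu:
    """Interlock: passes controller commands through until a rule breaks, then latches to flash."""
    fault: str = ""                            # empty string means no fault latched
    last: dict = field(default_factory=dict)   # approach -> (state, time that state began)

    def reset(self) -> None:
        """The manual, on-site reset the post mentions; nothing remote clears the latch."""
        self.fault, self.last = "", {}

    def check(self, t: float, cmd: dict) -> dict:
        """cmd maps approach -> 'red'|'yellow'|'green' at time t; returns what the heads show."""
        if not self.fault:
            for a, b in CONFLICTS:
                if cmd.get(a) == "green" and cmd.get(b) == "green":
                    self.fault = f"conflicting greens {a}/{b} at t={t}"
            for approach, state in cmd.items():
                prev, since = self.last.get(approach, (None, t))
                if prev != state:
                    if prev == "green" and state == "red":
                        self.fault = f"{approach} skipped yellow at t={t}"
                    elif prev == "yellow" and state == "red" and t - since < MIN_YELLOW_S:
                        self.fault = f"{approach} yellow only {t - since:.1f}s at t={t}"
                    self.last[approach] = (state, t)
        if self.fault:
            return {approach: "flash" for approach in cmd}
        return dict(cmd)


def run(schedule: list) -> tuple:
    """Feed (time, command) pairs through a fresh MMU; return the displays and the fault."""
    mmu = Mmu()
    return [mmu.check(t, cmd) for t, cmd in schedule], mmu.fault


# Constructed schedule: one normal cycle, then a yellow cut to a single second.
SCHEDULE = [
    (0.0, {"NS": "green", "EW": "red"}),
    (20.0, {"NS": "yellow", "EW": "red"}),
    (24.0, {"NS": "red", "EW": "green"}),    # 4 s of yellow: accepted
    (44.0, {"NS": "red", "EW": "yellow"}),
    (45.0, {"NS": "green", "EW": "red"}),    # 1 s of yellow: the MMU trips
    (60.0, {"NS": "green", "EW": "red"}),    # still flashing until a manual reset
]
```

Whatever the controller (or whoever is driving it) asks for after the trip, the heads stay in flash until `reset()` is called on site, which is the behaviour the post describes.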
So… I’m sure you’ve got questions. Let me see if I can anticipate them and act like I know what I’m talking about:
How hard is it to pull this off? Surprisingly easy. About the only thing that’s non-trivial is getting hold of the proper radio hardware, and that’s a pretty low bar.
How hard is it to fix this? Harder than you’d think. These radios do support WPA2 (the same crypto standard used to protect WiFi networks), and cities could deploy it. They’d inevitably end up using the same key material everywhere, but that’s certainly better than doing everything in the clear. More importantly, these signal lights were never really engineered to make software updates easy, unlike your smartphone or something that happily updates itself in the background. This means that latent bugs can be more easily found and exploited, simply by rummaging around in the list of bugs fixed in newer versions of the system.
Come on, nobody’s going to really do this. Sure, you go ahead and believe that, but wouldn’t you like to know that somebody can’t just arbitrarily screw with traffic? I can think of all sorts of nefarious reasons why an attacker might be financially incentivized to create carefully chosen local traffic jams.
This kind of information is too dangerous to be out in public! Whoa there. Just because it’s new to you doesn’t mean it’s new to the nefarious sorts. Sometimes, a little bit of public pressure is a very good thing to push vendors to fix their products and push customers to adopt the fixes. (There’s also an analogy here to the argument that gun control only limits the good guys’ guns. That particular argument is generally stronger when we’re talking about cyber weapons versus the traditional kinetic variety.)
Gosh, what would happen if future traffic light controllers didn’t have the MMU contraption? Arguably the MMU saved their bacon. Otherwise, the U. Michigan team would have been able to do much nastier things. Also, if we ever get autonomous intersections (great work from UT Austin, by the way), where self-driving robo-cars are negotiating their paths well in advance, getting rid of traditional stop lights altogether, then the security vulnerabilities would be a much, much more serious concern. Just watch the video below and cringe a bit.