Hacking Traffic Lights for Fun and Profit!

Dan Wallach
by Dan Wallach
hacking traffic lights for fun and profit

In a few weeks, at WOOT (the USENIX Workshop on Offensive Technologies — an academic conference where security researchers demonstrate broken stuff), a team from the University of Michigan will be presenting a lovely paper, Green Lights Forever: Analyzing the Security of Traffic Infrastructure. It’s a short and fun read. In summary, it’s common for traffic light controllers to speak to each other over a 5.8GHz wireless channel (much like WiFi, but a dedicated frequency) with no cryptography, default usernames and passwords, and well-known and exploitable bugs. Oh boy. And what can we do with that?

We want our traffic lights to coordinate with one another. This streamlines the flow of traffic. If an attacker can mess with that coordination in an arbitrary fashion, then they can for example ensure they always have green lights. They can ensure others don’t. The opportunities for mayhem may seemingly allow your imagination to wander to the low point of Bruce Willis’s career: Live Free or Die Hard, wherein cyber-baddies redirected traffic in a vain attempt to squish our action hero. In reality, probably not. One of the curious things about the computer design for traffic light controllers is that there are really two computers stacked one atop the other. The “MMU” computer has a bunch of basic rules it has to enforce (e.g., minimum duration of yellow lights) and if the fancy controller tries to create panic at the disco, the MMU says “umm, no” and goes into flashing red, requiring somebody to manually come out and reset it. Which is to say, an attacker who wants to do more than a little tweaking here and there is likely to just dump all the lights into blinking-red mode and just piss everybody off.

So… I’m sure you’ve got questions. Let me see if I can anticipate them and act like I know what I’m talking about:

How hard is it to pull this off? Surprisingly easy. About the only thing that’s non-trivial is getting hold of the proper radio hardware, and that’s a pretty low bar.

How hard is it to fix this? Harder than you’d think. These radios do support WPA2 (the same crypto standard used to protect WiFi networks), and cities could deploy it. They’d inevitably end up using the same key material everywhere, but that’s certainly better than doing everything in the clear. More importantly, these signal lights were never really engineered to be easy to apply software updates, unlike your smartphone or something that happily updates itself in the background. This means that latent bugs can be more easily found and exploited, simply by rummaging around in the list of bugs fixed in newer versions of the system.

Come on, nobody’s going to really do this. Sure, you go ahead and believe that, but wouldn’t you like to know that somebody can’t just arbitrarily screw with traffic? I can think of all sorts of nefarious reasons why an attacker might be financially incentivized to create carefully chosen local traffic jams.

This kind of information is too dangerous to be out in public! Whoa there. Just because it’s new to you doesn’t mean it’s new to the nefarious sorts. Sometimes, a little bit of public pressure is a very good thing to push vendors to fix their products and push customers to adopt the fixes. (There’s also an analogy here to the argument that gun control only limits the good guys’ guns. That particular argument is generally stronger when we’re talking about cyber weapons versus the traditional kinetic variety.)

Gosh, what would happen if future traffic light controllers didn’t have the MMU contraption? Arguably the MMU saved their bacon. Otherwise, the U. Michigan team would have been able to do much nastier things. Also, if we ever get autonomous intersections (great work from UT Austin, by the way), where self-driving robo-cars are negotiating their paths well in advance, getting rid of traditional stop lights altogether, then the security vulnerabilities would be a much, much more serious concern. Just watch the video below and cringe a bit.

Join the conversation
2 of 22 comments
  • Kyree Kyree on Jul 29, 2014

    Huh. Suddenly I have an itch to go buy stuff at RadioShack and I don't know why...

  • Lorenzo Lorenzo on Jul 29, 2014

    The problem is real, but the solution is relatively cheap and simple: the controller designs are ancient and should have been upgraded ages ago, but weren't because the issue isn't sexy enough for bureaucrats and lawmakers. From what I've seen, when lawmakers DO get involved, the problem gets worse before it gets better. It's amazing how scientifically and technically illiterate our elected officials are. They're fiscally incompetent too, and that's actually part of their jobs. Expect a high profile crisis, probably terrorist-inspired (but not terrorist created) and the solution installed quickly, with federal funding and a bunch of new laws for Homeland Security to oversee, with stiff penalties.

  • ToolGuy CXXVIII comments?!?
  • ToolGuy I did truck things with my truck this past week, twenty-odd miles from home (farther than usual). Recall that the interior bed space of my (modified) truck is 98" x 74". On the ride home yesterday the bed carried a 20 foot extension ladder (10 feet long, flagged 14 inches past the rear bumper), two other ladders, a smallish air compressor, a largish shop vac, three large bins, some materials, some scrap, and a slew of tool cases/bags. It was pretty full, is what I'm saying.The range of the Cybertruck would have been just fine. Nothing I carried had any substantial weight to it, in truck terms. The frunk would have been extremely useful (lock the tool cases there, out of the way of the Bed Stuff, away from prying eyes and grasping fingers -- you say I can charge my cordless tools there? bonus). Stainless steel plus no paint is a plus.Apparently the Cybertruck bed will be 78" long (but over 96" with the tailgate folded down) and 60-65" wide. And then Tesla promises "100 cubic feet of exterior, lockable storage — including the under-bed, frunk and sail pillars." Underbed storage requires the bed to be clear of other stuff, but bottom line everything would have fit, especially when we consider the second row of seats (tools and some materials out of the weather).Some days I was hauling mostly air on one leg of the trip. There were several store runs involved, some for 8-foot stock. One day I bummed a ride in a Roush Mustang. Three separate times other drivers tried to run into my truck (stainless steel panels, yes please). The fuel savings would be large enough for me to notice and to care.TL;DR: This truck would work for me, as a truck. Sample size = 1.
  • Art Vandelay Dodge should bring this back. They could sell it as the classic classic classic model
  • Surferjoe Still have a 2013 RDX, naturally aspirated V6, just can't get behind a 4 banger turbo.Also gloriously absent, ESS, lane departure warnings, etc.
  • ToolGuy Is it a genuine Top Hand? Oh, I forgot, I don't care. 🙂