How a hacker could cause chaos on city streets by Antone Gonsalves
Traffic is chaotic enough in major cities, but imagine how much worse it would be if a criminal hacker got control of the traffic lights.
That Hollywood scenario is what researchers at the University of Michigan proved could happen given the security flaws in today's traffic infrastructure.
[Survey: Most hackers do it for the lulz]
In a paper released this month, the researchers described how they were able to commandeer roughly 100 lights in an unnamed Michigan town. The study was done in cooperation with local authorities.
"Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage," the research said.
As hacking goes, the task of breaking into the traffic system wasn't difficult.
The first step is to buy the same radio found in a separate box or on one of the traffic lights on an intersection. Oftentimes, the manufacturer's name is on an external label at the radio's location.
The radio receives instructions from a city control room and passes it on to a controller that operates the lights. Each intersection has a radio and controller and all the radios are capable of passing instructions to each other.
For example, if traffic control officials want to time green lights on a particular road to keep traffic flowing during certain times of the day, they can do that by sending the instructions to one radio, which will pass them along to the others on the street.
Like many cities, the one where the research took place communicated with traffic lights wirelessly. By purchasing the same radio used by the city, the researchers were sure to use the same communications protocol.
In this case, it was NTCIP 1202, which is often used for radio to controller communications.
Manufacturers of traffic-light radios are suppose to sell these products only to governments, but "there's been a lot of literature on how easy it is to social engineer these people into selling you a radio," Branden Ghena, a doctorate student and co-author of the report, said.
Once the researchers had the radio and plugged it into a laptop, controlling the traffic lights was easy, because getting on the network did not require a password and the communications between radios and controllers were unencrypted.
The researchers blame the latter problem on the standards body that sets the NTCIP, which stands for the National Transportation Communications for Intelligent Transportation System (ITS) Protocol.
The NTCIP is a joint standard set by the National Electronics Manufacturers Association (NEMA), the American Association of State Highway and Transportation Officials (AASHTO), and the Institute of Transportation Engineers (ITE).
"The standards that define how you communicate with the traffic controller really don't go the distance in providing the security and access controls for these systems," Ghena said.
Once in the network, an attacker would not be able to switch lights to red, green and yellow. A safety feature called a malfunction management unit and required in all controllers is hardcoded to know all the safe patterns for traffic lights.
Trying an unsafe configuration would automatically send the light to blinking red. Therefore, a hacker would be limited to changing lights to red.
Nevertheless, a city filled with red lights would cause major traffic jams and chaos on the streets. To fix the mess, city workers would have to go to each intersection to reset the lights.
[How hackers used Google in stealing corporate data]
"The cost would be real in terms of man hours and money, but it wouldn't be as dangerous as a four-way green light would be," Ghena said.
Whether other towns and cities would be susceptible to the same attack would depend on their individual security mechanisms.
"There's lots of little simple things you can do to improve your security," Ghena said. "But to really fix the problem involves the standards organizations and the vendors getting together and really trying to make sure their systems are designed with security in mind."