Hacking Traffic Systems for Fun and Chaos

The devices that control traffic lights and electronic signs in many cities are vulnerable to a number of attacks, can be exploited quite easily and used to spread malware from device to device.

It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless entertainment for security folks, it turns out some of those attacks aren’t so far-fetched.

Cesar Cerrudo, a researcher and CTO at IOActive, decided to take a look at the security of some of the devices that control traffic lights and electronic signs in many cities around the world, and found that not only were the devices vulnerable to a number of attacks, but they could be exploited quite easily and perhaps could be used to spread malware from device to device. Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment.

Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment.

“The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less),” he wrote in a blog post on the research he conducted.

“I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.”

Cerrudo is not identifying the vendor involved in the research, or the specific vulnerabilities he discovered, until next month when he presents the results at the Infiltrate security conference. But he has reported the flaws to the vendor, through the ICS-CERT, and the vendor said it does not consider the issues to be security vulnerabilities, but rather expected behavior from the products.

Traffic lights and electronic signs on highways and streets are controlled by automated systems in many cities, and Cerrudo discovered that the vendor he was investigating has deployments of vulnerable systems in a number of countries, including the United States, China, the U.K., Australia and Canada. After doing some initial research, Cerrudo traveled to several U.S. cities, including New York and Washington, D.C., to confirm that the attacks he’d developed would work in the real world. He found that it was no problem to cause issues with traffic control systems by using the vulnerabilities he’d identified.

“It’s possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green (I bet many of you have experienced something like this as a result of driving during non-traffic hours late at night or being on a bike or in a small car), or flash. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed,” he said.

While the vulnerable devices are made by one vendor, Cerrudo said that there are a number of resellers who rebrand them and sell to customers directly. He said via email that getting the devices to test was not difficult. The response he got from the vendor, he said, was disheartening.

“I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn’t convince them. In the end I said, if the vendor doesn’t think they are vulnerable then OK, I’m done with this; I have tried hard, and I don’t want to continue wasting time and effort. Also, since DHS is aware of this (through ICS-CERT), and it seems that this is not critical nor important to them, then there isn’t anything else I can do except to go public,” he said.

“This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously.”

Image from Flickr photos of William Warby.

Suggested articles


  • Sal D'Agostino on

    Is it really news that these are vulnerable. In most cases you have local device controllers tied up to a supervisory. If you can get into a traffic cabinet in most cases you will be able to open a terminal and do about anything in maintenance modes. Doing this through the network is something else and depends one common threat occurs when these are segregated subnets with shoddy un pw, roles, etc.
  • Deramin on

    Here's a great use of hacking for a bad heist flick: A big robbery is pulled off and the crooks manipulate the streetlights to stay green for them while they make their escape and lock red in all directions behind or around them to block the police from responding. Add a bit of digital safe cracking, and I'd totally watch that.
    • Alan Clelland on

      It's called the Italian Job and it's been made twice .....
    • Cafe Hunk on

      Deramin - Already done - have you seen the Italian Job (2003)? Or did you steal the idea from Sean Fanning in his sleep?
  • Dave Aitel on

    INFILTRATE is in Miami on May 15th - www.infiltratecon.com
  • Jeff on

    It's already been done in a bad heist film: See The Italian Job (2003)
  • Mike Hamilton on

    Worse: creating traffic snarl so that public safety / emergency response can't get to the scene of a (e.g.) bombing, making it a force multiplier. Vendors that deploy this stuff never gave a thought to security, and too often the IT footprint is managed not by the IT organization, but by the traffic management staff themselves. These are the easiest control systems to compromise, because 2/3 of the work has been done for you by vendors and owner/operators.
  • AC on

    This is a feature not a bug. Police/Fire/Ambulance have devices in their vehicles that tell the sensors to change the lights. There used to be kits sold online that let you utilize the same system, but they were banned/ forced off the market. Anyone with a basic understanding of how the emergency control system on traffic lights work has know about the potential for misuse for years.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.