It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless entertainment for security folks, it turns out some of those attacks aren’t so far-fetched.
Cesar Cerrudo, a researcher and CTO at IOActive, decided to take a look at the security of some of the devices that control traffic lights and electronic signs in many cities around the world, and found that not only were the devices vulnerable to a number of attacks, but they could be exploited quite easily and perhaps could be used to spread malware from device to device. Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment.
“The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less),” he wrote in a blog post on the research he conducted.
“I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.”
Cerrudo is not identifying the vendor involved in the research, or the specific vulnerabilities he discovered, until next month when he presents the results at the Infiltrate security conference. But he has reported the flaws to the vendor, through the ICS-CERT, and the vendor said it does not consider the issues to be security vulnerabilities, but rather expected behavior from the products.
Traffic lights and electronic signs on highways and streets are controlled by automated systems in many cities, and Cerrudo discovered that the vendor he was investigating has deployments of vulnerable systems in a number of countries, including the United States, China, the U.K., Australia and Canada. After doing some initial research, Cerrudo traveled to several U.S. cities, including New York and Washington, D.C., to confirm that the attacks he’d developed would work in the real world. He found that it was no problem to cause issues with traffic control systems by using the vulnerabilities he’d identified.
“It’s possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green (I bet many of you have experienced something like this as a result of driving during non-traffic hours late at night or being on a bike or in a small car), or flash. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed,” he said.
While the vulnerable devices are made by one vendor, Cerrudo said that there are a number of resellers who rebrand them and sell to customers directly. He said via email that getting the devices to test was not difficult. The response he got from the vendor, he said, was disheartening.
“I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn’t convince them. In the end I said, if the vendor doesn’t think they are vulnerable then OK, I’m done with this; I have tried hard, and I don’t want to continue wasting time and effort. Also, since DHS is aware of this (through ICS-CERT), and it seems that this is not critical nor important to them, then there isn’t anything else I can do except to go public,” he said.
“This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously.”
Image from Flickr photos of William Warby.