Dutch Hackers Found a Simple Way to Mess With Traffic Lights

by Andy Greenberg, WIRED magazine

By reverse engineering apps intended for cyclists, security researchers found they could cause delays in at least 10 cities from anywhere in the world.

In movies like Die Hard 4 and The Italian Job, hijacking traffic lights over the internet looks easy. But real-world traffic-light hacking, demonstrated by security researchers in years past, has proven tougher, requiring someone to be within radio range of every target light. Now a pair of Dutch researchers has shown how hackers really can spoof traffic data to mess with traffic lights easily from any internet connection—though luckily not in a Hollywood style that would cause mass collisions.

At the Defcon hacker conference Thursday, Dutch security researchers Rik van Duijn and Wesley Neelen will present their findings about vulnerabilities in an “intelligent transport” system that would allow them to influence traffic lights in at least 10 different cities in the Netherlands over the internet. Their hack would spoof nonexistent bicycles approaching an intersection, tricking the traffic system into giving those bicycles a green light and showing a red light to any other vehicles trying to cross in a perpendicular direction. They warn that their simple technique—which they say hasn’t been fixed in all the cases where they tested it—could potentially be used to annoy drivers left waiting at an empty intersection. Or if the intelligent transport systems are implemented at a much larger scale, it could potentially even cause widespread traffic jams………………………………..

Hacking traffic lights isn’t entirely new, though it’s rarely been so simple. Cesar Cerrudo, a researcher at security firm IOActive, revealed in 2014 that he had reverse engineered and could spoof the communications of traffic sensors to influence traffic lights, including those in major US cities. Researchers at the University of Michigan published a paper the same year on hacking the traffic controller boxes located at street intersections, which receive the inputs from road sensors. The vulnerabilities that Cerrudo and the Michigan researchers found likely affected far more traffic lights than those exposed by the Dutch researchers at Defcon. Cerrudo also says that he tested his technique in San Francisco a year after disclosing it to the affected sensor companies and found that it still worked there……………………

But even when the vulnerabilities they found are fixed, they say their research should serve as a warning about the more general risks of “smart” transportation infrastructure, as those systems roll out as key parts of optimizing urban traffic beyond a mere convenience for bicycles. “Imagine you could create hundreds of fake trucks across cities. If the wrong traffic lights start turning red, you have an issue, and it would cause huge delays,” van Duijn says. “Now that we’re talking about building these intelligent transport systems, we need to be damn sure to think more about security.”  Full article

DCL:  Spoofing sensors that control critical systems is an old old event processing trick that goes back to the great Australian sewage disaster of 2002. However it is still a mater of national concern for the power grid and other critical infrastructures so many years later — see  NIPC-6-15-2002