We’ve all seen the scenes in movies or games where attackers hack traffic lights to set the colors to their liking, but could this scenario be real?
Bad actors change the colors for various reasons: to stop someone, to get somewhere faster, or to cause traffic accidents, all just by typing a few commands on a laptop. We probably assume that an attack like this is not so easy, because it is not something we see every day, but is it at least possible?
First, we have to understand how traffic lights work.
If the traffic light is installed to allow pedestrians to cross, it is most likely button-based and will show a red light to vehicles when a pedestrian wants to cross.
At a set time interval, the colors will switch from green to red, giving priority to the other roads.
Detectors are installed in the asphalt and can detect vehicles crossing or stopping. Usually the traffic light on a secondary road is set to red and changes to green when a vehicle arrives. Detectors can also be installed at the end of the street to detect heavy traffic: when they trigger, the street has filled with waiting cars, and the traffic light can keep the green light on longer to ease the traffic.
Intelligent webcams can be used to detect how heavy the traffic is and to adjust the light timing based on that.
Choosing the right solution depends on the intersection. For example, a timing-based traffic light is more efficient in urban areas. If such a solution is used in a rural area, vehicles can get a red light for no reason.
Another example is microwave sensors, which are easier to install and maintain but can struggle when there are obstructions or extreme weather.
Multiple solutions that work together can be implemented in one intersection, and this is actually what we find in a modern intersection. Multiple sensors are used to ensure that the information received from the traffic is accurate, regardless of car speed, bad weather, or a sensor failure.
A Traffic Control Cabinet, also called a Traffic Signal Controller or Traffic Light Controller (TLC), is a cabinet mounted near the intersection and used to manage the commands sent to the traffic lights. The TLC receives information from the installed sensors and then sends commands on to the traffic lights. Based on the traffic, the TLC can change signal phases, adjust the signal timing, adjust the cycle length and much more.
A single cabinet can manage multiple intersections, and cabinets are periodically maintained by authorized persons to verify that everything is working properly. In a TLC we can find a controller, switches, a communication module, a power supply, a Malfunction Management Unit (MMU) and other components.
More about what is inside a traffic controller can be found at:
A Traffic Management Center (TMC), or Traffic Signal Control Center (TSCC), is a specialized center equipped with technologies and systems to monitor, manage and control traffic flow. These centers use real-time data from sensors and cameras to optimize the signal timing. The TMC's primary goal is to optimize traffic conditions, enhance safety, and respond efficiently to incidents or emergencies. Even though a center like this can control the traffic lights remotely, it cannot change the color of a traffic light instantaneously; usually it modifies the signal timing.
Now that we understand how traffic lights work, how can they be hacked?
Even if it is not a great idea, someone with access to the TLC can prioritize a road by turning its light green. This is done by authorized people when emergency vehicles need to skip the red lights. The traffic lights exchange information over special protocols, and persons authorized for maintenance only need to connect via Ethernet to a local cabinet to be part of the network.
This is again a method used by emergency vehicles to change the color to green. For it to work, the intersection needs to have an opticom installed. An authorized person can send signals using an opticom emitter; the receiver passes this information to the TLC, which prioritizes the specific road so that it instantly gets a green light.
It is a common myth that flashing your headlights at the traffic lights will turn the light green, but this is not true: the opticom works on a specific frequency. A similar emitter can be crafted using a Flipper Zero:
A Flipper Zero cannot change the traffic lights using only its own functionality, but it can be used to modify the frequency of an infrared LED.
We will now look at 3 pieces of research done on this subject in recent years:
In some intersections around the world, wireless sensors mounted in the ground are used, which are basically magnetometers. In this configuration, an Access Point is also installed, and its role is to take the information from the sensors and send it to a TLC. Another device used is the Repeater, which transmits the information further to other nearby intersections.
At the DEF CON 22 conference in 2014, Cesar Cerrudo presented how these devices do not use encryption in communication and do not require authentication. The Access Points must be accessed from an internal network, but the Repeaters and the sensors can be accessed wirelessly. These sensors began to be deployed in large numbers at that time in America, and Cesar Cerrudo demonstrated how you can take over the traffic between an Access Point and a sensor if you own such a device (which he managed to obtain through phishing). He showed how fake data can be sent to the sensors to simulate the presence of a car, thus changing the color of the traffic light to green. The data can also be intercepted with a wireless transceiver, but it needs to be analyzed to understand the protocol, which is why the Access Point was used.
The conference can be found below:
Firmware updates started to be encrypted for the new versions of the sensors, but those that are already mounted in the streets will remain vulnerable. The company said that the battery would run for 10 years, so it is possible that all the sensors will be replaced over the coming years.
As we can see, technology is evolving and new traffic management solutions are being researched. Because of the distances involved, installing and maintaining the usual infrastructure became more complicated, and this is why new communication methods were chosen.
The paragraph below is taken from the next piece of research:
Traffic signals were originally designed as standalone hardware, each running on fixed timing schedules, but have evolved into more complex, networked systems. Traffic controllers now store multiple timing plans, integrate varied sensor data, and even communicate with other intersections in order to better coordinate traffic. Studies have shown the benefits of a well-coordinated traffic signal system in terms of wasted time, environmental impact, and public safety, but coordination has been difficult to achieve due to the geographic distribution of roadways and the cost of physical connections between intersections. Wireless networking has helped to mitigate these costs, and many areas now use intelligent wireless traffic management systems. This allows for new capabilities including real-time monitoring and coordination between adjacent intersections. However, these improvements have come with an unintended side effect. Hardware systems that had previously been only physically accessible are now remotely accessible and software controlled, opening a new door for attackers.
https://jhalderm.com/pub/papers/traffic-woot14.pdf
In another piece of research from 2014, Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman of the University of Michigan carried out a security evaluation of the wireless traffic signal system deployed in the United States. They managed to connect to the network, access the TLC and then control the traffic lights from there. The TLCs communicate with each other or with a central server through wires, but this becomes difficult to maintain over longer distances. In this scenario, the researchers said that radios are used in a point-to-point or point-to-multipoint configuration to provide connectivity. “The system we investigated uses commercially available radios that operate on the ISM band at either 5.8 GHz or 900 MHz. One intersection acts as a root node and connects back to a management server under the control of the road agency”. The 5.8 GHz radios provide higher data rates, and the 900 MHz radios are used when obstructions exist between the intersections.
The vulnerabilities found by the researchers were that the network is unencrypted, the devices use default credentials and the TLC is vulnerable to known exploits. They managed to access the network using a radio produced by the same vendor. Then, for the TLC, they used a debug port that was left open and, as a second method, a remote control functionality built into the controller. After gaining access to the TLC, the researchers explained what types of attacks a bad actor could perform:
You might expect that once an attacker controls the TLC remotely, attacks such as giving multiple traffic lights a green light at once would be possible, but not really. Every TLC has an MMU installed, and if an unsafe configuration is detected (such as multiple green lights), the MMU overrides the TLC and forces a safe configuration. This safe configuration makes the traffic lights blink red, and manual intervention is required to reset this state. The MMU was designed to intervene in multiple scenarios that could put lives in danger. However, with physical access to a TLC, a bad actor can remove the fail-safe equipment and perform dangerous attacks.
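The fail-safe behaviour described above can be modelled in a few lines. This is an added sketch, not code from the paper or from any vendor: the four phase names, the conflict table and the `ConflictMonitor` class are hypothetical, and treating yellow as a permissive signal alongside green is an assumption of the sketch.

```python
from itertools import combinations

# Constructed conflict table for a hypothetical four-phase intersection:
# each pair lists two phases that must never be permissive at the same time.
CONFLICTS = frozenset({
    frozenset({"NS", "EW"}),
    frozenset({"NS", "EW_LEFT"}),
    frozenset({"EW", "NS_LEFT"}),
    frozenset({"NS_LEFT", "EW_LEFT"}),
})
PERMISSIVE = ("green", "yellow")  # assumption: yellow counts like green


class ConflictMonitor:
    """Sits between controller and signal heads; latches into flashing red."""

    def __init__(self, conflicts):
        self.conflicts = conflicts
        self.latched = False
        self.fault = None  # the conflicting pair that tripped the monitor

    def check(self, commanded):
        """commanded maps phase -> colour requested by the controller.
        Returns the colours actually driven to the signal heads."""
        if not self.latched:
            active = sorted(p for p, c in commanded.items() if c in PERMISSIVE)
            for a, b in combinations(active, 2):
                if frozenset({a, b}) in self.conflicts:
                    self.latched, self.fault = True, (a, b)
                    break
        if self.latched:
            # Safe state: every head flashes red, whatever the controller says.
            return {phase: "flash_red" for phase in commanded}
        return dict(commanded)

    def manual_reset(self):
        """Only an on-site technician action clears the latch."""
        self.latched, self.fault = False, None
```

The latch is the important property: once tripped, later valid commands from a controller that may be compromised are ignored until someone resets the cabinet on site.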
The full research can be found below:
At DEF CON 2020, Wesley Neelen and Rik van Duijn presented tests they performed in the Netherlands on a new application developed to exchange information between traffic elements. They said that traffic lights have started to be replaced with intelligent traffic lights. The devices used in traffic control and the vehicles are connected to a cloud service, and vehicles can communicate using a mobile application or an on-board computer. Vehicles send various information about themselves using CAM messages, and the type of vehicle determines which vehicle has a higher priority. Emergency vehicles automatically have the highest priority.
The two researchers noticed that there are applications a cyclist can use to communicate within this infrastructure, so that when he approaches a traffic light he sends the appropriate signals and receives a green light. Their research consisted of analyzing an application used by cyclists, and using Frida they discovered that they could manipulate certain data before it was sent on. The two managed to simulate the existence of a bicycle and send a signal to change the color of the traffic light to green. The good part is that there is no conflict: if the traffic is heavy, the cyclist will have to wait a while to receive priority of passage. However, this can be abused by sending false data, making intersections harder to get through and making real traffic participants wait at a red light for no reason.
The main problem they found is that there is no authentication and traffic participants are not distinguished from each other: no one knows who you are or whether you are authorized or not.
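One way a receiving service could close that gap is sketched below as an added example; it is not the researchers' code or the real CAM format. The message fields, the device registry and the per-device HMAC keys are all hypothetical, and a shared-key HMAC stands in here for whatever signing scheme a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed registry: device id -> (key, role fixed at enrolment).
REGISTRY = {
    "bike-0001": (b"constructed-key-bike", "bicycle"),
    "amb-0042": (b"constructed-key-ambulance", "emergency"),
}
MAX_AGE_S = 5   # reject requests older than this many seconds
SEEN = set()    # (device_id, nonce) pairs already accepted (unbounded in this sketch)


def _tag(key, device_id, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, device_id.encode() + b"|" + body, hashlib.sha256).hexdigest()


def sign(device_id, key, payload):
    """Client side: attach an authentication tag to a priority request."""
    return {"device_id": device_id, "payload": payload,
            "tag": _tag(key, device_id, payload)}


def verify(msg, now):
    """Server side: return the enrolled role if the request is authentic,
    fresh and not a replay; otherwise return None."""
    entry = REGISTRY.get(msg.get("device_id"))
    payload, tag = msg.get("payload"), msg.get("tag")
    if entry is None or not isinstance(payload, dict) or not isinstance(tag, str):
        return None
    key, role = entry
    expected = _tag(key, msg["device_id"], payload)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    ts, nonce = payload.get("ts"), payload.get("nonce")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_AGE_S:
        return None
    if nonce is None or (msg["device_id"], nonce) in SEEN:
        return None
    SEEN.add((msg["device_id"], nonce))
    # Priority follows the enrolled role, never payload["vehicle_type"].
    return role
```

Because the role comes from enrolment, a client that rewrites its own request fields before sending them cannot promote itself to a higher priority class, and a captured request cannot be replayed.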
The conference can be found below:
The last method of hacking traffic lights would be to hack into the Traffic Management Center 😂. An attacker who compromises the TMC will be able to control the traffic lights remotely but, as I mentioned previously, not instantly.
Usually the communication between the TLC and the TMC goes over wires, but remote control configurations could exist as well. If the communication is not encrypted, an attacker could perform man-in-the-middle attacks, DoS or jamming against the traffic lights.
I hope it is clear that all the techniques described above are illegal if you are not authorized.
From the research conducted by professionals, we conclude that hacking traffic lights depends very much on the configuration that exists on-site. We have to understand how the intersection communicates and which sensors are used. There are many things that must be taken into account, and we can see that new technologies are starting to be implemented. Even if wireless devices seem to be the new target, they are not present all over the world, and old methods are still used in small cities. In most intersections these new wireless communication devices will not be installed, and physical access will still be required. In any case, the main problem found is that security is not taken seriously, and these solutions are put into production without the necessary security measures. Attacks can be prevented just by fixing common issues, such as encrypting the communication or changing the default credentials of the devices. As the researchers from Michigan said in their article:
The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness.
https://jhalderm.com/pub/papers/traffic-woot14.pdf