Traffic control systems ‘vulnerable to hacking’

Devices used by traffic control systems are vulnerable to being hacked, according to computer security specialist IOActive. Hackers could gain complete control of these devices and cause traffic issues for the cities in the US, UK, France, Australia, China and beyond.
Air Quality & Weather Systems / May 1, 2014
Devices used by traffic control systems are vulnerable to being hacked, according to computer security specialist IOActive. Hackers could gain complete control of these devices and cause traffic issues for the cities in the US, UK, France, Australia, China and beyond.

IOActive researcher CESAR Cerrudo, who examined the systems, said the hackers would not target the traffic lights directly but rather magnetic sensors embedded in streets that feed data to traffic control systems.

Cerrudo found that the systems lack basic security protections, such as data encryption and authentication, allowing the data to be monitored, or, theoretically, replaced with false information. So, although an attacker can’t control traffic signals directly through the sensors, he might be able to fool the control systems into reading congested roadways as clear or free-running roadways as congested, causing traffic signals to respond accordingly.

By exploiting the vulnerabilities he found, Cerrudo feels an attacker could cause traffic jams and problems at intersections, on freeways, highways and other areas.

Depending on the configuration it is possible to make traffic lights stay green for more or less time, stay red and not change to green or flash. Electronic signs could display incorrect speed limits and instructions, while ramp meters could allow cars on the freeway faster or slower than needed.  

Although manual overrides and secondary controls can be used if anomalies are detected, Cerrudo said the possibility of a real attack shouldn’t be disregarded as launching an attack is simple. Making an attack have a bigger impact would be more complex but not impossible.

Cerrudo said the vendor had been contacted in September 2013 through the 1742 Department of Homeland Security’s ICS-CERT. “I was told by ICS-CERT that the vendor said they didn't think the issues were either critical or even important.”

Regarding one of the vulnerabilities, the unnamed vendor is reported to have said the devices were designed that way as customers (state/city governments) wanted them to work that way and they were working as designed, so there wasn't a security issue.
“Yes that was the answer, I couldn't believe it,” he said.

His findings will be presented to the forthcoming Infiltrate conference in Florida.
For more information on companies in this article