We all know that any smart device or computer system can be hacked these days, but if you start actually enumerating all of the vulnerable gadgets, it gets a bit overwhelming. Phones, smart appliances, fitness trackers all connect to an app that stores your personal information. But that’s not all. Researchers at the University of Michigan recently published a paper in which they show how easy it is to hack traffic lights. Wonderful.
With the help of a Michigan road agency, the team hacked actual stoplights in a city in Michigan. They demonstrated that the current system of IP-based networked traffic lights that send and receive information from a central point might save money, but that its use of wireless radios is a vulnerability that’s troublingly easy to exploit.
The team used the same radio model as in the traffic network, which while not publicly available, wasn’t hard to obtain. All they had to do then was access the network at any point, and they could then control any of the network’s intersections. They demonstrated that a single hacker using a single entry point could wreak havoc on the “entire traffic infrastructure of a city.”
You know how some lights are timed so that if you follow the speed limit you pass under a series of green lights (and how some are timed such that you get one red light after another)? A hacker could make that happen, thus increasing his own chances of cruising through traffic or creating traffic slogs for others. Depending on where it happened, such a breach could case major traffic issues—in fact, they city a study showing that if 60 intersection timings were reconfigured in an area of Boston, the city could save $1.2 million a year, which means that the opposite could happen, too. Such hacks would also be difficult for law enforcement to identify.
In short, the three major vulnerabilities they found were the lack of network encryption, the lack of secure authentication of networked devices (they used default passwords), and the vulnerability of the central controller. But the good news is that the problem shouldn’t be too difficult or expensive to fix.
Wireless network encryption is a good first step, though they recommend a few back-ups, such as firewalls. Changing the default username and passwords on the networked devices would help too. Essentially, this is pretty basic stuff, and while it wouldn’t necessarily prevent all attacks, especially those “by a determined adversary,” it would make it a lot harder to break in. But the traffic controller vendor to whom the team spoke said that it “has followed the accepted industry standard and it is that standard which does not include security.” Well, that’s a great party line, no? I bet all it would take is one major traffic hack to change industry standard.