
It's Easy To Hack Traffic Lights

Soulskill posted about 4 months ago | from the looking-forward-to-the-mobile-app dept.

Transportation 144

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.


Old news (4, Informative)

neglogic (877820) | about 4 months ago | (#47728255)

This was central to the plot of the Italian Job. The real Napster took care of it.

Re:Old news (1)

ArcadeMan (2766669) | about 4 months ago | (#47728271)

This only proves that Italian traffic lights are easy to hack.

Re: Old news (0)

Anonymous Coward | about 4 months ago | (#47729481)

Watch the movie. The last job is like the Italian job only in how they relocate the safe. The last job takes place in LA.

Re:Old news (2)

Kozar_The_Malignant (738483) | about 4 months ago | (#47729813)

This only proves that Italian traffic lights are easy to hack.

Who cares? No one pays attention to Italian traffic lights anyway. A red light is not even a suggestion; it's an insult.

Re:Old news (1)

davester666 (731373) | about 4 months ago | (#47731211)

A red light is a request to accelerate.

Re:Old news (1)

k6mfw (1182893) | about 4 months ago | (#47730115)

This only proves that Italian traffic lights are easy to hack.

but how many young techies know how to hack something like this,
http://www.wired.com/wp-conten... [wired.com]

Re:Old news (1)

the_skywise (189793) | about 4 months ago | (#47728563)

ptphpt... Zero Cool did it while the real Napster was still in diapers.

Re:Old news (0)

Anonymous Coward | about 4 months ago | (#47729387)

Professor Peach did it before Zero Cool was a gleam in his father's eye.

(Good name: Zero Cool is quite descriptive of how cool he actually is.)

Re: Old news (1)

andy_spoo (2653245) | about 4 months ago | (#47728829)

The 'Italian Job' was the first thing I thought of when I read that as well. It's got to be done, sorry, but "You're only meant to blow the bloody doors off" :-)

Re: Old news (2)

k6mfw (1182893) | about 4 months ago | (#47729905)

same with me, hacking traffic lights and reminded me of Benny Hill as the professor inserting hacked tape into the control system deck. Michael Caine said to the other members of his team though professor had "interesting reading material" to not make fun of him because he is very important for the job. I saw the movie last month (previously saw it in 1970s), featured the Mini Coopers that were screamers (back in the days almost all small cars were slow), Italian constantly honking horns (most in those little Fiats). In real life they do that even when traffic isn't moving.

Re: Old news (1)

rHBa (976986) | about 4 months ago | (#47730641)

Sorry, mis-moderated...

See: Hackers(1995) (0)

Anonymous Coward | about 4 months ago | (#47728283)

n/t

Welcome to the Information Age! (5, Insightful)

sinij (911942) | about 4 months ago | (#47728285)

It is scary how many industries (e.g. autos, "smart" electronics, control systems) are decades behind state of the art security. We will have a lot of growing pains to get out "only computer guys need to do this".

Re:Welcome to the Information Age! (5, Informative)

Mr D from 63 (3395377) | about 4 months ago | (#47728393)

From TFA,

In fact, the most upsetting passage in the entire paper is the dismissive response issued by the traffic controller vendor when the research team presented its findings. According to the paper, the vendor responsible stated that it "has followed the accepted industry standard and it is that standard which does not include security."

Don't blame the vendor, blame the standard. The vendor that includes security in his bid will have a higher price and lose to the vendor that doesn't.

Re:Welcome to the Information Age! (4, Insightful)

sinij (911942) | about 4 months ago | (#47728475)

"Acceptable industry standard" is not a standard, it is status quo. You have to blame municipalities for complete lack of understanding of these security concerns.

Next, script kiddies causing couple fender-benders and every municipality having to upgrade traffic light systems at a "I want it yesterday" premium. Then higher property taxes to pay for such monumental lack of planning and foresight.

Re:Welcome to the Information Age! (3, Insightful)

Chris Mattern (191822) | about 4 months ago | (#47728495)

And who will be blamed? Why, the researchers who discovered this incredible negligence, of course! "If you hadn't shown the hackers how to do it, we never would have this problem!"

Re:Welcome to the Information Age! (1)

sinij (911942) | about 4 months ago | (#47728535)

This is indeed the likely outcome of this debacle. If it comes to court, I will personally pitch-in for defense fund.

Still, it is surprising that nobody looked into these systems before. The technology to do so existed for many years.

Re:Welcome to the Information Age! (0)

Anonymous Coward | about 4 months ago | (#47728811)

What makes you think we haven't? You know all those "lucky" people who rarely get a red light? It's not luck.

Re:Welcome to the Information Age! (3, Insightful)

Mr D from 63 (3395377) | about 4 months ago | (#47728537)

Most of those who do the purchasing are required to enforce the standards. Deviating, even with the intent of improvement, can bring unintended consequences and blame. For instance, add security, then all of a sudden maintenance access doesn't work because it's different, complaints and blame fly. Just one possible example of many things that can happen, thus they have standards and are required to use them.

Re:Welcome to the Information Age! (1)

aaarrrgggh (9205) | about 4 months ago | (#47729759)

"Standard of Care" would be the correct term.

Re:Welcome to the Information Age! (1)

Belial6 (794905) | about 4 months ago | (#47730079)

This is just a "on a computer" issue. If I want traffic lights to behave badly, I could easily do it without connecting into the automation side of it. A few colored LED disks attached in front of the existing lights and I get the same effect with no hacking involved. It is like people worrying that their car's drive by wire breaking system will get hacked because they believe it is so much more likely than having their break line cut.

Re:Welcome to the Information Age! (1)

sinij (911942) | about 4 months ago | (#47730293)

If I can mess with your drive-by-wire system remotely, then yes, it is A LOT more likely to happen than having line cut.

Re: Welcome to the Information Age! (0)

Anonymous Coward | about 4 months ago | (#47731475)

Good thing my car doesn't have these "break" lines you (and other dumb people) seem to have.

Re:Welcome to the Information Age! (1)

omnichad (1198475) | about 4 months ago | (#47731699)

I think it's a bit more likely to go undetected if you do it wirelessly.

Re:Welcome to the Information Age! (1)

michelcolman (1208008) | about 4 months ago | (#47730147)

And how exactly would a simple password result in a higher price?

They are using standard IP software (as evidenced by the fact that the "attackers" could join without the slightest effort), and I'm sure that software has the option of requiring a password to join the network. All they had to do is tick the box, pick a password, and hardcode the password into the traffic lights software. I know, not the best solution, but surely better than using no password at all.

So don't tell me cost was the reason. Basic negligence (and possibly bad intentions, hoping for a new juicy contract for an "improved" system once someone exploits it) are the real reasons.

Re:Welcome to the Information Age! (1)

Mr D from 63 (3395377) | about 4 months ago | (#47730273)

And how exactly would a simple password result in a higher price?

That completely misses the point, even if adding a simple password were the answer. If a standard is not sufficient, it should be changed. Don't blame the buyer or the vendor. For things like traffic lights, you want them all to be as alike as possible to save costs, be it purchasing requirements, maintenance and troubleshooting, and operation. That is why there are standards and why they are followed and why there are costs associated with deviating from the standard.

Re:Welcome to the Information Age! (1)

omnichad (1198475) | about 4 months ago | (#47731713)

What makes you think there are standards? I can almost guarantee that you're vendor-locked the moment you start building the system.

Re:Welcome to the Information Age! (0)

Anonymous Coward | about 4 months ago | (#47728421)

Not really that scary unless you are paranoid.

The effort to kill someone is far less than the effort needed to hack the traffic lights. Why don't we put more effort in making it harder to kill people? Well, the main reason is that the vast majority of the population has no interest in killing.
You can walk around feeling safe, knowing that no one has any particular interest in killing you. If they wanted to they could have shot you years ago when you went to the grocery store.

Re:Welcome to the Information Age! (2)

sinij (911942) | about 4 months ago | (#47728441)

This is not "going after you" concern, this is general mayhem concern.

Single stoplight can easily add +10 minutes of traffic to my commute. I imagine once Metasploit module for this comes out, some script kiddie would be able to turn everyone's commute to living hell for a considerable period of time.

Re:Welcome to the Information Age! (0)

Anonymous Coward | about 4 months ago | (#47728775)

You can not afford the safety you are asking for, unless I have misunderstood you and your only concern is the functionality of traffic lights in which case I consider you a nutjob.
To secure everything around you from the elevator control panel to every building wall to the extent that it won't harm you even if intentionally tampered with.. well.. have a look at the health care system. We are willing to let people die for costs that aren't even a fraction of what you are asking for.

Re:Welcome to the Information Age! (1)

aaarrrgggh (9205) | about 4 months ago | (#47729825)

I started to rebut your comment... but then actually came to agree. The cost of fixing this problem is huge; any traffic light pedestal could be an entry point from a "trusted" point on the system, and I have seen several in Los Angeles unlocked. Effectively the problem is reduced to if you have physical access to the machine there isn't much you can do for security.

Re:Welcome to the Information Age! (1)

aaarrrgggh (9205) | about 4 months ago | (#47729861)

There is one option; the PLCs fail to a "safe" mode and ignore the network if the validation PLC (not networked) detects an anomaly. Stoplight timing is out the window, but green lights in all directions would not be possible.

Re:Welcome to the Information Age! (1)

sinij (911942) | about 4 months ago | (#47730181)

Understandably, I 100% disagree. It is possible to secure almost everything. How? Use the goddamn airgap! Don't network what you can't reasonably secure from tampering.

Everything from the elevator control panel to SCADA have no place being remotely accessible! If you do need remote functionality, you better secure it!

Re:Welcome to the Information Age! (2)

gtall (79522) | about 4 months ago | (#47728463)

A tree limb falls on a vehicle and kills the driver. When asked about it, the county highway department issued a statement saying that tree had never shown any intent to fall before and hence there was no reason to suspect that it would fall this time. The public can feel safe knowing that trees do not have any particular interest in killing you. If they wanted to do, they could have fallen on you years ago when you went to the grocery store.

Re:Welcome to the Information Age! (2)

rmdingler (1955220) | about 4 months ago | (#47728515)

Nothing will be done until the vulnerability is exploited, and even then it will be measured against a cost/benefit actuarial table.

"Since a clean room will eventually devolve into a dirty room, there's no point in cleaning it."

Re:Welcome to the Information Age! (1)

Anonymous Coward | about 4 months ago | (#47728973)

"Not really that scary unless you are paranoid.
The effort to kill someone is far less than the effort needed to hack the traffic lights."

Indeed. I'd prefer it if they'd sell an 'always green' gadget on aliexpress for 25 bucks.

Re:Welcome to the Information Age! (3, Insightful)

nine-times (778537) | about 4 months ago | (#47728569)

No, it's scary how much we still don't care about security. These things could definitely be fixed, we just don't care to fix them. We don't demand security in the first place, we aren't willing to pay for security, and we aren't really willing to fix security when it's broken. People will run around looking for blood for 5 minutes when it's discovered that there are huge security flaws, but nobody will fix them.

Remember all the news when it was discovered that a person could easily and untraceably hack voting machines? Do you think that was ever fixed? The way we use credit cards is insecure. Most email is unencrypted. We use Social Security Numbers as both an identifier and a form of authentication.

Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.

Re:Welcome to the Information Age! (4, Insightful)

Lumpy (12016) | about 4 months ago | (#47728713)

"we aren't willing to pay for security" It's worse than that. It also stems from the fact that the people in charge, the guys making big bucks making decisions, are horribly undereducated.

If you ask the guy that is in charge of the city's traffic lights to explain in detail how the system works he will NOT be able to tell you. We as a society do not put in leadership positions the best and brightest. We instead promote those that can suck up the best and schmooze the best.

And it's now biting us in the ass because the decision makers in general are dumb as a box of rocks. And when faced with a problem they simply say "I don't know" or try to scream how we need more laws instead of actually learning what the problem is and fixing it.

people charge of traffic lights are engineers but (1)

Joe_Dragon (2206452) | about 4 months ago | (#47728801)

People in charge of traffic lights are engineers but not likely to be EEs or tech people. They may know somewhat about how they work but maybe not the deep tech parts. The engineers in charge are traffic / construction engineers.

Re:people charge of traffic lights are engineers b (1)

TWX (665546) | about 4 months ago | (#47729001)

Civil engineers that design traffic flow systems are looking at the problem from a macro-scale, and from a traffic-perspective, not from a security or physical device perspective.

It's the job of the designer/implementer to put the security into the system. In that sense the vendor and manufacturer should be held liable, not the customer.

Re:people charge of traffic lights are engineers b (0)

Anonymous Coward | about 4 months ago | (#47730199)

Yes, but the customer should probably be specifying some level of security in their requirements.
From the standpoint of managing or architecting the product, if there isn't a specific requirement for such a feature, then you don't actually have any spec to design it to, and it's one more thing that you have to document and test before you can release your product.

Re:people charge of traffic lights are engineers b (1)

ortholattice (175065) | about 4 months ago | (#47730017)

I once knew a traffic-light engineer who was an EE with a BS. I mentioned that I thought it was annoying not to have sensors on lights in rarely-used cross streets, since it wastes a lot of gas to have the main throughway traffic constantly stopping for no reason, not to mention wasting people's time. He said that if you put in a sensor, people will get used to the light always being green, and in the rare case it turns red they will tend not to stop and will cause more accidents. He was very strongly opposed to such sensors - arguing supposedly from experience as a professional and an expert - and our argument started to become, well, heated, so I just let it go. I really doubt what he said is supported by statistics, but his attitude was an example of the thinking of the people designing the lights.

(This was a couple of decades ago. Maybe the thinking has changed since I do see more sensors these days, but still not nearly enough. Often they seem poorly designed, such as unnecessarily waiting a full cycle before changing even if there is no cross traffic.)

Re:people charge of traffic lights are engineers b (1)

cnaumann (466328) | about 4 months ago | (#47730339)

You would be surprised how conditioned you can become to traffic patterns always being a certain way. I nearly caused an accident last week when I turned left in front of a car that was going straight. I am a good driver... why did I do that? The intersection was where two small neighborhood roads intersect the main road. After I screwed up, I realized that in the last 25 years, I had _never_ seen a car go straight through that particular intersection. I unconsciously assumed that he was waiting for the light so that he could turn left, like cars always do.

Traffic engineering is not about saving gas. It is mostly about preventing accidents. That is one of the reasons you see so few Yield signs these days.

Re:people charge of traffic lights are engineers b (1)

tlhIngan (30335) | about 4 months ago | (#47730563)

You would be surprised how conditioned you can become to traffic patterns always being a certain way. I nearly caused an accident last week when I turned left in front of a car that was going straight. I am a good driver... why did I do that? The intersection was where two small neighborhood roads intersect the main road. After I screwed up, I realized that in the last 25 years, I had _never_ seen a car go straight through that particular intersection. I unconsciously assumed that he was waiting for the light so that he could turn left, like cars always do.

The intersection on our street has two lanes on the cross street - one dedicated right-turn lane, and a combined left-turn/straight-through lane.

We usually go straight through, but it's somewhere we never go through without being cautious because a straight-through/left-turn lane is a rarity. It's usually more common as a left-turn, and a right-turn/straight lane. People just don't seem to understand that after the car turns left, the car behind might want to go straight.

We've nearly had accidents where people would assume we'd be turning left.

Had a right-turn from the main road assume the same thing - the light was red, we headed straight, and the guy never looked to his left and continued making the right turn. He never figured out that people might not be turning and didn't look.

These days more traffic goes through there so people are more used to not assuming that most people turn. But geez.

It's apparently common enough that it's why they have "Traffic Pattern Changed" signs to warn drivers that they've mucked with the lights, lanes, etc.

Re:people charge of traffic lights are engineers b (2)

bored_engineer (951004) | about 4 months ago | (#47731233)

Unfortunately, those sensors sometimes fail. With no "call," then one direction may never get a green light. (Of course, if this happens, then the tech will call an engineer to get a timing plan, then go out and reprogram the faulty controller, if it's not networked.) Freezing conditions, etc. can ruin in-ground loop sensors, and optical sensors can become befuddled by fog, snow and sun. Radar-based sensors are becoming more common, and because they're mounted on an arm or on a pole, they can be replaced more easily than the inductive loops.

Re:Welcome to the Information Age! (1)

nine-times (778537) | about 4 months ago | (#47729891)

I don't know. In my experience, a lot of poor security isn't caused by incompetence. It's caused by someone saying, "But that will cost more money..." or "That will take too much time..." or "But I want to buy from this supplier because the owner is my brother-in-law..."

I mean, they don't necessarily say those things out loud, but those are often the reasons. It's not necessarily that they're too dumb to understand that it's bad security. They just don't care. They're not thinking about the potential for problems down the road. They're not thinking about long-term maintenance. They're not really thinking about public safety. They're just thinking about, "I have to get this job done in a way that makes my life better/easier. I want to work less and make a big bonus."

Not that I work in a traffic-related industry. That's just been my general professional experience as to why security is usually terrible.

Re:Welcome to the Information Age! (0)

Belial6 (794905) | about 4 months ago | (#47730131)

You can not secure the lights. It is simply impossible without placing security guards at every corner.

Re:Welcome to the Information Age! (2)

nine-times (778537) | about 4 months ago | (#47730841)

Did you not read the summary, even?

The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device.

Yes, ultimately physical security is always an issue. They can try to make the devices difficult to access, but as you've pointed out, that's always going to be a problem.

But this is a different level of "insecure". These things are controlled through open, unencrypted wireless networking. There are no passwords. It's like the difference between saying, "Your home is never completely secure, since someone can always break a window or crowbar the door open," vs. "Let's just leave our valuables sitting out on the lawn, completely unattended."

Re:Welcome to the Information Age! (1)

jonwil (467024) | about 4 months ago | (#47728597)

I reckon if you were trying to convince someone to take security of critical infrastructure, one way to do it would be to show them Die Hard 4.0 (best example I know of when it comes to hackers breaking into infrastructure) and say "this may only be a Hollywood movie but do you want to be the one who said "no" to better security when that shit happens for real?"

Re:Welcome to the Information Age! (2)

mlts (1038732) | about 4 months ago | (#47728707)

I know what the reply will be:

"The hackers would have gotten in no matter what we would have done."

Re:Welcome to the Information Age! (1)

GameboyRMH (1153867) | about 4 months ago | (#47729117)

Haha I see you also work in a business where you have this kind of discussion often!

Re:Welcome to the Information Age! (0)

Anonymous Coward | about 4 months ago | (#47729109)

It has nothing to do with "computer guys" needing to do anything. I worked at a major software outfit where I discovered a major security flaw in their enterprise product. Basically any user on the network could connect to the database and edit critical financial information with no audit trail and no evidence that it had ever occurred. Management's response to my discovery? "Nobody's going to think of doing that," and they never bothered to fix it. The flaw, the database server's username and password stored in plaintext on every single client machine. All you had to do was open that file with Notepad and copy and paste. Nobody will think of that when there are thousands or millions of dollars at stake, nope.

The point is that most people just don't believe security is an issue.

Re:Welcome to the Information Age! (1)

DidgetMaster (2739009) | about 4 months ago | (#47729889)

I think I read somewhere that traffic lights are designed so that it is impossible for both sides to get a simultaneous green light. They have some kind of physical switch that enforces this. In other words, even if the system is hacked, you can't make cars crash by changing all the lights to green. That doesn't mean that a hacker can't cause some problems by making the lights stay red for 10+ minutes or other such mischief.

Re:Welcome to the Information Age! (0)

Anonymous Coward | about 4 months ago | (#47730285)

I think I read somewhere that traffic lights are designed so that it is impossible for both sides to get a simultaneous green light.

Conflicting greens are cross-wired. If the lamps are powered simultaneously...for any reason...it causes a short circuit that trips the breakers. You can't turn those greens on at the same time. They'll just go dark.

It's a slick, simple safety feature that's almost as old as electric traffic lights themselves. When rats get in, chew insulation, pee everywhere, and snuggle up between live wires, you need a failsafe that can handle anything.
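The two fail-safes described in this thread (a non-networked validation stage that overrides the networked controller on an anomaly, and an interlock that makes conflicting greens impossible), modelled as an added example that is not code from the thread, the paper or any vendor. The phase names, conflict table and 3-second minimum yellow are assumptions, and the command trace is constructed.

```python
"""Model of a validation stage that sits between a networked signal
controller and the lamp drivers. Illustrative assumptions throughout."""
from dataclasses import dataclass, field
from enum import Enum


class Lamp(Enum):
    RED = "red"
    YELLOW = "yellow"
    GREEN = "green"


# Assumed four-phase intersection. No pair listed here may show a
# permissive indication (green or yellow) at the same time.
PHASES = ("NS_THRU", "NS_LEFT", "EW_THRU", "EW_LEFT")
CONFLICTS = {
    frozenset(pair) for pair in [
        ("NS_THRU", "EW_THRU"), ("NS_THRU", "EW_LEFT"),
        ("NS_LEFT", "EW_THRU"), ("NS_LEFT", "EW_LEFT"),
        ("NS_THRU", "NS_LEFT"), ("EW_THRU", "EW_LEFT"),
    ]
}
MIN_YELLOW_S = 3.0                          # assumed clearance interval
FLASH_RED = {p: Lamp.RED for p in PHASES}   # stand-in for flashing red


def command(**lamps):
    """Build a full command; phases not named are red."""
    return {p: lamps.get(p, Lamp.RED) for p in PHASES}


@dataclass
class ConflictMonitor:
    faulted: bool = False
    fault_reason: str = ""
    _last: dict = field(default_factory=lambda: dict(FLASH_RED))
    _yellow_since: dict = field(default_factory=dict)

    def _check(self, cmd, now):
        """Return a reason string if cmd is unsafe, else an empty string."""
        if set(cmd) != set(PHASES):
            return "command does not cover every phase"
        active = [p for p in PHASES if cmd[p] is not Lamp.RED]
        for i, a in enumerate(active):
            for b in active[i + 1:]:
                if frozenset((a, b)) in CONFLICTS:
                    return f"conflicting permissive phases {a}/{b}"
        for p in PHASES:
            prev, new = self._last[p], cmd[p]
            if prev is Lamp.GREEN and new is Lamp.RED:
                return f"{p} dropped green to red with no yellow"
            if prev is Lamp.YELLOW and new is Lamp.GREEN:
                return f"{p} yellow went back to green"
            if prev is Lamp.YELLOW and new is Lamp.RED:
                if now - self._yellow_since[p] < MIN_YELLOW_S:
                    return f"{p} yellow shorter than {MIN_YELLOW_S}s"
        return ""

    def apply(self, cmd, now):
        """Return the lamp state actually driven for a commanded state."""
        if self.faulted:
            return dict(FLASH_RED)      # latched: network commands ignored
        reason = self._check(cmd, now)
        if reason:
            self.faulted, self.fault_reason = True, reason
            return dict(FLASH_RED)
        for p in PHASES:
            if cmd[p] is Lamp.YELLOW and self._last[p] is not Lamp.YELLOW:
                self._yellow_since[p] = now
        self._last = dict(cmd)
        return dict(cmd)

    def local_reset(self):
        """Clearing the latch is a cabinet-side action, not a network one."""
        self.faulted, self.fault_reason = False, ""
        self._last = dict(FLASH_RED)
        self._yellow_since.clear()


def run_demo():
    """Constructed trace: a normal phase change, then an all-green command."""
    monitor = ConflictMonitor()
    trace = [
        (0.0, command(NS_THRU=Lamp.GREEN)),
        (30.0, command(NS_THRU=Lamp.YELLOW)),
        (34.0, command(EW_THRU=Lamp.GREEN)),
        (40.0, {p: Lamp.GREEN for p in PHASES}),  # unsafe command
        (41.0, command(NS_THRU=Lamp.GREEN)),      # valid, but latched out
    ]
    return monitor, [monitor.apply(cmd, t) for t, cmd in trace]


if __name__ == "__main__":
    mon, driven = run_demo()
    for state in driven:
        print({p: lamp.value for p, lamp in state.items()})
    print("fault:", mon.fault_reason)
```

The model shows the limit both comments point at: the monitor keeps the intersection out of an unsafe state, but it cannot stop a tampered controller from sending valid yet disruptive timing.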

Re:Welcome to the Information Age! (2)

Rogue974 (657982) | about 4 months ago | (#47730191)

I agree with you. I am a Controls Engineer. Until recently, my controls security was decades behind. Fortunately, Stuxnet happened, our CEO noticed the news stories and started asking questions and took an interest. A small group of controls engineers and an IT person who also did the controls network at the small plants he supports made a team, did research, made recommendations and were given money to start securing our network properly.

We need to start realizing security through obscurity is no security at all and make the changes starting with the vendors all the way through the end users.

A huge problem I have experienced is actually a lack of understanding of security and networking on the part of controls engineers, and a lack of understanding of controls systems by IT staff. I think this is actually one of the biggest problems that creates the security problems. Every place I have worked at or in (did a stint as a contract CE and went many places) there is a stand off between controls and IT. Controls knows what we need to do to make our system work and IT tries to tell us how we have to do things and they don't realize that it is not the same as a business network because it will shut the plant down to do some things they would like us to. CEs don't understand enough to secure the networks themselves so we do the best we can and keep IT away from our stuff and muddle through.

We need education on both sides so controls people know what they need to do and IT people who understand the differences between business networks and controls networks. Unfortunately, of all the IT professionals I have worked with, only 2 have understood the controls world enough (or been willing to even listen) to help so we just shut them out. I would much rather work with IT and not have to learn all of this security stuff myself when we have IT professionals who know the security. Granted, they probably don't want to learn about my world the same way I would rather not have to learn theirs, so we are right back at the stand off.

What are they waiting for? (1)

Hamsterdan (815291) | about 4 months ago | (#47728325)

Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

Re:What are they waiting for? (3, Insightful)

Nyder (754090) | about 4 months ago | (#47728413)

Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?

They are waiting for the first part, because unless there is a big uproar about it (which there won't be until it gets abused enough to cause deaths) it costs too much money to fix.

How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out. That is, security is nonexistent or an afterthought. Paying money to make sure everything is secure for any sort of attacks/compromise/whatever takes away from the bottom line, so shareholders don't like that stuff. And management is kissing the shareholders' ass, so it's not as important.

Now for government work, it's a bidding process and well, you aren't going to make any money on the job by having to hire some sort of computer type to make sure the system is secure. And since the contract probably didn't state it needed to be done, well, this is what we have.

So wait until it gets abused bad enough to kill people, nothing will get done.

Re:What are they waiting for? (3, Interesting)

mlts (1038732) | about 4 months ago | (#47729073)

I remember this crossroads in the 1990s. Would firms in general focus on security, even though the worst threats at that time were college students looking to rm -rf / a box or two for kicks?

It came out worse than I could imagine. I heard the "security has no ROI" mantra many a time (although the past couple places I worked at, they actually take it seriously.) When working as a consultant, I asked companies what they had for something if they were hacked. The response was, "We will call Geek Squad or Infosys, and have the problem fixed."

I have read people hoping for a "Warhol event" that would get businesses focusing on security. However, I would say that a "cyber 9/11" (to use a buzzword) would do far more harm to security in general than help.

Take this scenario:

A hurricane has a populated city in its sights. Evacuations are starting. As people are getting on the roads, Elbonian actors hack the anti-theft disable mechanism of a major car maker, disabling random cars at a time on all major roads. When those are towed, another set of cars get turned off. Havoc happens.

Congress is then pushed to push some bills into law. Well, they do. However, they do little or nothing. Here are the bills:

1: A mandatory DRM stack on any device in the US accessing the Internet, enforced by endpoint routers, with mandatory 10-life if any are tampered with.

2: All "tools for cyber-warfare", even something as banal as tcpdump, would be removed from operating systems, and only allowed to registered people.

3: Similar to #1, all machines would run a scanner similar to an antivirus utility, but would use signatures to look for unlicensed MP3 files, movies, programs like Handbrake, and if detected, would automatically shut the machine down and notify the local authorities.

4: A central ID card, similar to a PIV/CAC would be required on any/all devices so all transactions (even a web login) are positively identified. It would be a felony for someone to access the Internet without their packets being signed or attributed to an ID card.

Of course, none of this would actually -HELP- security, but it would keep it swept under the covers, and (using MBA speak) allow better monetization of existing revenue streams... i.e. your PC becomes a locked down console with only big name brands able to write software for it due to the legal barriers of entry.

Re:What are they waiting for? (0)

cyborg_monkey (150790) | about 4 months ago | (#47730491)

Oh bullshit. Why would it cost something to fix that should have been done right to begin with?

Re:What are they waiting for? (1)

beschra (1424727) | about 4 months ago | (#47731197)

You can't be serious. Fixing something after it's been done wrong is even more expensive than doing it right the first time. Take the current example of traffic signals. Physical access is a huge problem. How do you address that? Work out a new design and retrofit hardware and software. Not free. Not anywhere is that even approaching cheap.

Re:What are they waiting for? (0)

Anonymous Coward | about 4 months ago | (#47728595)

If you read the PDF, you would find unsafe scenarios, such as green in all directions, are excluded on the hardware level. Why do you want to induce panic without even reading the literature associated with the article?

Re:What are they waiting for? (1)

Zmobie (2478450) | about 4 months ago | (#47729909)

This right here. The problem with any "unsafe" scenario is that these lights are usually logic controlled by PLCs or some such. I had a professor in college that used to work for one of the state roadway departments and he did work on traffic light controllers for a while. Most of them have to physically prevent anything like that from being possible just like how a civil engineer is supposed to prove their bridge is safe within x parameters. From what I understand this isn't even a concern for all traffic light controllers because ones outside of the big metro areas are not even interconnected to a central controller (this was just what I was told and know from the small towns I have lived in, if someone knows otherwise feel free to correct me here).

I personally am a huge security advocate and believe that, yes these things need to be secured to a reasonable extent, but it is overblown to think this is going to get a bunch of people easily killed just because someone wants to play around with it. Now, someone building a DIY "make light go green" device is not outside the realm of possibility... In fact, I may have a new project just to see if I can do it!

Re:What are they waiting for? (1)

Lumpy (12016) | about 4 months ago | (#47728723)

They don't care. There was a very dangerous intersection that people wanted stop signs at for years and asked several times and were denied. Until there was a major nasty accident that happened and the news covered it and got word that the city ignored requests for stop signs, the light of public anger was finally pointed at them and they suddenly had the signs installed.

Your city does not care one bit if you die or even if 100 people die, they only care if they look good to the public. This is the problem with our current election system,

Re:What are they waiting for? (0)

Belial6 (794905) | about 4 months ago | (#47730155)

Because the very nature of traffic lights makes them insecure. It is physically impossible to secure traffic lights without placing an actual human guard at each corner.

White hat application to cycling (1)

tepples (727027) | about 4 months ago | (#47728341)

So can cyclists use this to proceed through an intersection with miscalibrated vehicle sensors without having to wait several minutes for a motor vehicle to pull up behind? I don't know about other countries, but not every US state has a dead red law [pineight.com] allowing one to proceed with caution through a malfunctioning signal.

Re:White hat application to cycling (0, Offtopic)

sinij (911942) | about 4 months ago | (#47728429)

I personally want to take a Sicilian gondola everywhere I go, rowing it is good for your health and it is perfectly green. I advocate for all bike lanes to be turned into waterways to accommodate my craze.

Re:White hat application to cycling (1)

Greyfox (87712) | about 4 months ago | (#47728583)

Hah. In my town the traffic lights seem to be designed so that traffic stops at every goddamn one of them. I wonder if they could be fixed. I'm already not liking where this train of thought is going heh heh.

Re:White hat application to cycling (0)

Anonymous Coward | about 4 months ago | (#47729193)

Your city's stoplights are balanced for a different speed. Or you are speeding.

I had the same issue where I grew up. *ALWAYS* hitting the lights. I slowed down by ~3-5mph. Coasted thru every light, very little stopping. Only if you get caught on the back end of a flow you will hit a few reds. Until you are 'at the front' again. Think of red/green light design as a water flow thru a switch system. Then figure out how you would setup that flow to maximize thruput. Then stick to those rules. Go against the rules and you will sit at the red.

But when I saw this I was thinking in my best Ace Ventura voice *reaaaaaaaaaallllly* with a nice chin stroke...

Balanced for a different velocity (1)

tepples (727027) | about 4 months ago | (#47730971)

Your city's stoplights are balanced for a different speed.

Or they are balanced for the same speed in a different direction. On a two-way street whose signals are timed for 30 mph eastbound at a particular part of the day, westbound traffic is going to have a problem.

Or perhaps they are balanced for a different speed, the speed of the type of vehicle driven by the majority. Most signals are timed for people who drive cars, which means cyclists tend to hit more reds.

What would happen? (1)

khr (708262) | about 4 months ago | (#47728355)

My home town [waldport.org] only has one traffic light (and didn't get a left turn lane until after I moved away). I wonder what sort of damage hackers could do with that... Chaos where US 101 meets highway 34....

Re:What would happen? (1)

drinkypoo (153816) | about 4 months ago | (#47728603)

Your home town probably doesn't have a network-connected traffic light, either, since it only has one light to work with and there's not much point. Unless there's some compelling reason to do otherwise, these systems are only replaced when they fail. If you live in a major metro area then sure, there's reasons to upgrade before failure, involving traffic management.

Re:What would happen? (1)

Anonymous Coward | about 4 months ago | (#47728669)

Well, the security through scarcity will not slow them down. The meanies will just steal your stop signs and pee in Eckman creek, which are totally insecure and unguarded. This is a good thing. In most towns police guard the traffic lights and issue tax bills at random under the guise of security.
Hell, in some places, like where Eric Garner lived, packs of police officers will hunt you like wolves and beat you to death. Yup, if I were the ex janitor at the D.O.T. who found out how to hack a street light, I would keep my mouth shut till this blows over. Also you better start figuring out how to secure the remote on your T.V. I hear they are pretty easy to hack too.

Re:What would happen? (1)

freeze128 (544774) | about 4 months ago | (#47731081)

I'm just surprised that you even have INTERNET ACCESS.

What's the point of this? (1)

Anonymous Coward | about 4 months ago | (#47728367)

What is the point of this "research"? To prove that there are still many systems in our world that can be hacked easily? No shit.

The thing is that sometimes there is no incentive to hack things because it is a lot of work for very little gain, until some other asshat on the interwebs shows people how it can be done. Then the effort to hack it becomes less (as there is not a manual), and thus the frequency of it occurring increases. I may exaggerate a little when I call this a form of sponsored vandalism... but I am not sure what society will gain from this research.

The large majority of hacks are done by people trying to steal or just for entertainment. Terrorism is really not your #1 hacker. And anyway, I don't see Al Qaeda making a statement by hacking the traffic lights on a particular crossing. Instead, what we get now is that all 18-year-olds who read Ars Technica will try this out.

They Might be Giants (2)

puddingebola (2036796) | about 4 months ago | (#47728467)

Red means stop. Do not go. No, no, no. Green in all directions means go. Oh no, Oh no, Oh no.

Re:They Might be Giants (1)

GTRacer (234395) | about 4 months ago | (#47729065)

Or, Monty Python:

I like traffic lights,
I like traffic lights,
I like traffic lights,
No matter where they've been.

I like traffic lights,
I like traffic lights,
I like traffic lights,
But only when they're green.

And so on in that fashion for several more verses...

Cool! (1)

AchilleTalon (540925) | about 4 months ago | (#47728555)

No more reasons to be late at work.

That's old news (0)

Anonymous Coward | about 4 months ago | (#47728617)

You just open up the junction boxes at the intersection, cross some wires and all the lights become green. The Gremlins [imdb.com] already knew how to do it. No hacking required.

Oh.. (0)

Anonymous Coward | about 4 months ago | (#47728637)

"Watchdogs" fan boys might get a kick out of this one.

This makes me happy (0)

Anonymous Coward | about 4 months ago | (#47728749)

Now I'm really happy that my area still uses dial-up to communicate with the traffic lights - the lights call in to a central controller a handful of times a day. I'd always thought that they should upgrade, but now I'm not so sure.

Security... (1)

Coditor (2849497) | about 4 months ago | (#47728765)

... is a job best done by people who understand it. Yet the security czar of the US Government bragged in an interview that since he didn't know anything about security he was better able to deal with it.

Watch Dogs was accurate! (0)

Anonymous Coward | about 4 months ago | (#47728821)

Looks like the security is so laughable (basically no security) that Watch Dogs portrayed mucking with traffic lights surprisingly accurately :)

why I oppose v2v and smart cars (0)

Anonymous Coward | about 4 months ago | (#47728879)

The people that will implement 'smart' cars, which use vehicle to vehicle communication, and communication with traffic lights will screw up, and be vulnerable to criminal hackers. The current dumb vehicle system works pretty well. Unless distractions, or ethanol is added to the biological computing unit.

I wonder if this means... (1)

kick6 (1081615) | about 4 months ago | (#47729183)

I can fix the flashing reds that happen all. the. damn. time. In my hometown.

A lot of easy things are illegal (5, Insightful)

TomGreenhaw (929233) | about 4 months ago | (#47729333)

It's easy to exceed the speed limit. It's easy to shoplift. It's easy to buy a gun and shoot somebody.

It's probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.

While I think it's irresponsible to design computer systems without basic and reasonable security measures, technology is not the final answer to antisocial behavior. Hacking somebody else's systems is illegal and wrong. Finding (sometimes) esoteric ways to do it and making it easy for bad guys is just plain foolish.

My friend Neil and I have a law: You know you have enough security when you can't do your job anymore. Requiring the average stop light electrician to now be a computer networking security expert requiring tons of tech support would certainly drive up taxes.

Antisocial behavior is why we have laws and there is a reason we should obey them.

Re:A lot of easy things are illegal (1)

ogdenk (712300) | about 4 months ago | (#47730915)

Hey! I speed occasionally and I own a firearm or two *BUT* I don't shoplift or shoot everyone that pisses me off. So does that mean I'm only halfway antisocial?

Bringing security flaws that could get us killed to light in public view is NOT antisocial behavior. Hacking said systems and actually manipulating them to cause mayhem *IS* antisocial behavior.

Software security is VERY important. Anything can be hacked but irresponsibly making it blatantly easy for people to control these systems and cause loss of life or injury is insane. People that release knowledge of the flaws are not the enemy. It's the responsible thing to do as the people in charge of these systems will not act unless their ass suddenly depends on it.

Re:A lot of easy things are illegal (0)

Anonymous Coward | about 4 months ago | (#47731225)

It's probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.

It's actually *usually* not. It takes a significant expertise and effort to reverse engineer a proprietary protocol from the physical layer up through the application layer.

If you read the links, you'll notice that the researchers bypassed this effort by purchasing an off-the-shelf part.

That said, it's orders of magnitude easier to social engineer your way to obtain one of these public safety access points that don't just get sold to anyone, but it still wouldn't necessarily be easy.

So What? (1)

mjwaters (2749225) | about 4 months ago | (#47729363)

Wireless security doesn't mean much when people already have easy physical access to all of these traffic lights. It's not like they are guarded by more than a padlock. I am guessing the greatest threat to traffic lights (in the eyes of the department of transportation) is still copper thieves.

Re:So What? (1)

pruss (246395) | about 4 months ago | (#47730421)

It's a lot easier to get caught when breaking into the padlock than when driving by with an RF device.

Of course it's easy to hack something... (0)

Anonymous Coward | about 4 months ago | (#47729637)

When you buy an off-the-shelf part that does 99% of the work for you and have all the accompanying documentation on how to use the part shipped to you along with it.

It explicitly states that the sensors use a proprietary protocol.

The researchers decided to bypass all of the time and effort of reverse engineering the protocol; that is everything from the physical, link layer, transport, all the way up to the application.

Their rationale for this is that it's easy to "trick" public safety companies who have to follow ITAR and EAR regulations into selling a part to any random dude. Their citation is a link to an article about one guy, who had a contract for conducting this sort of research, "social engineering" his way to obtain an off-the-shelf part.

Sure they pointed out some valid security concerns such as no encryption at the application layer and debug access to VxWorks, but it is absolute FUD to call it easy.

Try hacking one of these if you 1) don't work for the companies that make these 2) don't actually have the access point and documentation handed to you.

5.8 GHz? (0)

Anonymous Coward | about 4 months ago | (#47729689)

how come I don't see the networks on Wigle and my Android phone? Umm.

2600 (0)

Anonymous Coward | about 4 months ago | (#47729785)

2600 posted a story about this back in the 90's. Things don't really change apparently.

Don't emergency vehicles use this? (1)

asylumx (881307) | about 4 months ago | (#47729867)

Don't emergency vehicles sometimes use this to their advantage to turn an intersection into a 4-way red light so that they can get through? I know I've heard of ambulances and fire trucks having a button that makes all stop lights near them turn red, but I have never tried to verify the truth of the claim.

Re:Don't emergency vehicles use this? (2)

k6mfw (1182893) | about 4 months ago | (#47730015)

I was thinking what do they use now. Years ago I remember fire engines and trucks had strobe light on top of cab that flashes sequences which causes traffic light to turn red on opposing traffic. In late 70s or early 80s I saw a Dodge van that was parked in Quement Electronics on Bascom Ave in San Jose (you old guys remember that store, favorite among geeks back in the days when Fry's was a grocery store). I guess this person got ahold of one of these and voila, never gets a red light. Question I always wondered if that was legal.

Fast forward to nowadays, do emergency vehicles use such a system and is it RF based?

Re:Don't emergency vehicles use this? (2)

bored_engineer (951004) | about 4 months ago | (#47731021)

It's called signal preemption. Opticom [gtt.com] is IR-based, and in fairly common use. There are several other systems available for signal preemption, including:

  • GPS-equipped vehicles communicate with a control center, which does the preemption,
  • audio-based, which react (hopefully) to a siren,
  • RF-based.

There may be others, but these are the ones I'm familiar with.

So when are we going to hear (1)

Stan92057 (737634) | about 4 months ago | (#47729949)

So when are we going to hear about sob stories from idiots who hack traffic lights and get more than 33 months in jail for it?

Traffic Lights (0)

Anonymous Coward | about 4 months ago | (#47730277)

The traffic lights in our metropolitan area are connected via the 900 MHz ISM Band. We were able to use the XBee Pros to connect to them and see the (unencrypted) data streaming across coordinating the lights (and also changing them in the case of emergency vehicles). I never had the guts to issue commands to them, but it was cool to see...

Re:Traffic Lights (0)

Anonymous Coward | about 4 months ago | (#47731013)

What do you mean by connect to them? As in identifying yourself as a network node?

I'm pretty sure the XBees have some proprietary form of DigiMesh. If you're just blindly demodulating signals, without knowing what the protocol is, how do you know the '1' you see in the end is really a '1'?

Phrack Magazine 2002 (0)

Anonymous Coward | about 4 months ago | (#47730909)

http://phrack.org/issues/60/14.html

Crosswalk hacks (2)

almitydave (2452422) | about 4 months ago | (#47731025)

Reminds me of the time when that list of crosswalk-button hacks was published - it created quite a stir [bbspot.com].
