Widely used gear in the US and abroad vulnerable to low-cost attacks
by Dan Goodin
Hacks that allow spies, villains, or terrorists to manipulate traffic signals may seem like the exclusive province of action movies, but a well-known security researcher says they’re not as far-fetched as many people may think.
Cesar Cerrudo of security penetration testing firm IOActive said he has identified more than 50,000 devices in New York, Washington DC, Los Angeles, and cities in at least seven countries around the world that can be hacked using inexpensive gear that’s easy and—at least in the US—legal to obtain and operate. The equipment Cerrudo used included a drone flying at heights of 650 feet and radio hardware that sells for $100. With more sophisticated transmitters, antennas, and other hardware, he said an attacker could be as far away as two miles from the targeted signals.
In a blog post published Wednesday, he wrote:
The attacks are made possible by traffic control devices that can be monitored or tampered with by unauthorized parties who are nearby. Elsewhere in the post, Cerrudo wrote:
Cerrudo omitted the maker of the traffic devices and the techniques for carrying out the attacks. According to an article published by Wired, however, the manufacturer is Sensys Networks. The hack works by monitoring the radio signals sent and received by sensors that measure environmental variables such as the amount of traffic at an intersection and the travel speeds of vehicles in the area. The proprietary radio protocol communicates with no encryption, making it possible for people to monitor or tamper with the signal contents, which are used to determine whether a traffic light should stay green or turn red, display a particular message, or alert authorities to a potential emergency.
Traffic control systems are only the latest devices shown to be vulnerable to hacks that could compromise public safety. Two weeks ago, IOActive demonstrated how mission-critical satellite communications used by Western militaries and international aeronautics and maritime systems were also open to attacks. And as long ago as 2007, researchers demonstrated a hack for spoofing travel information messages displayed on satellite navigation systems used by Italian drivers.
Cerrudo said he alerted the device manufacturer through ICS-CERT, which is connected to the US Department of Homeland Security. He said the company “said they didn’t think the issues were critical nor even important.” One vulnerability, he added, was reported as fixed on newer versions of the device, a move that saddles cities and states that have vulnerable gear in place with the considerable cost of ripping out old devices and installing new ones.
“I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn’t convince them,” Cerrudo wrote. “In the end I said, if the vendor doesn’t think they are vulnerable then OK, I’m done with this; I have tried hard, and I don’t want to continue wasting time and effort.”