Traffic Monitoring Tech Vulnerable To Hacking

Connected cars aren’t the only transportation innovation that’s coming down the pike (pun intended). As we’ve noted before: smart roads and smart infrastructure promise even more transformative changes than – say – having Siri read  your text messages to you through your stereo system.

Cesar Cerrudo
Cerrudo, of the firm IOActive, said that traffic management systems he audited were vulnerable to remote attacks that could cause large-scale civil disruption. (Photo courtesy of Cerrudo.)

The applications of smart road and connected infrastructure are almost limitless. But at this early stage (mostly proof of concept), much of the light and heat around smart roads is around applications of remote sensors at the roadside, or embedded in the road surface to identify problems like icy roads, the presence of liquids, traffic density, vehicle and pedestrian detection and more. For a nice overview of some sensor applications, check out this video from Liebelium.

But that doesn’t mean that attacks against smart infrastructure are problems for the future. The security researcher Cesar Cerrudo points out in a blog post over at that many major cities in Canada, the US, Europe and Australia are already using IP-enabled traffic management systems to control the operation of traffic signals, speed limit indicators, roadside information boards and more. And, guess what, these systems aren’t that well protected from would-be attackers.

Cerrudo reports on some research he’s completed into the security of field-deployed devices that feed information to traffic control systems used in major metropolitan areas, including Boston, Washington D.C., New York City and Seattle. The devices proved vulnerable to remote, wireless attacks – including some launched by a modified drone, hovering 650 feet above the target equipment.

According to Cerrudo, it’s possible to  manipulate the behavior of traffic signals (keeping a green or red light on permanently, or to cause electronic signs to display incorrect speed limits and instructions or allow cars on the freeway faster or slower than needed.

Cerrudo has reported the issues to both the vendor and the Department of Homeland Security’s ICS (Industrial Control System) CERT. However, to date he hasn’t been able to convince the vendor to address the issues. In some cases, the equipment vendor has argued that the features are designed insecure because ‘that’s how customers want them.’ In other cases, the vendor claims that a new version of the product removes the vulnerability – requiring customers to do a so-called ‘forklift upgrade’ just to get security.

Cerrudo will be presenting the fruits of his labor at this month’s Infiltrate Conference in Miami, at which time he will disclose the affected vendor and equipment.

This isn’t the first time that traffic management hardware has been found wanting. In 2012, ICS-CERT issued an advisory for customers of Post Oak Traffic Systems, noting that the company’s AWAM Bluetooth-based traffic monitoring hardware were susceptible to remote hacks that would allow attackers to impersonate the device, siphoning off administrative credentials that would give them direct access to the traffic monitoring system. That access could then be abused to create phantom traffic jams (or mask the existence of actual traffic jams) from engineers at a central traffic monitoring facility.

The U.S. government is investing heavily in this technology. The U.S. Department of Transportation’s “Intelligent Transportation Systems” (or ITS) program is looking to implement technologies that will increase traffic flow, improve travel times and reliability and optimize the capacity of the U.S. transportation network.

The government has noted the issue of connected vehicle and smart road technology security. In a statement in February, U.S. Transportation Secretary Anthony Foxx gave a green light to the development of vehicle-to-vehicle technology that could help drivers avoid crashes and drive more efficiently on the nation’s highways – despite reservations about the possibility that it could be manipulated.

“V2V technology does not involve exchanging or recording personal information or tracking vehicle movements,” the Department said in a published statement. “The information sent between vehicles does not identify those vehicles, but merely contains basic safety data. In fact, the system as contemplated contains several layers of security and privacy protection to ensure that vehicles can rely on messages sent from other vehicles,” he said.

Spread the word!

Comments are closed.