Cyber researcher Cesar Cerrudo stands on a street in Washington D.C. near the Capitol Building, and monitors wireless data from traffic sensors. (Photo: YouTube).
The next time Gov. Chris Christie wants to create traffic problems on the George Washington Bridge, he may have more sophisticated options than a conjured-up study and orange cones.

Alarming new research released this week details how cyber hackers can infiltrate and manipulate traffic-control systems that govern traffic lights and other road systems in more than 40 major cities across the United States, including New York, Los Angeles and Washington D.C.

Cyber attackers could change light colors, delay signal changes and alter digital speed limits, causing traffic jams, gridlock or – in a worst-case scenario – car accidents. Cesar Cerrudo, a cyber researcher at IOActive, said security measures in the traffic-control devices were practically nonexistent.

"This is a really big problem in security that these devices are not secure," he told AOL Autos. "Sooner or later, attacks on these devices will impact more of our regular life, because we depend on these devices and these products."

Cerrudo, who will present his detailed research at the Infiltrate Security Conference on May 15 and 16, said it was both easy and cheap to intervene in the necessary data streams when conducting his experiments on the streets of Washington D.C. and New York. In one case, he even breached traffic-control systems from a drone flying 650 feet overhead.

Here's how it works: Sensors embedded in many roads gather data on how many cars pass by in a given time period and measure anomalies in traffic flow – whether there's no traffic or traffic jams. That information is then wirelessly passed to an access point, which then sends it to a traffic-control system that gathers data from multiple access points. Based on that information, the control system can determine whether adjustments in light cycles need to be made. In an everyday scenario, such systems may make adjustments on light-cycle timing as traffic increases or tapers throughout the day.

Cerrudo didn't directly infiltrate the traffic lights. Rather, he infiltrated the access points that provide the system data. He notes that he passively watched the data flow during his experiments, and never actively tinkered with real-life traffic. Had he held nefarious intentions, he could have, and that is his point.

"The data goes out over the air without any encryption, so you can basically, with some specific hardware, capture all the information sent over the air," he said. "At the same time, you could send information over the air and make the access points believe you are a sensor. If you're an attacker sending fake data, you can manipulate the system. And they don't have any security."
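The gap Cerrudo describes is that the access point believes any frame that looks like a sensor report. As an added example (not from the article, the researcher or the vendor), the sketch below contrasts that behaviour with an access point that requires a per-sensor HMAC tag and an increasing counter. The 8-byte frame layout, sensor ID and key are constructed for illustration and are not the real product's protocol; the tag addresses spoofing and replay only, not the lack of encryption.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment would provision per-sensor keys securely.
SENSOR_KEYS = {0x0A01: b"constructed-demo-key-sensor-0a01"}
BODY = ">HIH"  # hypothetical layout: sensor id, message counter, vehicle count


def make_report(sensor_id, counter, vehicle_count, key=None):
    """Sensor side: pack a report and append an HMAC-SHA256 tag if a key is given."""
    body = struct.pack(BODY, sensor_id, counter, vehicle_count)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per sensor

    def accept_unauthenticated(self, frame):
        """Behaviour the article describes: any well-formed frame is believed."""
        _sensor_id, _counter, count = struct.unpack(BODY, frame[:8])
        return count

    def accept_authenticated(self, frame):
        """Return the vehicle count, or None when the frame is rejected."""
        if len(frame) != 8 + 32:
            return None  # missing or malformed tag
        body, tag = frame[:8], frame[8:]
        sensor_id, counter, count = struct.unpack(BODY, body)
        key = self.keys.get(sensor_id)
        if key is None:
            return None  # unknown sensor
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        if counter <= self.last_counter.get(sensor_id, -1):
            return None  # replay of an earlier genuine frame
        self.last_counter[sensor_id] = counter
        return count
```

Every rejection path here is also a loggable event, which gives operators a signal other than an unexplained traffic jam.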

What's worse: Cerrudo said there's no way for authorities to necessarily detect an attack. The first indication would be an unexplained traffic jam or reports of malfunctioning lights. If someone was monitoring the data streams or making subtle adjustments, no one would know. It could be happening right now.

More than 50,000 of the systems have been deployed across the globe, most of them in the U.S., Cerrudo estimated. Sensys Networks, maker of the VDS240 wireless vehicle detection system, did not return a request for comment. Earlier this week, Brian Fuller, the company's vice president of engineering, told WIRED magazine, which first reported on the research, that Homeland Security was "happy with the system," and that he had nothing more to add on the matter.

While the severity of the mischief that could be caused by hacking into the traffic-control system is debatable in the present day, Cerrudo's research is something of a cyber canary in the coal mine.

Increasingly, cars and traffic systems are both run by computers and wirelessly connected to the online world. Consequently, they're more vulnerable to cyber security breaches or attacks. The Department of Homeland Security monitors such threats, and last year, the National Highway Traffic Safety Administration opened a division that deals with electronic security.

Last year, Chris Valasek and Charlie Miller, two of Cerrudo's colleagues at IOActive, published a white paper in which they describe how they hacked into a Ford Escape and Toyota Prius and manipulated the controls of the vehicles.

As the United States moves more toward a transportation environment in which vehicles communicate with both other vehicles and infrastructure, like traffic lights, the potential ramifications for a hacker gaining access to the system at various entry points grow more pronounced.

Cerrudo, in a blog post, writes that for now, "traffic departments in states/cities with vulnerable devices should pay special attention to traffic anomalies when there is no apparent reason, and closely watch the device's behavior."

Pete Bigelow is an associate editor at AOL Autos. He can be reached via email at peter.bigelow@teamaol.com and followed on Twitter @PeterCBigelow.

This is what the traffic-control system data looks like as it flows across Cesar Cerrudo's computer. (Photo: YouTube).


  • 18 Comments
      hobie4790
      • 11 Months Ago
      Hey Pete, this is interesting stuff. Too bad you diluted the facts with your opening paragraph about "the next time Chris Christie...". I'm not particularly a Christie fan, but you apparently don't know the difference between accusations and facts. This is something generally learned in Journalism school. I don't know what school you went to, but maybe you should ask for a refund.
      tmlbtb
      • 11 Months Ago
      Same with all of these automated houses. Lying in bed at night and your garage door is opening and closing non stop. Hack into the electronic locks and open the house up to intruders. This is going to be big business in the near future.
      Eric
      • 11 Months Ago
      We'd see less of such threats if we began life terms for the crimes. Hackers can and do destroy lives and because of this disregard for others have no business in a free society. With freedom and rights comes responsibilities, hackers choose to ignore those responsibilities. The price of keeping liberties safe is to be severe with those who so wantonly abuse those liberties. If ever I have the opportunity to beat a hacker to a bloody pulp, I will.
        dubricus
        • 11 Months Ago
        @Eric
        You don't really need to worry about the hackers who are doing it just for the hell of it. Worry about those that do it with a goal in mind.... For example, let's say a terrorist wanted to increase kill numbers.... cause gridlock, then set off a few car bombs. Want to commit a real-life crime, like a major robbery of some kind. Cause gridlock so police can't get there in time... but have it all fixed so your way out is clear. What if the Chinese or Putin want to cause problems or actually start a cyber war. If this can be done to street traffic, what can be accessed in the power grid? What hospital equipment can be messed with?
      mayabelle1107
      • 11 Months Ago
      vunerable?
      Genesis
      • 11 Months Ago
      This is a good example of IRRESPONSIBLE JOURNALISM. Why disseminate this information, to give more ideas to hackers? Just send information to the authorities, not the world!
      crazy ray
      • 11 Months Ago
      I love the way you use words like "tinker" to trivialize and downplay the idea of hacking traffic signals. In fact, this is potentially deadly and I doubt if the victims of these future crimes will find your quips quite as amusing.
      robmnn
      • 11 Months Ago
      Hey Pete Bigelow, You are making an ass of yourself and your employer. Gov. Christie was cleared of any involvement in the traffic jam you refer to. Good to see such an unbiased reporter hard at work bringing us the NEWS.
      MRFOOT....LABAS!
      • 11 Months Ago
      ...OH THIS IS GREAT...;LETS SHOW THE REST OF THE WORLD....WE ARE ALL VULNERABLE....WAY TO GO NEWS MEDIA!...WHATS NEXT...?....
      jrgordon47
      • 11 Months Ago
      Hey Pete why not offer a free download of the software in your next journalistic effort. Don't you realize that there are people out there that will try this just for the fun of it. There are things to know and there are things that don't have to be known. You should consider that the next time you take hand to keyboard. Also...read the NEWS once in a while...Christie didn't do it.
      tom
      • 11 Months Ago
      Christie had nothing to do with a traffic jam. Do your homework, or are you just another one of those college kids with an agenda that got a low paying job?
      judy
      • 11 Months Ago
      I could not get past the first paragraph. Left-wing much? .. If you are so biased against a political figure, then go write about him. I see no reason to read anything you wrote about on traffic controls now. How about taking a course real writing for information. You are supposed to write about the truth, not lie. Trying to be funny? Find it in the truth.
      syonack
      • 11 Months Ago
      I knew there was a reason why I prefer older traffic signals from the 1960s better