Alarming new research released this week details how cyber hackers can infiltrate and manipulate traffic-control systems that govern traffic lights and other road systems in more than 40 major cities across the United States, including New York, Los Angeles and Washington D.C.
Cyber attackers could change light colors, delay signal changes and alter digital speed limits, causing traffic jams, gridlock or – in a worst-case scenario – car accidents. Cesar Cerrudo, a cyber researcher at IOActive, said security measures in the traffic-control devices were practically nonexistent.
"This is a really big problem in security that these devices are not secure," he told AOL Autos. "Sooner or later, attacks on these devices will impact more of our regular life, because we depend on these devices and these products."
Cerrudo, who will present his detailed research at the Infiltrate Security Conference on May 15 and 16, said it was both easy and cheap to intervene in the necessary data streams when conducting his experiments on the streets Washington D.C. and New York. In one case, he even breached traffic-control systems from a drone flying 650 feet overhead.
Here's how it works: Sensors embedded in many roads gather data on how many cars pass by in a given time period and measure anomalies in traffic flow – whether there's no traffic or traffic jams. That information is then wirelessly passed to an access point, which then sends it to a traffic-control system that gathers data from multiple access points. Based on that information, the control system can determine whether adjustments in light cycles need to be made. In an everyday scenario, such systems may make adjustments on light-cycle timing as traffic increases or tapers throughout the day.
Cerrudo didn't directly infiltrate the traffic lights. Rather, he infiltrated the access points that provide the system data. He notes that he passively watched the data flow during his experiments, and never actively tinkered with real-life traffic. Had he held nefarious intentions, he could have, and that is his point.
"The data goes out over the air without any encryption, so you can basically, with some specific hardware, capture all the information sent over the air," he said. "At the same time, you could send information over the air and make the access points believe you are a sensor. If you're an attacker sending fake data, you can manipulate the system. And they don't have any security."
What's worse: Cerrudo said there's no way for authorities to necessarily detect an attack. The first indication would be an unexplained traffic jam or reports of malfunctioning lights. If someone was monitoring the data streams or making subtle adjustments, no one would know. It could be happening right now.
More than 50,000 of the systems have been deployed across the globe, most of them in the U.S., Cerrudo estimated. Sensys Networks, maker of the VDS240 wireless vehicle detection system, did not return a request for comment. Earlier this week, Brian Fuller, the company's vice president of engineering, told WIRED magazine, which first reported the on the research, that Homeland Security was "happy with the system,' and that he had nothing more to add on the matter."
While the severity of the mischief that could be caused by hacking into the traffic-control system is debatable in the present day, Cerrudo's research is something of a cyber canary in the coal mine.
Increasingly, cars and traffic systems are both run by computers and wirelessly connected to the online world. Consequently, they're more vulnerable to cyber security breaches or attacks. The Department of Homeland Security monitors such threats, and last year, the National Highway Traffic Safety Administration opened a division that deals with electronic security.
Last year, Chris Valasek and Charlie Miller, two of Cerrudo's colleagues at IOActive, published a white paper in which they describe how they hacked into a Ford Escape and Toyota Prius and manipulated the controls of the vehicles.
As the United States moves more toward a transportation environment in which vehicles communicate with both other vehicles and infrastructure, like traffic lights, the potential ramifications for a hacker gaining access to the system at various entry points grow more pronounced.
Cerrudo, in a blog post, writes that for now, "traffic departments in states/cities with vulnerable devices should pay special attention to traffic anomalies when there is no apparent reason, and closely watch the device's behavior."
Pete Bigelow is an associate editor at AOL Autos. He can be reached via email at email@example.com and followed on Twitter @PeterCBigelow.
This is what the traffic-control data looks like as it comes across Cesar Cerrudo's computer. (Photo: YouTube).