Jim Christy, special agent, director, Futures Exploration, briefs reporters at the Department of Defense Cyber Crime Center in Linthicum, Md., Thursday, Aug. 11, 2011. (AP Photo/Cliff Owen)
A teenage computer whiz hacked into software that controlled traffic lights in a southwestern US city. Once inside the program, the 16-year-old boy accessed systems that could wreak havoc. An investigator said the boy could have turned all the lights to a blinking-red default that would snarl traffic. Or worse, turned them all green.

That was 25 years ago.

The case opened the eyes of Jim Christy, one of the arresting officers. He would go on to become the head of the cyber crime center within the US Department of Defense. Now Christy is warning automakers and transportation officials that not much has changed in the past quarter-century.

While the auto industry has begun addressing cyber-security holes in critical systems that run vehicles, Christy said during an appearance at the Los Angeles Auto Show that the greater threats to motorists could lie in the sprawling infrastructures that communicate with cars or govern their movement.

Whether it's traffic lights, GPS or the digital short-range communications that will handle the upcoming autonomous car era, these systems may be more attractive targets for hackers or terrorists because they hold the potential to cause greater harm and because they're cheaper entry points.

"We hear connectivity in our vehicles is going to make life so much easier," he said. "It's actually a jungle out there ... So this talk about connected cars makes me nervous."

Automakers have increased their focus on cyber threats, forming a network earlier this year to share information on security threats. The National Highway Traffic Safety Administration opened a division in 2012 that examines vehicle cyber-security issues.

Traffic lights have become central targets. Already this year, two cyber-security research teams have gained access to traffic-light systems across the country and manipulated their signals.

Researcher Cesar Cerrudo demonstrated how he accessed traffic-light systems in dozens of cities earlier this summer, and last week, University of Michigan students announced they conducted similar experiments, manipulating more than 1,000 lights in one city alone.

In both cases, the researchers said the traffic-light systems are vulnerable because they're using unencrypted signals. "It was surprisingly easy," one student told NBC-TV.

"There Are No Rules"

The Department of Homeland Security issued an advisory earlier this year in the wake of Cerrudo's study. But Christy, who has debriefed the White House on cyber-security concerns throughout his career and now runs his own consulting group, said federal officials are ill-prepared to deal with these security lapses. Private contractors usually administer and operate these systems; the government knows little about their security precautions.

"There are no rules on how they protect them," he said.

That vacuum poses a problem not just for traffic lights, but also other critical infrastructure components, like dams, water-treatment facilities, oil pipelines and power grids. Christy likens the lack of federal standards to an era in which building codes had not yet been adopted and sprinklers weren't yet required.

He believes it is naive to think infrastructure systems haven't already been probed, and as connected cars develop, they'll be targeted too.

"With the connected car, they think all this will be used for good, but I come from the other side of the house and watch how people exploit these," he said. "A lot of systems depend on GPS. What if that goes away or is corrupted? There are nation-states that spend tons of money to exploit this when they need to."

Cars Take More Effort To Hack

Increasingly, it may be cheaper for them to target traffic systems rather than cars themselves.

Chris Valasek, director of vehicle research at IOActive Security, who has published two studies on car hacking, says the process of infiltrating a vehicle's systems can be both laborious and expensive. Software used to govern vehicle components is unfamiliar and more complex, so there's a longer learning curve for hackers.

"If you want to attack a browser, you download it for free," he said. "If you want to attack a car, you have to buy a car."

Third-party devices brought into a car, such as a smartphone that pairs with Bluetooth or OBD port plug-ins, can provide entry points at a fraction of the time or financial investment. To that end, both Christy and Valasek are skeptical that OEMs and transportation officials can corral the growing cyber threats faced by motorists. Whether it's by directly manipulating car controls or by attacking the overall traffic environment, the entry points keep expanding and these systems are inherently vulnerable to breaches.

"I don't think there is ever a solution in security," Valasek said. "There's taking acceptable levels of risk."

Put more bluntly, Christy said, "Everything that has been built has been broken."
