It's pretty easy to hack traffic lights
Researchers from the University of Michigan EE/Computer Science Department presented their work on hacking traffic signals at this year's Usenix Security Symposium, and guess what? It's shockingly easy to pwn the traffic control system.
The researchers targeted the wireless control systems at each intersection, avoiding any tampering with the actual junction boxes, which might be detected by passers-by (though seriously, some high-viz vests and a couple of traffic cones would likely serve as perfect camouflage), and worked with the permission of a local Michigan traffic authority.
Some of the systems they probed operated in the "open" spectrum at 900MHz and 5.8MHz, and some on a designated safety band at 4.9GHz. These radio channels were used to network the traffic signals together. The networking protocol is proprietary and unencrypted, and uses non-modifiable default passwords that are published online by the systems' vendors. By default these systems have the debugging port turned on, which allows untrusted parties to seize control over the system. Controlling a traffic signal also yields control over its sensors, including traffic cameras.
Once inside a traffic light, attackers can alter the light timing, making the lights very short or very long, or permanently freezing them in one state.
However, the lights do have a hardware-based governor that disallows potentially lethal configurations (four-way greens) and trips when there are too many alterations in too short a time.
Denial of Service
A denial of service attack in this context refers to stopping normal light functionality. The most obvious way to cause a loss of service is to set all lights to red. This would cause traffic congestion and considerable confusion for drivers. Alternatively, the attacker could trigger the MMU to take over by attempting an unsafe configuration. This would cause the lights to enter a safe but suboptimal state. Since this state can be triggered remotely, but cannot be reset without physical access to the controller, an adversary can disable traffic lights faster than technicians can be sent to repair them. These attacks are overt and would quickly be detected by road agency personnel, who would be left with the recourse of disabling network connections between intersections.

Traffic Congestion
More subtly, attacks could be made against the entire traffic infrastructure of a city which would manipulate the timings of an intersection relative to its neighbors. The effect would be that of a poorly managed road network, causing significant traffic congestion but remaining far less detectable than overt actions. This type of attack could have real financial impacts on a community. One study by the city of Boston calculated that simply reconfiguring the timings of 60 intersections in one district of the city could save $1.2 million per year in person-hours, safety, emissions, and energy costs [2].

Light Control
An attacker can also control lights for personal gain. Lights could be changed to be green along the route the attacker is driving. Since these attacks are remote, this could even be done automatically as she drove, with the lights being reset to normal functionality after she passes through the intersection. More maliciously, lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response.
Green Lights Forever: Analyzing the Security of Traffic Infrastructure [Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman/Usenix]
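To make the hardware governor and its denial-of-service side effect concrete, here is an added Python model; it is not code from the paper or from any vendor. The phase names, the conflict table and the rate threshold are assumptions, since the article gives no values. It shows why a safety interlock that latches until someone visits the cabinet protects drivers but not availability.

```python
from collections import deque

# Constructed conflict table for a simple four-way junction (assumption).
CONFLICTS = {frozenset({"NS", "EW"})}


class ConflictMonitor:
    """Toy model of the hardware governor (the MMU) described in the article."""

    def __init__(self, max_changes=3, window_s=10.0):
        # max_changes and window_s are assumed values, not taken from the paper.
        self.max_changes = max_changes
        self.window_s = window_s
        self.recent = deque()          # timestamps of recently accepted changes
        self.state = {"NS": "red", "EW": "red"}
        self.failsafe = False          # latched: only physical_reset() clears it

    def request(self, now, wanted):
        """Handle a networked request for a new signal state at time `now`."""
        if self.failsafe:
            return "ignored: latched in fail-safe"
        greens = {p for p, colour in wanted.items() if colour == "green"}
        if any(pair <= greens for pair in CONFLICTS):
            return self._trip("conflicting greens")
        # Forget changes that have aged out of the rate window.
        while self.recent and now - self.recent[0] > self.window_s:
            self.recent.popleft()
        self.recent.append(now)
        if len(self.recent) > self.max_changes:
            return self._trip("too many changes")
        self.state = dict(wanted)
        return "applied"

    def _trip(self, reason):
        # The unsafe state never reaches the lamps; the junction drops to a
        # safe but suboptimal mode and stays there.
        self.failsafe = True
        self.state = {p: "failsafe" for p in self.state}
        return "tripped: " + reason

    def physical_reset(self):
        """Models a technician at the cabinet; there is no network equivalent."""
        self.failsafe = False
        self.recent.clear()
        self.state = {p: "red" for p in self.state}
```

The defensive takeaway is that the request path, not the monitor, is where authentication has to sit: the monitor cannot tell an operator from anyone else on the radio network.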