Are Traffic Lights A Cyber-Security Issue?
If you’ve seen the movie, The Shawshank Redemption, you saw an old-school version of a high-tech problem. The film's hero, played by actor Tim Robbins, escapes from prison by taking a route nobody thought to secure: the facility's sewer line.
High-tech criminals are constantly looking for ways to infiltrate the most secure and critical environments in unlikely places as well. An one route, according to Wired, may be through traffic lights.
In his blog post, security researcher Cesar Cerrudo says vulnerabilities in traffic light systems “found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less).”
According to a Cerrudo, it’s not the actual traffic lights that are unsecure. Instead, it’s the sensor embedded in the road that controls the signal.
Related: Netflix And Comcast in War of Words
When the magnetic sensors send data to the traffic signal, that data is completely unencrypted. And while the hacker can’t gain direct control of the traffic light, they can send fake data. For example, if the attacker wants to tie up traffic in a certain area, he or she could manipulate the data sent to the light to cause it to turn red -- and stay that way as long as they wanted.
When you start thinking about the implications of such control, the problem quickly moves it from a minor annoyance to a major security event. To think of a worst-case scenario, what if somebody were attacking a building and wanted to tie up traffic around it to cause more causalities? What if somebody was attacking a high profile person and wanted to pin them inside a certain area?
Sure, those two scenarios are extreme -- something you've probably seen in Hollywood movies -- but as the world becomes increasingly more sensitive to cyber terrorism, the second part of the story is even more intriguing.
When Cerrudo took his findings to ICS-CERT, a Department of Homeland Security office that address security issues, they told him the lack of encryption was intentional and that newer systems are now encrypted. According to Cerrudo’s blog post, Sensys -- the company that makes the sensors -- told him that, since the sensor doesn’t directly control the signal, there’s no need for the data to be encrypted.
Sensys told Wired they were happy with the system and that they had nothing to add.
Cerrudo acknowledges that newer models are encrypted, but says that the tens of thousands of older models can only be upgraded by replacing the sensors -- something not currently in the works. And while he acknowledges that hacking the system takes some specialized equipment, he was able to call the company and order it without issue.
It's true that, at least for now, gaining control of critical government computers isn’t going to happen through a traffic light-- but as cities become more connected, criminals will look for the most unlikely places to find ways to steal data.
What surprised Cerrudo the most was the lack of urgency on the part of the company or the government offices he contacted. He described all of the “excuses” that Sensys and ICS-CERT gave him as, “crazy.”
© 2014 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.