In movies like Die Hard 4 and The Italian Job, hijacking traffic lights over the internet looks easy. But real-world traffic-light hacking, demonstrated by security researchers in years past, has proven tougher, requiring someone to be within radio range of every target light. Now a pair of Dutch researchers has shown how hackers really can spoof traffic data to mess with traffic lights easily from any internet connection—though luckily not in a Hollywood style that would cause mass collisions.
At the Defcon hacker conference Thursday, Dutch security researchers Rik van Duijn and Wesley Neelen will present their findings about vulnerabilities in an "intelligent transport" system that would allow them to influence traffic lights in at least 10 different cities in the Netherlands over the internet. Their hack would spoof nonexistent bicycles approaching an intersection, tricking the traffic system into giving those bicycles a green light and showing a red light to any other vehicles trying to cross in a perpendicular direction. They warn that their simple technique—which they say hasn't been fixed in all the cases where they tested it—could potentially be used to annoy drivers left waiting at an empty intersection. Or if the intelligent transport systems are implemented at a much larger scale, it could potentially even cause widespread traffic jams.
"We were able to fake a cyclist, so that the system was seeing a cyclist at the intersection, and we could do it from any location," says Neelen. "We could do the same trick at a lot of traffic lights at the same time, from my home, and it would allow you to interrupt the traffic flow across a city."
Neelen and van Duijn, who are cofounders of the applied security research firm Zolder, say they got curious earlier this year about a collection of smartphone applications advertised to Netherlanders that claimed to give cyclists more green lights when the app is activated. In pilot projects across the Netherlands, cities have integrated traffic signals with apps like Schwung and CrossCycle, which share a rider's location with traffic systems and, whenever possible, switch lights to green as they approach an intersection. The system functions as a smartphone-based version of the sensors that have long been used to detect the presence of a vehicle waiting at a red light, optimized so that a bike rider doesn't have to stop.
But given that the information about the cyclist's location comes from the user's smartphone, the two researchers immediately wondered if they could inject spoofed data to wreak havoc. "We were just surprised that user input is getting allowed into systems that control our traffic lights," says Neelen. "I thought, somehow I’ll be able to fake this. I was really curious how they were preventing this."
As it turns out, some of the apps weren't preventing it at all. Neelen and van Duijn found they could reverse engineer one of the Android apps—they declined to tell WIRED which apps they tested, since the problems they found aren't yet fixed—and generate their own so-called cooperative awareness message, or CAM, input. That spoofed CAM data, sent using a Python script on the hackers' laptop, could tell traffic lights that a smartphone-carrying cyclist was at any GPS location the hackers chose.
Initially, the app whose CAM inputs Neelen and van Duijn spoofed only worked to influence a couple of traffic lights in the Dutch city of Tilburg. In the videos below, the pair demonstrates changing the light from red to green on command, albeit with a delay in the first demo. (The nonexistent bicycle doesn't always get immediate priority in Tilburg's smartphone-optimized traffic system.)
Neelen and van Duijn later found the same spoofing vulnerability in another, similar app with a much wider implementation—they say it had been rolled out to hundreds of traffic lights in 10 Dutch cities, although they tested it only in the West Netherlands city of Dordrecht. "It's the same vulnerability," Neelen says. "They just accept whatever you put into them."
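To show what a backend that does not "accept whatever you put into them" might check, here is an added sketch of server-side validation for position reports; it is not code from the apps, the vendors or the researchers. The report fields, the per-device enrollment keys, the pipe-delimited signing format and both thresholds are assumptions made for illustration and do not reflect the real CAM encoding.

```python
import hashlib, hmac, math

MAX_CYCLIST_SPEED_MS = 15.0  # assumption: ~54 km/h ceiling for a bicycle
MAX_CLOCK_SKEW_S = 5.0       # assumption: tolerated phone/server clock drift

def sign_report(key, device_id, lat, lon, ts):
    """MAC over every field the server acts on (hypothetical wire format)."""
    msg = f"{device_id}|{lat:.6f}|{lon:.6f}|{ts:.3f}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_report(key, device_id, lat, lon, ts):
    """Client side: build a signed position report."""
    return {"device_id": device_id, "lat": lat, "lon": lon, "ts": ts,
            "mac": sign_report(key, device_id, lat, lon, ts)}

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

class ReportValidator:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key issued at enrollment
        self.last_seen = {}             # device_id -> last accepted report

    def check(self, report, now):
        """Return 'accept' or a 'reject: ...' reason for one report."""
        dev = report["device_id"]
        key = self.device_keys.get(dev)
        if key is None:
            return "reject: unknown device"
        good = sign_report(key, dev, report["lat"], report["lon"], report["ts"])
        if not hmac.compare_digest(good, str(report.get("mac", ""))):
            return "reject: bad mac"
        if abs(now - report["ts"]) > MAX_CLOCK_SKEW_S:
            return "reject: stale timestamp"
        prev = self.last_seen.get(dev)
        if prev is not None:
            dt = report["ts"] - prev["ts"]
            if dt <= 0:
                return "reject: replay or out of order"
            dist = haversine_m(prev["lat"], prev["lon"], report["lat"], report["lon"])
            if dist / dt > MAX_CYCLIST_SPEED_MS:
                return "reject: implausible movement"
        self.last_seen[dev] = report
        return "accept"
```

The signature only ties a report to an enrolled device, and anyone holding their own device's key can still sign a false position. The freshness and movement checks therefore limit what one device can claim rather than proving that a cyclist is physically present.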
Hacking traffic lights isn't entirely new, though it's rarely been so simple. Cesar Cerrudo, a researcher at security firm IOActive, revealed in 2014 that he had reverse engineered and could spoof the communications of traffic sensors to influence traffic lights, including those in major US cities. Researchers at the University of Michigan published a paper the same year on hacking the traffic controller boxes located at street intersections, which receive the inputs from road sensors. The vulnerabilities that Cerrudo and the Michigan researchers found likely affected far more traffic lights than those exposed by the Dutch researchers at Defcon. Cerrudo also says that he tested his technique in San Francisco a year after disclosing it to the affected sensor companies and found that it still worked there.
But those earlier techniques required communicating via radio with the vulnerable equipment, so that a hacker needed to be within radio range, limiting the attack to a range of a couple thousand feet at maximum. Neelen and van Duijn's technique works remotely over the internet, so it can be carried out at many intersections simultaneously, from anywhere in the world. "This attack sounds very easy to do," Cerrudo says. "It's very cool that you can just reverse engineer an app and start sending fake locations about ghost bikes and cause problems with traffic."
Neelen and van Duijn say they've now warned the makers of both apps they found to be vulnerable to their spoofing. In the case of the more widely deployed system, though, they told the company just one month ago.
But even when the vulnerabilities they found are fixed, they say their research should serve as a warning about the more general risks of "smart" transportation infrastructure, as those systems roll out as key parts of optimizing urban traffic beyond a mere convenience for bicycles. "Imagine you could create hundreds of fake trucks across cities. If the wrong traffic lights start turning red, you have an issue, and it would cause huge delays," van Duijn says. "Now that we’re talking about building these intelligent transport systems, we need to be damn sure to think more about security."