It may explain how Jack Bauer of "24" is able to cruise from one end of Los Angeles to the other in under 15 minutes, but the ability to control traffic lights with a laptop is neither fiction or a difficult task, according to the results of a study conducted by researchers at the University of Michigan.
The researchers performed close to 100 attacks on networked traffic lights during their case study, which was sanctioned by an undisclosed road agency in Michigan.
"While traffic control systems may be built to fail into a safe state, we have shown that they are not safe from attacks by a determined adversary," stated the study. "With the appropriate hardware and a little effort, an adversary can reconfigure a traffic controller to suit her needs."
The study found the traffic lights, and others like them around the country, were vulnerable in three areas. The traffic control systems operated on unsecured wireless connections, their poor authentication used default credentials, and their traffic controller could be modified with existing software.
The wireless radios in the traffic lights operated on common frequencies, such as 900 MHz and 5.8 GHz, frequencies that are accessible by laptops and smartphones. With a recognized 16-bit ID, a Wi-Fi-enabled device could imitate a traffic light and exchange information with a traffic controller, researchers found.
The researchers determined that the vulnerability of networked traffic lights could be exploited to overtly launch denial of service attacks or subtly to create traffic jams. An attacker could also hack into networked traffic lights for personal gain, such as setting lights to green to keep traffic flowing along a personal route or harassing an individual with roadways lit with stop signals.
"The industry as a whole needs to understand the importance of security, and the standards it follows should be updated to reflect this," the study stated. "Security must be engineered into these devices from the start rather than bolted on later. Until these systems are designed with security as a priority, the security of the entire traffic infrastructure will remain at serious risk."
With infrastructure elements steadily progressing toward networked states, the researchers stated they plan to study other traffic control models and to investigate "connected vehicles."
Back in June, security firm Symantec warned that an Eastern European group of hackers it dubbed Dragonfly intruded into the U.S. and European energy community, attacking multiple organizations through various avenues. While Symantec said the group's motive appeared to be cyberespionage, it stated that the group, also known as Energetic Bear, had the potential to inflict serious damage on the systems it compromised. The sophistication of the hacker's attacks indicate they could be state sponsored, Symantec said.
