In films like Die Hard 4 and The Italian Job, hijacking traffic lights over the Internet looks easy. But the actual hacking of traffic lights, demonstrated by security researchers last year, proved to be more labor-intensive, requiring someone to be within radio range of the device.
Now, a pair of Dutch researchers have shown how hackers can actually manipulate traffic data to easily connect to a traffic light from anywhere in the world, though thankfully not in the Hollywood style that could cause massive clashes.
At Thursday’s Defcon hacker conference, Dutch security researchers Rick van Duijn and Wesley Nielen will present their findings on vulnerabilities in an "intelligent transportation" system that would allow them to influence traffic lights over the Internet in at least 10 different cities in the Netherlands. Their hacker could create non-existent bikes ostensibly approaching an intersection by tricking the traffic system into giving those bikes a green light and showing a red light to any other vehicles attempting to cross the road in a perpendicular direction. They warn that their simple technique could potentially be used to annoy drivers who are left waiting at an empty intersection. Or, if intelligent transportation systems are implemented on a much larger scale,
“We were able to get the system to see a cyclist at an intersection that isn’t actually there, and we could do it from anywhere," Nilen says. “We could do the same trick at multiple traffic lights at the same time from the comfort of our home, and that would allow us to interrupt traffic in the city.”
Nielen and van Duijn, co-founders of security applied research firm Zolder, say they were curious earlier this year about a collection of smartphone apps advertised to residents in the Netherlands who claimed that when the app was activated, cyclists were given more green light. In the Netherlands, cities have integrated traffic lights with apps like Schwung and CrossCycle, which tell the driver’s location and, when possible, turn the lights to green as they approach an intersection.
But given that the location information of the cyclist comes from his smartphone, the two researchers immediately wondered if they could tamper with the data to cause damage.
“We were just surprised that user input was allowed in systems that control traffic lights,” says Neelen. “I thought I could fake it somehow. I was really curious how they prevent that.”
It turns out that some applications did not interfere with this at all. Neelen and van Duijin found they could reverse engineer one of the Android apps—they didn’t say which apps they were testing because the issues they found had not yet been fixed. Fake data sent from a hacker’s laptop could tell a traffic light that a cyclist with a smartphone is in any location chosen by the hackers on the GPS.
Initially, the app, whose data was spoofed by Neelen and van Duijn, only worked to affect a couple of traffic lights in the Dutch city of Tilburg. The videos below demonstrate the light color change from red to green on command, albeit with a delay in the first demo. (The bike does not always get immediate priority)
Later, Nielen and van Duijn discovered the same spoofing vulnerability in another similar application with a much broader implementation – they say it was deployed at hundreds of traffic lights in 10 Dutch cities, although they only tested it in the western Dutch city of Dordrecht.
Hacking traffic lights is not new, although rarely is it so easy. Neelen and van Duijn say they have now alerted the developers of both apps, which they have found to be vulnerable to their spoofing.
But even when the vulnerabilities they found have been patched, they say their research should serve as a warning about the broader risks of smart transportation infrastructure, as these systems become key elements in urban traffic optimization beyond mere bike-friendliness. “Imagine if you could create hundreds of fake trucks in different cities. If the wrong traffic light turns red, you have a problem and it causes huge delays,” says van Duijn. "Now that we’re talking about building these intelligent transportation systems, we need to be damn sure we’re thinking more about safety."