Researcher Finds Potholes In Vehicle Traffic Control SystemsHundreds of thousands of road traffic sensors and repeater equipment are at risk of attack, researcher says.
LAS VEGAS — DEF CON 22 — Smart traffic sensor systems that help regulate and automate the flow of traffic and lights contain security weaknesses that could be manipulated by hackers and result in traffic jams or even crashes, a researcher showed here today.
Cesar Cerrudo, CTO at IOActive, here at the DEF CON 22 hacker conference, detailed how he was able to build a prototype access point device that could communicate with the network of sensors, repeaters, and access point devices stationed along roads and highways in some major cities in the US. Cerrudo said he found that the devices communicate traffic information wirelessly in clear text and don't authenticate the data they receive, leaving them open to potential sabotage.
He said there are some 200,000 wireless Sensys Networks sensors buried below roadways plus repeaters mounted on poles, mostly in the US. The sensors detect vehicles, and that data ultimately dictates the timing of traffic lights and electronic traffic event alerts on the highway.
"It's about $100 million worth of equipment that can probably be bricked and cause a traffic jam. You can send fake data that there's no traffic there, and cause a big mess."
An attacker would need to know the configuration of the road intersection, for example, where the access point, repeaters, and sensors are stationed. "You can sniff the wireless data, learn how the system was configured, how it was working, and then just launch an attack with fake data." The access point will accept the phony traffic data, he said.
Because the sensors don't authenticate the origin of the data they receive, an attacker could push them malware-laden firmware as an update, for example. Nor is the sensor's firmware digitally signed, he said, leaving the door open for malicious code installation. Cerrudo reported his findings to ICS-CERT, which handles vulnerability disclosures in critical infrastructure systems.
"The problem is the firmware is not encrypted, and the communications channel is not encrypted," Cerrudo said. "That makes the device vulnerable, so anyone can update the firmware wirelessly without encryption."
But Sensys Networks, meanwhile, says it has built-in features in its traffic control equipment that would protect against the download of unauthorized code to its sensors, as well as "attempts to insert false detection data." The company said in a statement that customers are notified if any rogue activity occurs with the devices.
Cerrudo said Sensys, in response to his research, the bulk of which was first made public in April, maintained that it had originally included encryption in the sensors, but ultimately removed the feature after its customers requested it. "That's a really crazy answer," said Cerruto.
Sensys Networks had not responded to the encryption issue as of this posting.
The devices operate over the 802.15 PHY wireless protocol, which provides a low data rate and low power consumption option for this type of network traffic. Cerrudo said the sensors include a Texas Instruments MSP430 microcontroller that runs a version of Linux.
Cerrudo was able to carry in a backpack his prototype access point to passively test access to the traffic control systems in major cities, including Washington and New York. He was able to reach them by pointing his backpack at the APs, from a maximum of 150 feet from the real access point.
But he was also able to access the traffic control equipment from about 650 feet, using a drone he rented. "I'm sure you can go higher… you just need a line of sight."
Like other researchers who are rooting out security bugs and flaws in embedded devices in critical infrastructure equipment, home automation systems, automobile automation features, and smart medical devices, Cerrudo acknowledges his work is likely well ahead of the real risk of malicious attacks. "Some of this hardware is very difficult to get -- you can't go to the store and buy it. That's good, because for the bad guys, it's not easy."
But Cerrudo says a determined attacker could do what he did -- "social-engineer" the equipment vendor to purchase the equipment, or even steal it.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio