Could an attacker manipulate traffic signals so that they behave maliciously, causing traffic jams and rerouting vehicles? The answer is yes, according to findings due to be presented at the Infiltrate conference in Florida by Cesar Cerrudo, an Argentinian security researcher who works with IOActive. The traffic lights themselves are not the direct target. Instead, the sensors associated with the signals could be tricked into sending false data, which misleads the traffic controller. In response, the traffic controller might divert traffic into a congested area or toward a bottleneck such as a bridge or turn, which may cause accidents.
Cerrudo successfully intercepted the signals of Sensys Networks VDS240 wireless vehicle detection systems, which, according to company documents, are installed in 40 states and have more than 50,000 sensors operating in 10 countries, including the United Kingdom, China, Canada, Australia, and France. The system consists of magnetic sensors that are embedded in roadways and send signals wirelessly to nearby access points and repeaters. These signals are then sent to traffic signal controllers. Cerrudo obtained an access point from Sensys Networks by deception for 4000 USD, although it is in principle supposed to be sold only to governments, and then placed it in a backpack or on a car's dashboard. The software for the access point is freely downloadable from the Sensys Networks website, which makes it easy to read the signals.
The wireless signals do not follow any security protocol and are not even encrypted, so anyone with a simple transceiver can read them. A powerful antenna could increase the range from 150 feet to as much as 1,500 feet. Cerrudo himself used a drone and was able to send signals from up to 600 feet in the air.
“By sniffing 802.15.4 wireless traffic on channels used by Sensys Networks devices,” Cerrudo wrote in an advisory he sent to the Department of Homeland Security’s ICS-CERT division last year, “it was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices.”
Brian Fuller, Sensys Networks’ vice president of engineering, told WIRE that the DHS was “happy with the system,” and he declined to comment further on the matter.