Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

Researchers Hack Into Michigan’s Traffic Lights

Security flaws in a system of networked stoplights point to looming problems with an increasingly connected infrastructure.

Vulnerable traffic infrastructure could lead to accidents and congestion.

Ever get lucky enough to hit three or four green lights in a row on your way home from work? It turns out it might not be so hard to make that happen all the time.

Traffic hack: Researchers gained control of these traffic lights after hacking into a system of nearly 100 networked intersections.

With permission from a local road agency, researchers in Michigan hacked into nearly 100 wirelessly networked traffic lights, highlighting security issues that they say are likely to pervade networked traffic infrastructure around the country. More than 40 states currently use such systems to keep traffic flowing as efficiently as possible, helping to reduce emissions and delays.

The team, led by University of Michigan computer scientist J. Alex Halderman, found three major weaknesses in the traffic light system: unencrypted wireless connections, the use of default usernames and passwords that could be found online, and a debugging port that is easy to attack.

“The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness,” the researchers report in a paper they’re presenting this week at a computer security conference. They did not disclose exactly where in Michigan they did the research.

Although the road agency responsible for implementing the system has never faced serious computer security threats, the possibility will become more worrisome as transportation authorities and car makers test new ways for infrastructure and vehicles to communicate in order to reduce congestion and accidents (see “The Internet of Cars Is Approaching a Crossroads”).

“They need to be worrying about this and think about security—it needs to be one of their top priorities,” says Branden Ghena, a graduate student who worked on the project. “It’s hard to get people to care about these things in the same way that it’s hard to get people to change their passwords.”

Wirelessly networked traffic lights have four key components. There are sensors that detect cars, controllers that use the sensor data to control the lights at a given intersection, radios for wireless communication among intersections, and malfunction management units (MMUs), which return lights to safe fallback configurations if an “invalid” configuration occurs. For example, if somehow every light at an intersection is green, the system might fall back to having them all become flashing red lights.

The Michigan researchers found that anyone with a computer that can communicate at the same frequency as the intersection radios—in this case, 5.8 gigahertz—could access the entire unencrypted network. It takes just one point of access to get into the whole system.

After gaining access to one of the controllers in their target network, the researchers were able to turn all lights red or alter the timing of neighboring intersections—for example, to make sure someone hit all green lights on a given route. They could also trigger the lights’ MMUs by attempting invalid configurations.

At the end of their report, Halderman and his group propose simple recommendations for improving the security of traffic infrastructure. First and foremost, traffic-system administrators should not use default usernames and passwords. Also, they should stop broadcasting communications unencrypted for “casual observers and curious teenagers” to see.

The researchers note that their study has implications beyond traffic lights. More and more devices like voting machines (see “Why You Can’t Vote Online”), cars, and medical devices are computer controlled and will ultimately be networked. This “phase change,” as they call it, comes with “potential for catastrophic security failures.”

Another researcher who has investigated traffic infrastructure, Cesar Cerrudo, the chief technology officer of the computer security company IOActive Labs, says he was not surprised by the Michigan group’s findings.

“We have been finding vulnerabilities for a long time, but hardware vendors still don’t seem to ‘get it,’” Cerrudo wrote in an e-mail. “They continue doing the same mistakes that software vendors did 10 years ago.”

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.