Experiment shows that hackers could take control of traffic lights

Image: Getty.

The growing extent to which our day-to-day infrastructure is computer-controlled and internet-connected leaves it open to the possibility that malicious hackers could intercept data or take control of devices.

Often this sort of critical infrastructure is obvious: for example in electricity generation or supply, in large datacentres where hundreds or thousands of web-based companies are based, or in financial services. But often it is the least obvious elements that are most open to attack. For example, attacking the air conditioning system at a datacentre could cause catastrophic overheating of the computers there. Or affecting the control of traffic around a city or region, reducing roads to gridlock.

As we move towards a situation where computers control and optimise our lives using the data they record about us, our dependence on them grows, as does their vulnerability to failure. Protecting the technology we rely on for our day-to-day lives from attack or failure must be a priority.

Traffic light hacking

To prove this point, a group of security researchers led by Alex Halderman at the University of Michigan published a report of how they managed to use a laptop and an off-the-shelf radio transmitter to break into and control more than 100 traffic light signals in Michigan City.

In order to be ethical in their approach they gained full permission from the road agency, and ensured there was no danger to drivers. The experiment was a test to see just how easily the traffic control infrastructure could be compromised.

In the US, the radio frequency used by traffic light controllers is typically in the industrial, scientific and medical (ISM) band at 900MHz or 5.8GHz. This means that the researchers were able to buy widely available wireless equipment to communicate with the devices.

What they found was weak wireless security with the use of open and unencrypted radio signals. This allows would-be intruders to eavesdrop on network traffic travelling over wireless radio signals to and from the traffic light controllers. In this way it’s possible to see the usernames and passwords being used – and they found that the usernames and passwords used were in any case set to factory defaults, and could be easily found on the internet. The controllers also had a physical port for debugging at street level that was physically accessible and easily compromised.



How traffic lights are controlled. Image: Bill Buchanan.

Traffic light controllers are linked to an induction loop buried in the ground that monitors traffic passing through the junction, and to cameras that provide the colour of lights to the controller and, via radio transmitters, a live visual feed to road agency staff.

A malfunction management unit (MMU) ensures that the lights are not put into an unsafe state, such as showing red and green at the same time. The lights change colour according to the information the controller receives from the induction loop and camera, so that, if there is a good deal of traffic at the lights, the flow will be adjusted accordingly.

If malicious attackers can gain control of the MMU the lights can be forced into unsafe states or to steady red or steady green, which could cause traffic chaos citywide. The researchers found that just making a single connection between two wires would provide full control of the traffic lights.

Too many open doors

A typical security problem with many control systems is that there is often a physical connector known as a debugging port, used for troubleshooting, that is unsecured and provides easy access or information to attackers. A debugging port typically outputs status or error messages to devices connected to it, and from this information attackers can work out what electronic devices are being used and what software is being run. This provides vital information that helps an attacker find flaws or vulnerabilities that can be used to take control. It can also allow commands to be sent to the controller.

The researchers also found that the controller and MMU don’t take any steps to verify that the messages they receive are from where they claim to be, and not from some other source. As the messages were not encrypted in any way, it was possible to analyse them and work out how to reproduce the correct commands, hijacking the channel and sending commands to operate the lights (a man in the middle attack). It was even possible to access the controller remotely, and ultimately the team was able to operate all the lights in the neighourhood.

They also found that you could attack the malfunction unit with incorrect signals to make it put the lights in a failure state, so for example all red - using a Denial of Service (DoS) method.

A metaphorical red light

Messing about with traffic lights may seem foolish, but this shows the system has several weaknesses, of design and implementation, that make it easy to attack. It’s clear that security was not a major concern in how it was designed and built – and therein lies the problem. This is not a small issue; this type of system is used in more than 60% of the traffic junctions in the US.

If a malicious hacker wanted to bring a city to a standstill, this is how they could do it, fairly easily. And this isn’t just about traffic – there are many other types of critical systems infrastructure – telecommunications, power transmission, and others – that have been designed and installed over many decades with the same lax approach to security. Engineers need to start designing infrastructure that is secure by design, or it will be more than just traffic jams to worry about.

Bill Buchanan is the head of the Centre for Distributed Computing, Networks and Security at Edinburgh Napier University. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.


Barnet council has decided a name for its new mainline station. Exciting!

Artist's impression of the new Brent Cross. Image: Hammerson.

I’ve ranted before about the horror of naming stations after the lines that they’re served by (screw you, City Thameslink). So, keeping things in perspective as ever, I’ve been quietly dreading the opening of the proposed new station in north London which has been going by the name of Brent Cross Thameslink.

I’ve been cheered, then, by the news that station wouldn’t be called that at all, but will instead go by the much better name Brent Cross West. It’s hardly the cancellation of Brexit, I’ll grant, but in 2017 I’ll take my relief wherever I can find it.

Some background on this. When the Brent Cross shopping centre opened besides the A406 North Circular Road in 1976, it was only the third large shopping mall to arrive in Britain, and the first in London. (The Elephant & Castle one was earlier, but smaller.) Four decades later, though, it’s decidedly titchy compared to newer, shinier malls such as those thrown up by Westfield – so for some years now, its owners, Hammerson, have wanted to extend the place.

That, through the vagaries of the planning process, got folded into a much bigger regeneration scheme, known as Brent Cross Cricklewood (because, basically, it extends that far). A new bigger shopping centre will be connected, via a green bridge over the A406, to another site to the south. There you’ll find a whole new town centre, 200 more shops, four parks, 4m square feet of offices space and 7,500 homes.

This is all obviously tremendously exciting, if you’re into shops and homes and offices and not into depressing, car-based industrial wastelands, which is what the area largely consists of at the moment.

The Brent Cross site. Image: Google.

One element of the new development is the new station, which’ll sit between Hendon and Cricklewood on the Thameslink route. New stations are almost as exciting as new shops/homes/offices, so on balance I'm pro.

What I’ve not been pro is the name. For a long time, the proposed station has been colloquially referred to as Brent Cross Thameslink, which annoys me for two reasons:

1) Route names make rubbish modifiers because what if the route name changes? And:

2) It’s confusing, because it’s nearly a mile from Brent Cross tube station. West Hampstead Thameslink (euch), by contrast, is right next to West Hampstead tube.

Various other names have been proposed for the station. In one newsletter, it was Brent Cross Parkway; on Wikipedia, it’s currently Brent Cross South, apparently through confusion about the name of the new town centre development.

This week, though, Barnet council quietly confirmed it’d be Brent Cross West:

Whilst the marketing and branding of BXS needs to be developed further, all parties agree that the station name should build upon the Brent Cross identity already established. Given the station is located to the west of Brent Cross, it is considered that the station should be named Brent Cross West. Network Rail have confirmed that this name is acceptable for operational purposes. Consequently, the Committee is asked to approve that the new station be named Brent Cross West.

Where the new station will appear on the map, marked by a silly red arrow. Image: TfL.

That will introduce another irritating anomaly to the map, giving the impression that the existing Brent Cross station is somehow more central than the new one, when in fact they’re either side of the development. And so:

Consideration has also been given as to whether to pursue a name change for the tube station from “Brent Cross” to “Brent Cross East”.

Which would sort of make sense, wouldn’t it? But alas:

However owing to the very high cost of changing maps and signage London-wide this is not currently being pursued.

This is probably for the best. Only a handful of tube stations have been renamed since 1950: the last was Shepherd’s Bush Market, which was until 2008 was simply Shepherd's Bush, despite being quite a long way from the Shepherd's Bush station on the Central line. That, to me, suggests that one of the two Bethnal Green stations might be a more plausible candidate for an early rename.

At any rate: it seems unlikely that TfL will be renaming its Brent Cross station to encourage more people to use the new national rail one any time soon. But at least it won’t be Brent Cross Thameslink.

Jonn Elledge is the editor of CityMetric. He is on Twitter as @jonnelledge and also has a Facebook page now for some reason. 

Want more of this stuff? Follow CityMetric on Twitter or Facebook