Experiment shows that hackers could take control of traffic lights

Image: Getty.

The growing extent to which our day-to-day infrastructure is computer-controlled and internet-connected leaves it open to the possibility that malicious hackers could intercept data or take control of devices.

Often this sort of critical infrastructure is obvious: for example in electricity generation or supply, in large datacentres where hundreds or thousands of web-based companies are based, or in financial services. But often it is the least obvious elements that are most open to attack. For example, attacking the air conditioning system at a datacentre could cause catastrophic overheating of the computers there. Or affecting the control of traffic around a city or region, reducing roads to gridlock.

As we move towards a situation where computers control and optimise our lives using the data they record about us, our dependence on them grows, as does their vulnerability to failure. Protecting the technology we rely on for our day-to-day lives from attack or failure must be a priority.

Traffic light hacking

To prove this point, a group of security researchers led by Alex Halderman at the University of Michigan published a report of how they managed to use a laptop and an off-the-shelf radio transmitter to break into and control more than 100 traffic light signals in Michigan City.

In order to be ethical in their approach they gained full permission from the road agency, and ensured there was no danger to drivers. The experiment was a test to see just how easily the traffic control infrastructure could be compromised.

In the US, the radio frequency used by traffic light controllers is typically in the industrial, scientific and medical (ISM) band at 900MHz or 5.8GHz. This means that the researchers were able to buy widely available wireless equipment to communicate with the devices.

What they found was weak wireless security with the use of open and unencrypted radio signals. This allows would-be intruders to eavesdrop on network traffic travelling over wireless radio signals to and from the traffic light controllers. In this way it’s possible to see the usernames and passwords being used – and they found that the usernames and passwords used were in any case set to factory defaults, and could be easily found on the internet. The controllers also had a physical port for debugging at street level that was physically accessible and easily compromised.

 

 

How traffic lights are controlled. Image: Bill Buchanan.

Traffic light controllers are linked to an induction loop buried in the ground that monitors traffic passing through the junction, and to cameras that provide the colour of lights to the controller and, via radio transmitters, a live visual feed to road agency staff.

A malfunction management unit (MMU) ensures that the lights are not put into an unsafe state, such as showing red and green at the same time. The lights change colour according to the information the controller receives from the induction loop and camera, so that, if there is a good deal of traffic at the lights, the flow will be adjusted accordingly.

If malicious attackers can gain control of the MMU the lights can be forced into unsafe states or to steady red or steady green, which could cause traffic chaos citywide. The researchers found that just making a single connection between two wires would provide full control of the traffic lights.

Too many open doors

A typical security problem with many control systems is that there is often a physical connector known as a debugging port, used for troubleshooting, that is unsecured and provides easy access or information to attackers. A debugging port typically outputs status or error messages to devices connected to it, and from this information attackers can work out what electronic devices are being used and what software is being run. This provides vital information that helps an attacker find flaws or vulnerabilities that can be used to take control. It can also allow commands to be sent to the controller.

The researchers also found that the controller and MMU don’t take any steps to verify that the messages they receive are from where they claim to be, and not from some other source. As the messages were not encrypted in any way, it was possible to analyse them and work out how to reproduce the correct commands, hijacking the channel and sending commands to operate the lights (a man in the middle attack). It was even possible to access the controller remotely, and ultimately the team was able to operate all the lights in the neighourhood.

They also found that you could attack the malfunction unit with incorrect signals to make it put the lights in a failure state, so for example all red - using a Denial of Service (DoS) method.

A metaphorical red light

Messing about with traffic lights may seem foolish, but this shows the system has several weaknesses, of design and implementation, that make it easy to attack. It’s clear that security was not a major concern in how it was designed and built – and therein lies the problem. This is not a small issue; this type of system is used in more than 60% of the traffic junctions in the US.

If a malicious hacker wanted to bring a city to a standstill, this is how they could do it, fairly easily. And this isn’t just about traffic – there are many other types of critical systems infrastructure – telecommunications, power transmission, and others – that have been designed and installed over many decades with the same lax approach to security. Engineers need to start designing infrastructure that is secure by design, or it will be more than just traffic jams to worry about.

Bill Buchanan is the head of the Centre for Distributed Computing, Networks and Security at Edinburgh Napier University. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.

 
 
 
 

Seven climate change myths put about by big oil companies

Oil is good for you! Image: Getty.

Since the start of this year, major players within the fossil fuel industry – “big oil” – have made some big announcements regarding climate change. BP revealed plans to reduce its greenhouse gas emissions by acquiring additional renewable energy companies. Royal Dutch Shell defended its $1-$2bn green energy annual budget. Even ExxonMobil, until recently relatively dismissive of the basic science behind climate change, included a section dedicated to reducing emissions in its yearly outlook for energy report.

But this idea of a “green” oil company producing “clean” fossil fuels is one that I would call a dangerous myth. Such myths obscure the irreconcilability between burning fossil fuels and environmental protection – yet they continue to be perpetuated to the detriment of our planet.

Myth 1: Climate change can be solved with the same thinking that created it

Measures put in place now to address climate change must be sustainable in the long run. A hasty, sticking plaster approach based on quick fixes and repurposed ideas will not suffice.

Yet this is precisely what some fossil fuel companies intend to do. To address climate change, major oil and gas companies are mostly doing what they have historically excelled at – more technology, more efficiency, and producing more fossil fuels.

But like the irresponsible gambler that cannot stop doubling down during a losing streak, the industry’s bet on more, more, more only means more ecological destruction. Irrespective of how efficient fossil fuel production becomes, that the industry’s core product can be 100 per cent environmentally sustainable is an illusion.

A potential glimmer of hope is carbon capture and storage (CCS), a process that sucks carbon out of the air and sends it back underground. But despite being praised by big oil as a silver bullet solution for climate change, CCS is yet another sticking plaster approach. Even CCS advocates suggest that it cannot currently be employed on a global, mass scale.

Myth 2: Climate change won’t spell the end of the fossil fuel industry

According to a recent report, climate change is one factor among several that has resulted in the end of big oil’s golden years – a time when oil was plenty, money quick, and the men at the top celebrated as cowboy capitalists.

Now, to ensure we do not surpass the dangerous 2°C threshold, we must realise that there is simply no place for “producers” of fossil fuels. After all, as scientists, financial experts, and activists have warned, if we want to avoid dangerous climate change, the proven reserves of the world’s biggest fossil fuel companies cannot be consumed.

Myth 3: Renewables investment means oil companies are seriously tackling climate change

Compared to overall capital expenditures, oil companies renewables’ investment is a miniscule drop in the barrel. Even then, as companies such as BP have demonstrated before, they will divest from renewables as soon as market conditions change.

Big oil companies’ green investments only produce tiny reductions in their overall greenhouse gas emissions. BP calls these effects “real sustainable reductions” – but they accounted for only 0.3 per cent of their total emissions reductions in 2016, 0.1 per cent in 2015, 0.1 per cent in 2014, and so on.


Myth 4: Hard climate regulation is not an option

One of the oil industry’s biggest fears regarding climate change is regulation. It is of such importance that BP recently hinted at big oil’s exodus from the EU if climate regulation took effect. Let’s be clear, we are talking about “command-and-control” regulation here, such as pollution limits, and not business-friendly tools such as carbon pricing or market-based quota systems.

There are many commercial reasons why the fossil fuel industry would prefer the latter over the former. Notably, regulation may result in a direct impact on the bottom line of fossil fuel companies given incurred costs. But climate regulation is – in combination with market-based mechanisms – required to address climate change. This is a widely accepted proposition advocated by mainstream economists, NGOs and most governments.

Myth 5: Without cheap fossil fuels, the developing world will stop

Total’s ex-CEO, the late Christoph de Margerie, once remarked: “Without access to energy, there is no development.” Although this is probably true, that this energy must come from fossil fuels is not. Consider, for example, how for 300 days last year Costa Rica relied entirely on renewable energy for its electricity needs. Even China, the world’s biggest polluter, is simultaneously the biggest investor in domestic renewables projects.

As the World Bank has highlighted, in contrast to big oil’s claims about producing more fossil fuels to end poverty, the sad truth is that by burning even the current fossil fuel stockpile, climate change will place millions of people back into poverty. The UN concurs, signalling that climate change will result in reduced crop yields, more waterborne diseases, higher food prices and greater civil unrest in developing parts of the world.

Myth 6: Big oil must be involved in climate policy-making

Fossil fuel companies insist that their involvement in climate policy-making is necessary, so much so that they have become part of the wallpaper at international environmental conferences. This neglects that fossil fuels are, in fact, a pretty large part of the problem. Big oil attends international environmental conferences for two reasons: lobbying and self-promotion.

Some UN organisations already recognise the risk of corporations hijacking the policy-making process. The World Health Organisation, for instance, forbids the tobacco industry from attending its conferences. The UN’s climate change arm, the UNFCCC, should take note.

Myth 7: Nature can and must be “tamed” to address climate change

If you mess with mother nature, she bites back. As scientists reiterate, natural systems are complex, unpredictable, and even hostile when disrupted.

Climate change is a prime example. Small changes in the chemical makeup of the atmosphere may have drastic implications for Earth’s inhabitants.

The ConversationFossil fuel companies reject that natural systems are fragile – as evidenced by their expansive operations in ecologically vulnerable areas such as the Arctic. The “wild” aspect of nature is considered something to be controlled and dominated. This myth merely serves as a way to boost egos. As independent scientist James Lovelock wrote, “The idea that humans are yet intelligent enough to serve as stewards of the Earth is among the most hubristic ever.”

George Ferns, Lecturer in Management, Employment and Organisation, Cardiff University.

This article was originally published on The Conversation. Read the original article.