Hackers could engineer traffic jams, by using their cars to lie to smart traffic lights

Uhoh. Image: Getty.

The day when cars can talk to each other – and to traffic lights, stop signs, guardrails and even pavement markings – is rapidly approaching. Driven by the promise of reducing traffic congestion and avoiding crashes, these systems are already rolling out on roads around the U.S.

For instance, the Intelligent Traffic Signal System, developed with support from the U.S. Department of Transportation, has been tested on public roads in Arizona and California and is being installed more widely in New York City and Tampa, Florida. It allows vehicles to share their real-time location and speed with traffic lights, which can be used to effectively optimise the traffic timing in coordination with the real-time traffic demand to dramatically reduce vehicle waiting time in an intersection.

Our work, from the RobustNet Research Group and the Michigan Traffic Laboratory at the University of Michigan, focuses on making sure these next-generation transportation systems are secure and protected from attacks. So far we’ve found they are in fact relatively easy to trick. Just one car that’s transmitting fake data can cause enormous traffic jams, and several attack cars could work together to shut down whole areas. What’s particularly concerning is that our research has found the weakness is not in the underlying communication technology, but in the algorithms actually used to manage the traffic flow.

Misleading an algorithm

In general, algorithms are meant to take in a variety of inputs – such as how many cars are in various locations around an intersection – and calculate an output that meets a particular goal – such as minimising their collective delay at traffic lights. Like most algorithms, the traffic control algorithm in Intelligent Traffic Signal System – nicknamed “I-SIG” – assumes the inputs it’s getting are honest. That’s not a safe assumption.

The hardware and software in modern cars can be modified, either physically through the car’s diagnostic ports or over wireless connections, to instruct a car to transmit false information. Someone who wanted to compromise the I-SIG system could hack her own car using such methods, drive to a target intersection and park nearby.

Once parked near the intersection, we’ve found that the attacker could take advantage of two weaknesses in the algorithm controlling the light to extend the time a particular lane of traffic gets a green light – and, similarly, the time other lanes get red lights.

The first vulnerability we found, which we call “last vehicle advantage,” is a way of extending the length of a green-light signal. The algorithm keeps an eye on approaching cars, estimates how long the line of cars is and determines how long it thinks it will take for all the vehicles in a line of traffic to get through the intersection. This logic helps the system serve as many vehicles as possible in each round of light changes, but it can be abused. An attacker can instruct her car to falsely report joining the line of cars very late. The algorithm will then hold the attacked light green long enough for this nonexistent car to pass, leading to a green light – and correspondingly, red lights for other lanes – that is much longer than needed for the actual cars on the road.

We called the second weakness we found the “curse of the transition period,” or the “ghost vehicle attack”. The I-SIG algorithm is built to accommodate the fact that not all vehicles can communicate yet. It uses the driving patterns and information of newer, connected cars to infer the real-time location and speed of older, noncommunicating vehicles. Therefore, if a connected car reports that it is stopped a long distance back from an intersection, the algorithm will assume there is a long line of older vehicles queuing ahead of it. Then the system would allocate a long green light for that lane because of the long queue it thinks is there, but really isn’t.

These attacks happen by making a device lie about its own position and speed. That’s very different from known cyberattack methods, like injecting messages into unencrypted communications or having an unauthorised user logging in with a privileged account. Therefore, known protections against those attacks can do nothing about a lying device.

Results from a misinformed algorithm

Using either of these attacks, or both in concert with each other, can allow an attacker to give long periods of green lights to lanes with little or no traffic and longer red lights to the busiest lanes. That causes backups that grow and grow, ultimately building into massive traffic jams.

A congestion attack on a traffic signal control system.

This sort of attack on traffic lights could be just for fun or for the attacker’s own benefit. Imagine, for example, a person who wants to have a faster commute adjusting his own traffic-light timing, at the expense of other drivers’ delays. Criminals, too, might seek to attack traffic lights to ease their getaways from crime scenes or pursuing police cars.

There are even political or financial dangers: a coordinated group could shut down several key intersections in a city and demand a ransom payment. It’s much more disruptive, and easier to get away with, than other ways of blocking intersections, like parking a car across traffic.

Because this type of attack exploits the smart traffic control algorithm itself, fixing it requires joint efforts from both transportation and cybersecurity fields. This includes taking into account one of the broadest lessons of our work: the sensors underlying interactive systems, such as the vehicles in the I-SIG system, aren’t inherently trustworthy. Before engaging in calculations, algorithms should attempt to validate the data they’re using. For example, a traffic-control system could use other sensors – like in-road sensors already in use across the nation – to double-check how many cars are really there.

This is just the beginning of our research into new types of security problems in the smart transportation systems of the future, which we hope will both discover weaknesses and identify ways to protect the roads and the drivers on them.

Qi Alfred Chen, Ph.D. Candidate in Computer Science and Engineering, University of Michigan and Z. Morley Mao, Professor of Electrical Engineering and Computer Science, University of Michigan

This article was originally published on The Conversation. Read the original article.


The media scumbag’s route of choice: A personal history of London’s C2 bus

A C2 bus at Parliament Hill. Image: David Howard/Wikimedia Commons.

London’s C2 bus route, which runs from Parliament Hill, by Hampstead Heath, down to Conduit Street, just off Regent Street, is one of the bus routes recently earmarked for the chop. It has oft been noted that, of all the routes recently pencilled in for cancellation after a consultation late last year, it was the one most likely to survive, for the simple reason that it links liberal suburban north London with BBC Broadcasting House and Soho; it’s thus the route most likely to be used by people who can convince someone to let them report on its imminent demise.

So it would come as no surprise that former Guardian editor Alan Rusbridger took to the Camden New Journal when the consultation began, arguing that it would be a disservice to the local community to discontinue a route where you can always get a seat – seemingly missing the point that the fact you can always get a seat is not a great sign of the route’s usefulness.

It wasn’t always that way. When I left university in 2000, and moved from accommodation near college to up to a rented shared house in N6, the C2 was my bus. I commuted to Soho for sixteen years: for more than a decade from flats around the Swain’s Lane roundabout, and for five years from Kentish Town. While my place of work bounced around from Golden Square to Lexington Street to Great Marlborough, it was always the most convenient way to get to, and from, work; especially given the difference between bus and tube prices.

So when it comes to the C2 I’ve seen it, I’ve done it, and bought the bus pass. And by bus pass, I mean those little paper ones that still existed at the beginning of this century. Not just before contactless, but before Oyster cards.

More importantly, it was before London buses operated a single zone. There was an outer zone, and an inner zone, with different prices. To travel from one zone to another cost £1.30, meaning an all cash commute was £2.60, whereas a paper bus pass was £2.00. That made it worth your while to divert to an early opening newsagents on your way to the bus stop (GK, in my case), even if you only got two buses a day.

It’s a measure of how greatly London’s buses have improved over the last twenty years, since first brought under control of the mayoralty, that pretty much everything about this anecdotage, including the prices, seems faintly mad. But there’s more: back when I started getting that bus down to Stop N, literally at the very end of the route, the C2 used single decker buses with a single door. It’s an appalling design for use in a crowded city, which meant most of any journey was, for most passengers, spent fighting your way up and down the middle of the bus to find a seat, and then back again to get off; or – and this was more likely – fighting your way up the bus to get into standing space the driver insisted was there, before fighting your way, etc.

Such buses – and in my former life in the English Midlands I went to school on one of these buses every day – are perfectly functional where bus stops are infrequent and buses rarely standing room only. But running through Camden Town at rush hour, they’re wholly unfit for purpose.

A Citypacer. Image: RXUYDC/Wikimedia Commons.

It could have been worse. I didn’t know this at the time, but a few years before the C2 route had been run using Optare City Pacers. Those are, let us be frank, not really buses at all, but minibuses. That’s something the reveals the C2’s origins, as a hopper route to the west end largely intended for the daytime use of Gospel Oak’s pensioners in the years immediately before bus privatisation. (The C11 has a similar origin, taking the same constituency from Archway to England’s Lane.)

Once responsibility for London Buses was moved to the newly established mayoralty, things improved dramatically. Under Ken Livingstone it went double decker in 2005, and 24 hour in 2007. Under Boris Johnson it was extended from its once, and future, terminus of Conduit Street to Victoria Station, swallowing up the cancelled sections of the 8 bus; this extension was quietly disposed of a few years later, once it was clear no one would notice. (I did.)

In those years I must have taken a C2 the best part of ten thousand times; but for all the years when I wouldn’t have been able to live without the C2, times have reduced its utility, and not just for me. I’m now a 214 sort of guy: these days the top chunk of the C2 route is duplicated exactly by that other bus, which starts up in Highgate Village and, once it gets to Swain’s Lane, follows the same path until the fork of Kentish Town Road and Royal College Street, opposite the long defunct South Kentish Town tube station.

From a few hundred metres below that point, at Camden Gardens, stop C, the 88 starts. That duplicates the rest of the C2’s route, with the exception of the run down Albany Street and onto Great Portland, for much of which the C2 is the only bus.

So the C2, old friend that it is, is pretty redundant in the age of the hopper fare, which allows you to change buses without paying a second fare. That’s even more true now the C2’s otherwise un-serviced stops are being giving over to a re-routed 88, which will pick up the C2’s most northern leg, by not finishing at Camden Gardens anymore and instead going all the way to Parliament Hill Fields. Which will be nice for it.

All this, however, ignores the best reason for getting rid of the C2 (or rather for merging it with the 88, which is what’s actually happening): that first character. The letter. Who wants a bus route with a letter in front of it when even half the night buses don’t have the N anymore? It’s relic of the route’s aforementioned origins as a ‘Camdenhopper’.

That C is twenty five years past its own utility. It’s just untidy. City Metric hates that sort of thing. Get rid.