Hackers could engineer traffic jams, by using their cars to lie to smart traffic lights

Uhoh. Image: Getty.

The day when cars can talk to each other – and to traffic lights, stop signs, guardrails and even pavement markings – is rapidly approaching. Driven by the promise of reducing traffic congestion and avoiding crashes, these systems are already rolling out on roads around the U.S.

For instance, the Intelligent Traffic Signal System, developed with support from the U.S. Department of Transportation, has been tested on public roads in Arizona and California and is being installed more widely in New York City and Tampa, Florida. It allows vehicles to share their real-time location and speed with traffic lights, which can be used to effectively optimise the traffic timing in coordination with the real-time traffic demand to dramatically reduce vehicle waiting time in an intersection.

Our work, from the RobustNet Research Group and the Michigan Traffic Laboratory at the University of Michigan, focuses on making sure these next-generation transportation systems are secure and protected from attacks. So far we’ve found they are in fact relatively easy to trick. Just one car that’s transmitting fake data can cause enormous traffic jams, and several attack cars could work together to shut down whole areas. What’s particularly concerning is that our research has found the weakness is not in the underlying communication technology, but in the algorithms actually used to manage the traffic flow.

Misleading an algorithm

In general, algorithms are meant to take in a variety of inputs – such as how many cars are in various locations around an intersection – and calculate an output that meets a particular goal – such as minimising their collective delay at traffic lights. Like most algorithms, the traffic control algorithm in Intelligent Traffic Signal System – nicknamed “I-SIG” – assumes the inputs it’s getting are honest. That’s not a safe assumption.

The hardware and software in modern cars can be modified, either physically through the car’s diagnostic ports or over wireless connections, to instruct a car to transmit false information. Someone who wanted to compromise the I-SIG system could hack her own car using such methods, drive to a target intersection and park nearby.


Once parked near the intersection, we’ve found that the attacker could take advantage of two weaknesses in the algorithm controlling the light to extend the time a particular lane of traffic gets a green light – and, similarly, the time other lanes get red lights.

The first vulnerability we found, which we call “last vehicle advantage,” is a way of extending the length of a green-light signal. The algorithm keeps an eye on approaching cars, estimates how long the line of cars is and determines how long it thinks it will take for all the vehicles in a line of traffic to get through the intersection. This logic helps the system serve as many vehicles as possible in each round of light changes, but it can be abused. An attacker can instruct her car to falsely report joining the line of cars very late. The algorithm will then hold the attacked light green long enough for this nonexistent car to pass, leading to a green light – and correspondingly, red lights for other lanes – that is much longer than needed for the actual cars on the road.

We called the second weakness we found the “curse of the transition period,” or the “ghost vehicle attack”. The I-SIG algorithm is built to accommodate the fact that not all vehicles can communicate yet. It uses the driving patterns and information of newer, connected cars to infer the real-time location and speed of older, noncommunicating vehicles. Therefore, if a connected car reports that it is stopped a long distance back from an intersection, the algorithm will assume there is a long line of older vehicles queuing ahead of it. Then the system would allocate a long green light for that lane because of the long queue it thinks is there, but really isn’t.

These attacks happen by making a device lie about its own position and speed. That’s very different from known cyberattack methods, like injecting messages into unencrypted communications or having an unauthorised user logging in with a privileged account. Therefore, known protections against those attacks can do nothing about a lying device.

Results from a misinformed algorithm

Using either of these attacks, or both in concert with each other, can allow an attacker to give long periods of green lights to lanes with little or no traffic and longer red lights to the busiest lanes. That causes backups that grow and grow, ultimately building into massive traffic jams.

A congestion attack on a traffic signal control system.

This sort of attack on traffic lights could be just for fun or for the attacker’s own benefit. Imagine, for example, a person who wants to have a faster commute adjusting his own traffic-light timing, at the expense of other drivers’ delays. Criminals, too, might seek to attack traffic lights to ease their getaways from crime scenes or pursuing police cars.

There are even political or financial dangers: a coordinated group could shut down several key intersections in a city and demand a ransom payment. It’s much more disruptive, and easier to get away with, than other ways of blocking intersections, like parking a car across traffic.

Because this type of attack exploits the smart traffic control algorithm itself, fixing it requires joint efforts from both transportation and cybersecurity fields. This includes taking into account one of the broadest lessons of our work: the sensors underlying interactive systems, such as the vehicles in the I-SIG system, aren’t inherently trustworthy. Before engaging in calculations, algorithms should attempt to validate the data they’re using. For example, a traffic-control system could use other sensors – like in-road sensors already in use across the nation – to double-check how many cars are really there.

This is just the beginning of our research into new types of security problems in the smart transportation systems of the future, which we hope will both discover weaknesses and identify ways to protect the roads and the drivers on them.

Qi Alfred Chen, Ph.D. Candidate in Computer Science and Engineering, University of Michigan and Z. Morley Mao, Professor of Electrical Engineering and Computer Science, University of Michigan

This article was originally published on The Conversation. Read the original article.

 
 
 
 

It’s time to rethink how the British railway network works

Nothing doing: commuters await a long-delayed train. Image: Getty.

The recent meltdowns on Northern and Thameslink not only left many passengers besides themselves with frustration about not being able to get to work on time, if at all. It also led to a firestorm of criticism and condemnation from politicians and media alike.

With the immediate shock of that first Monday morning of the meltdown passed, there’s a now a bigger debate about whether the way that rail services are provided for cities needs some far reaching reform. But before coming to that, the first thing to say – and as we set out in our Rail Cities UK report, launched today – is that the fundamentals for urban rail remain very strong.

Here’s why. All cities want to become denser, more dynamic places which attract the best people to the growth sectors of the economy (including the ‘flat white economy’ of media, communications and information). In order to achieve this, as well as to improve air quality, cities are also reducing space for motorised traffic in favour of space for people.

It’s very difficult to see how this can be achieved without expanding rail networks and their capacity. What’s more, if housing need is to be met without creating more sprawl and traffic congestion, then again its rail that will be key – because it opens up former rail-connected brownfield industrial sites, it extends commuting range, plus housing can be built above or around new or existing rail stations and interchanges.

In some ways there’s nothing new here. From Metroland to Docklands, successful cities have always grown with their rail networks. And to be fair, there is significant investment going into urban rail at present. Northern will get a lot better (the pacers are doomed) and both Merseyside and Tyne & Wear are getting a whole new fleet of trains for their urban rail networks.

However, much (but not all) of this investment is incremental, or replacing rolling stock on its last legs. It stops short of the wider vision for the rail cities that we need.


What would that look like in practice? There comes a point when the biggest cities need more cross-city routes, because running trains in and out of edge-of-centre termini can’t cope with the numbers. That explains the push for Crossrail 2 in London, but also the need for more cross-city capacity in cities like Birmingham (on the Snow Hill route) as well as in Manchester (on the Oxford Road to Manchester Piccadilly corridor, as well as a potential new underground route).

Tram-train technology can also help – allowing the lucky commuter that benefits to get on board at their local station and get off right outside their city centre office on main street in the city centre, rather than piling out at a Victorian railway terminal on the edge of that city centre.

Tram-trains aren’t the only tech fix available. Battery packs can extend the range of existing electric trains deeper into the “look ma, no wires” hinterlands, as well as allow trams to glide through city centres without the expensive clutter of overhead wires.

More mundane but equally useful work to increase capacity through signalling, station, track and junction work offers the opportunity to move to turn-up-and-go frequency networks with greater capacity and more reliability – networks that start to emulate the best of what comparable German rail cities already enjoy. Interlocking networks of long distance, regional express, regional, S-bahn, U-bahn, trams and buses, all under common ticketing.

But in talking about Germany and common ticketing I am now getting back to where I started around the debate on whether some fundamental change is needed on how urban rail networks are provided. Obviously there is a bigger national discussion going on about whether the current structure is just too layered, with too many costly interfaces and too fractured a chain of command. And in addition another, on whether the railway should be publicly or privately owned and operated.

But it’s been heartening to see the growing recognition that – regardless of how these debates are resolved – more devolution for urban and regional services should be part of any solution. That’s not only because fully devolved services have been out-performing comparators both operationally and in passenger satisfaction; it’s because local control rather than remote control from Whitehall will mean that the dots can be joined between rail and housing, between rail and the wider re-fashioning of city centres, and between rail and local communities (for example through repurposing stations as wider hubs for local community use, enterprises and housing). It will also allow for rail and the rest of local urban public transport networks to be part of one system, rather than be just on nodding terms as is all too often the case at present.

The crisis on Northern and Thameslink has been a miserable experience for rail users, affected cities and the rail industry. If any good has come out of it, it is that it shows how important rail is to cities, and opens up a space for some bigger thinking about what kind of rail cities we will need for the future – and how best we can make that happen.

Jonathan Bray is the Director of the Urban Transport Group which represents the transport authorities for the largest city regions. You can read the group’s full report here.