By Zahid,
Here is how easy it is to hack a traffic light with a laptop.
Compared with the traffic light hacks in movies, the real thing is much easier.
In a paper published this month, security researchers describe how a
series of major security vulnerabilities in traffic light systems
allowed them to seize control of the whole system very easily and very
quickly.
“Our attacks show that an adversary can control traffic infrastructure
to cause disruption, degrade safety, or gain an unfair advantage.”
There are three major weaknesses:
unencrypted radio signals;
the use of factory-default usernames and passwords; and
a debugging port that is easy to attack.
This leaves the network accessible to everyone from cybercriminals to
young hackers.
“The vulnerabilities we discover in the infrastructure are not a fault
of any one device or design choice, but rather show a systemic lack of
security consciousness.”
In an effort to save on installation costs and increase flexibility,
the traffic light system uses wireless radio signals rather than
dedicated physical networking links for its communication
infrastructure; this was the hole the researchers exploited.
“The safety critical nature of traffic infrastructure requires that it
be secure against computer-based attacks, but this is not always the
case.”
WIRELESS SECURITY IN QUESTION
The traffic light systems use a combination of 5.8GHz and 900MHz
radio signals, depending on the conditions at each intersection, for
wireless communication in point-to-point or point-to-multipoint
configurations. The 900MHz links use “a proprietary protocol with
frequency hopping spread-spectrum (FHSS),” but the 5.8GHz version of
the proprietary protocol isn’t terribly different from 802.11n.
The researchers say that anyone with a laptop and a wireless card
operating on the same frequency as the wirelessly networked traffic
light (in this case, 5.8 GHz) could access the entire unencrypted
network.
DEBUG PORT
After gaining access, the next step was to communicate with one of the
controllers in the target network. This was made easy by the fact that
the system’s control boxes run VxWorks 5.5, a version which by default
is built from source with a debug port left accessible for testing.
“By sniffing packets sent between the controller and this program, we
discovered that communication to the controller is not encrypted,
requires no authentication, and is replayable. Using this information,
we were then able to reverse engineer parts of the communication
structure,” the paper reads.
“Various command packets only differ in the last byte, allowing an
attacker to easily determine remaining commands once one has been
discovered. We created a program that allows a user to activate any
button on the controller and then displays the results to the user. We
also created a library of commands which enable scriptable attacks. We
tested this code in the field and were able to access the controller
remotely.”
This debug port allowed the researchers to turn all lights red or to
alter the timing of neighboring intersections, for example to make sure
someone hit all green lights on a given route.
More worrying is the ability of a cybercriminal to perform a
denial-of-service (DoS) attack on controlled intersections by
triggering each intersection’s malfunction management unit with
invalid configurations, which would put the lights into a failure
mode.
SOLUTION TO PROBLEM
Finally, the team called for manufacturers and operators to improve
the security of traffic infrastructure. It recommended that
traffic-system administrators stop using default usernames and
passwords, and stop broadcasting communications unencrypted for
“casual observers and curious teenagers” to see.
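The recommendation above (stop sending controller traffic in the clear) and the paper’s finding that controller commands require no authentication and are replayable can be made concrete with a small simulation. The Python below is an added example, not code from the paper, the researchers or any traffic-controller vendor; the packet layout (a constructed 3-byte header followed by one command byte), the two command codes and the HMAC-with-counter scheme are assumptions chosen for illustration, not the real protocol. It contrasts a controller that checks only packet shape, which accepts a captured packet again and accepts an altered command byte, with one that authenticates each command with a keyed MAC over the command and a monotonic counter, which rejects both.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the wire format. The paper only says that
# command packets differ in their last byte; the real framing is not
# public here, so a 3-byte header plus one command byte is assumed.
HEADER = b"\x01\x02\x03"
CMD_A = 0x10  # hypothetical command code
CMD_B = 0x11  # hypothetical command code
TAG_LEN = 16  # truncated HMAC-SHA256 tag, 128 bits


def build_weak_packet(cmd: int) -> bytes:
    """Unauthenticated packet: header + command byte, nothing else."""
    return HEADER + bytes([cmd])


class WeakController:
    """Models the weakness the paper describes: the controller checks
    only that the packet is well formed, so any copy of a packet is
    accepted again and the command byte can be changed at will."""

    def handle(self, pkt: bytes) -> str:
        if len(pkt) != 4 or pkt[:3] != HEADER:
            return "malformed"
        return f"executed 0x{pkt[3]:02x}"


def build_auth_packet(key: bytes, cmd: int, counter: int) -> bytes:
    """Hardened packet: header + command + 4-byte counter + MAC tag.
    The tag covers everything before it, so neither the command byte
    nor the counter can be altered without the key."""
    body = HEADER + bytes([cmd]) + struct.pack(">I", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class HardenedController:
    """Verifies the MAC with a constant-time compare, then requires the
    counter to be strictly greater than the last accepted one, so a
    captured packet cannot be played back."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def handle(self, pkt: bytes) -> str:
        if len(pkt) != 8 + TAG_LEN or pkt[:3] != HEADER:
            return "malformed"
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        counter = struct.unpack(">I", body[4:8])[0]
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return f"executed 0x{body[3]:02x}"


def demo() -> dict:
    """Runs the same three events against both controllers: a packet
    seen twice, a packet with its last byte changed, and a fresh one."""
    key = os.urandom(32)  # per-deployment shared secret, constructed here
    weak, hard = WeakController(), HardenedController(key)
    results = {}

    captured = build_weak_packet(CMD_A)
    results["weak_replay"] = weak.handle(captured)
    results["weak_altered"] = weak.handle(captured[:-1] + bytes([CMD_B]))

    first = build_auth_packet(key, CMD_A, 1)
    results["hard_first"] = hard.handle(first)
    results["hard_replay"] = hard.handle(first)
    altered = first[:3] + bytes([CMD_B]) + first[4:]
    results["hard_altered"] = hard.handle(altered)
    results["hard_next"] = hard.handle(build_auth_packet(key, CMD_B, 2))
    return results


if __name__ == "__main__":
    for event, outcome in demo().items():
        print(f"{event:13s} -> {outcome}")
```

The MAC and counter give integrity and replay protection only; they do not hide the command from a radio listener, which is why the paper’s second recommendation, encrypting the link, is a separate layer. In a real deployment the counter would have to survive a controller reboot (or be replaced by a challenge from the controller), and the key would need to be per-device rather than a shared factory default, or it would reproduce the default-credential weakness in a different form.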
“While traffic control systems may be built to fail into a safe state,
we have shown that they are not safe from attacks by a determined
adversary,” the paper concluded.
They also warned that devices like voting machines and even connected
cars could suffer similar attacks.