Hacked traffic lights highlight perils within the Internet of Things

Researchers at the University of Michigan have hacked into a live, networked traffic-signal system, showing how lax security can imperil any embedded system. According to a paper written by the group, they discovered several vulnerabilities in the system's wireless network and its traffic-light controller, which enabled the researchers to alter the state of traffic lights on command.

An unspecified local road agency in Michigan permitted the group to engage in the hacking effort. Altogether, the researchers hacked into nearly 100 wirelessly networked traffic lights and were able to alter their timing or even turn all the lights red.

"The vulnerabilities we discover in the infrastructure are not a fault of any one device or design choice, but rather show a systemic lack of security consciousness," wrote the research group, headed by University of Michigan computer scientist J. Alex Halderman.

During their tests, researchers uncovered three major weaknesses in the traffic-infrastructure deployment: The network is accessible to attackers because of the lack of encryption, devices on the network lack secure authentication because of the use of default usernames and passwords, and the traffic controller is vulnerable to known exploits.

The researchers noted that traffic controllers may communicate with one another and also with a central server to share information on current traffic conditions. In many scenarios, radios--typically operating in the industrial, scientific and medical (ISM) bands at 900 MHz or 5.8 GHz, or in the 4.9 GHz band allocated for public safety--are used in a point-to-point or point-to-multipoint configuration to provide connectivity. The actual system the group investigated employed commercially available radios that operate in the ISM band at either 900 MHz or 5.8 GHz.

"Many of the issues we discovered during our investigation were problems with the wireless network configuration," the researchers said. They noted that the 5.8 GHz radios used in the deployment were more vulnerable to attack than the 900 MHz radios.

"In the case of the 5.8 GHz radios, any attacker with a wireless card capable of 5.8 GHz communication is able to identify the SSIDs of infrastructure networks," the researchers said. They noted that although the 5.8 GHz radios used in the traffic system are not usually sold to the public, "previous work has shown social engineering to be effective in obtaining radio hardware."

One simple tactic to protect the network would be to disable SSID broadcasting. "While this does little to deter a determined adversary, it prevents casual observers and curious teenagers from noticing that the networks exist," according to the researchers. They added that since 5.8 GHz radios support WPA2 encryption, that should be enabled in the field.

Halderman and his group noted that their findings have broad implications for other embedded systems, which are key to the Internet of Things (IoT) concept in which billions of physical objects are equipped with IP addresses for Internet connectivity. The group said connected cars, electronic voting machines and medical devices are all subject to hacking. "Rather than applying weak incremental defenses, leaving security for future work, or shirking responsibility entirely, designers should take a proactive approach to security," the researchers warned.

"Security must be engineered into these devices from the start rather than bolted on later," they added.
