Traffic Control Systems Are Vulnerable to Hackers


IOActive Labs CTO Cesar Cerrudo recently warned that devices used by traffic control systems in several major U.S. cities contain vulnerabilities that make them surprisingly easy to breach (h/t Computer Business Review).

"The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems," Cerrudo writes. "Basically, anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less)."

Cerrudo ran a successful test attack from a drone flying at over 650 feet, and notes that an attack could also be launched by infecting the devices with malware. "What worries me the most is that if a vulnerable device is compromised, it's really, really difficult and really, really costly to detect it," Cerrudo writes. "So there could already be compromised devices out there that no one knows about or could know about."

By leveraging the vulnerabilities, Cerrudo says, an attacker could make traffic lights stay green for a longer or shorter time, stay red and not change to green, or flash. "It's also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed," he writes.

Vulnerable vendors, Cerrudo writes, serve more than 250 customers in 45 U.S. states and 10 countries. Affected U.S. cities include New York, San Francisco, Los Angeles, Boston, Seattle, and Washington, D.C.

According to Cerrudo, ICS-CERT notified one vendor of the vulnerabilities in September of 2013, but the vendor "didn't think the issues were critical nor even important."

"This should be another wake up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously," Cerrudo writes.

Cerrudo will present his findings at the INFILTRATE conference in Miami Beach, Fla., on May 16, 2014.