Hacking critical infrastructure looks extremely easy in movies, but up until now, there was some reassurance that it wasn’t as simple as just typing a few keys. A security researcher has uncovered issues in devices that communicate with traffic control systems that make them highly vulnerable to attack.
Anyone could exploit the vulnerabilities to take complete control of these controllers and send fake data to connected traffic control systems, Cesar Cerrudo, CTO of research firm IOActive, wrote in a blog post. According to Cerrudo, the controllers lacked basic security features, such as encrypted communications and authentication, which means attackers could potentially monitor and modify the instructions being sent to the systems. He plans to release details of his research at the Infiltrate conference in Miami later this month.
“Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware,” Cerrudo said.
While the blog post did not identify the vulnerable controllers or the vendor, Cerrudo confirmed via email that the vulnerable system he tested was the Sensys Networks VDS240 wireless vehicle detection system from Berkeley, Calif.-based Sensys Networks. Cerrudo noted that Sensys Networks has over 50,000 devices deployed worldwide, with more than 250 customers in 45 U.S. states and 10 countries, including the United Kingdom, China, Canada, Australia, and France. These devices are in use in “important US cities,” including Washington, DC, New York City, and Seattle. The company did not respond to SecurityWeek’s requests for comment.
It’s important to note that Cerrudo found the issues in devices that communicate with traffic control systems, not the actual systems controlling traffic lights themselves. This may be why the vendor did not seem overly worried when Cerrudo reported the issues through ICS-CERT last year. The vendor told Cerrudo that customers requested that communications between the devices and traffic systems not be encrypted, which is why it had been removed. “There was nothing broken on the system as we did not intend the over the air information to be protected,” Sensys Networks told Cerrudo. The controllers were working as designed.
The response is disconcerting considering that a significant number of customers using these devices happen to be city and state governments, Cerrudo told SecurityWeek in an email.
Cerrudo went to Seattle, New York City, and Washington, D.C. to verify that his tests really did work in real-world deployments of these controllers. For his real-world testing, Cerrudo monitored the communications “without modifying anything, not doing anything illegal, just looking at the wireless data and identifying the devices,” he said in the email.
Since the devices don’t require authentication, attackers could conceivably alter the firmware to make them unable to communicate with the rest of the system. Another form of attack would be self-replicating malware that infects the vulnerable controllers and spreads from device to device. The compromised devices could then be used to launch attacks against traffic control systems at a later date, Cerrudo said. He also tested a potential scenario using a commercially available drone flying at over 650 feet. Considering that drones are increasingly available in the US, “attacks from the sky” could soon be a possibility, Cerrudo warned.
“What worries me the most is that if a vulnerable device is compromised, it’s really, really difficult and really, really costly to detect it,” Cerrudo said, noting there could already be compromised devices out there no one knows about.
There are many ways an attacker could launch this kind of attack, and the vulnerabilities can be exploited from up to a mile or two away with the right equipment. Attacks won’t need expensive tools: Cerrudo said hardware costing $100 or less would be able to do the job. While attackers would have to be physically present near the scene to launch an attack, there are wireless transmitters strong enough to intercept data from 150 feet away, and a more powerful antenna can extend the range even further, provided the attacker has a line of sight to the vulnerable device.
By intercepting the communications and sending false instructions, attackers could make traffic lights stay green for an arbitrary amount of time, or stay red and never change. Electronic signs that connect to these controllers could be tampered with to display incorrect speed limits or incorrect instructions.
“By exploiting the vulnerabilities I found, an attacker could cause traffic jams and problems at intersections, freeways, highways, etc.,” Cerrudo said, noting that the resulting road delays could hold up ambulances, firefighters, or police cars responding to an emergency call.
Sensys Networks also has several resellers that re-brand the same controller, so there are other systems with the same issue, Cerrudo noted. His research didn’t look at similar systems from other vendors, so it is not known at this time whether this is a widespread issue.
“The possibility of a real attack shouldn’t be disregarded, since launching an attack is simple,” Cerrudo warned.