Hundreds of thousands of road traffic sensors and repeater equipment are at risk of attack, researcher says.
LAS VEGAS — DEF CON 22 — Smart traffic sensor systems that help regulate and automate the flow of traffic and lights contain security weaknesses that could be manipulated by hackers and result in traffic jams or even crashes, a researcher showed here today.
Cesar Cerrudo, CTO at IOActive, here at the DEF CON 22 hacker conference, detailed how he was able to build a prototype access point device that could communicate with the network of sensors, repeaters, and access point devices stationed along roads and highways in some major cities in the US. Cerrudo said he found that the devices communicate traffic information wirelessly in clear text and don't authenticate the data they receive, leaving them open to potential sabotage.
He said there are some 200,000 wireless Sensys Networks sensors buried below roadways plus repeaters mounted on poles, mostly in the US. The sensors detect vehicles, and that data ultimately dictates the timing of traffic lights and electronic traffic event alerts on the highway.
"It's about $100 million worth of equipment that can probably be bricked and cause a traffic jam. You can send fake data that there's no traffic there, and cause a big mess."
An attacker would need to know the configuration of the road intersection, for example, where the access point, repeaters, and sensors are stationed. "You can sniff the wireless data, learn how the system was configured, how it was working, and then just launch an attack with fake data." The access point will accept the phony traffic data, he said.
Because the sensors don't authenticate the origin of the data they receive, an attacker could push them malware-laden firmware as an update, for example. Nor is the sensor's firmware digitally signed, he said, leaving the door open for malicious code installation. Cerrudo reported his findings to ICS-CERT, which handles vulnerability disclosures in critical infrastructure systems.
"The problem is the firmware is not encrypted, and the communications channel is not encrypted," Cerrudo said. "That makes the device vulnerable, so anyone can update the firmware wirelessly without encryption."
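As an added illustration (not code from the article, from Cerrudo, or from Sensys Networks), the sketch below shows what authenticating sensor data at the access point looks like: each report carries a per-sensor HMAC tag and a counter, so forged, altered, and replayed reports are dropped. The frame layout, the per-sensor keys, and all names are assumptions made for the example; the article does not describe the real protocol.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (constructed for this example, not the real protocol):
# sensor_id (2 bytes) | counter (4 bytes) | vehicle_present (1 byte) | tag (16 bytes)
HEADER = struct.Struct(">HIB")
TAG_LEN = 16

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def build_report(key, sensor_id, counter, vehicle_present):
    """Sensor side: serialize a detection report and append its MAC tag."""
    body = HEADER.pack(sensor_id, counter, int(vehicle_present))
    return body + _tag(key, body)

class AccessPoint:
    """Receiver side: accept only authentic, fresh reports from known sensors."""
    def __init__(self, sensor_keys):
        self.sensor_keys = sensor_keys   # sensor_id -> provisioned secret key
        self.last_counter = {}           # sensor_id -> highest counter accepted

    def accept(self, frame):
        """Return (sensor_id, vehicle_present) or None if the frame is rejected."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        sensor_id, counter, present = HEADER.unpack(body)
        key = self.sensor_keys.get(sensor_id)
        if key is None or not hmac.compare_digest(tag, _tag(key, body)):
            return None                  # unknown sender, forged or altered data
        if present not in (0, 1) or counter <= self.last_counter.get(sensor_id, -1):
            return None                  # malformed value or replayed report
        self.last_counter[sensor_id] = counter
        return sensor_id, bool(present)

def demo():
    key = bytes(range(32))               # constructed sample key
    ap = AccessPoint({0x0101: key})
    genuine = build_report(key, 0x0101, 1, True)
    forged = build_report(b"\x00" * 32, 0x0101, 2, False)  # sender lacks the key
    altered = genuine[:6] + b"\x00" + genuine[7:]          # "no vehicle" flipped in transit
    return [ap.accept(genuine), ap.accept(genuine), ap.accept(forged), ap.accept(altered)]

if __name__ == "__main__":
    print(demo())
```

A MAC of this kind addresses the origin and integrity of the data; it does not hide the contents from someone listening on the channel.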