Vulnerable Traffic Systems Focus Of San Antonio Project

Oct 31, 2017

Your morning commute is guided by invisible forces in the form of sensors, electronic traffic signs and lights. As complex traffic systems become more and more integrated, the potential for traffic-fueled calamity increases, say cyber security experts.


In May of 2016, drivers in Dallas woke up to a strange sight: Someone had hacked a number of roadside Texas Department of Transportation signs and put in their own message about then-candidate Donald Trump.

“Donald Trump is a shape shifting lizard!!” read the sign. Dallas drivers were unscathed by the stunt that made the rounds on social media.

But some asked: What if that roadside sign had warned people that a road was closed when it wasn’t? What if someone made all the lights in the city red?

This isn’t theoretical for Allen Hillaker. In 2014, he and a few of his classmates at the University of Michigan proved just how real it could be.

“As soon as we got onto the network, we had control of any traffic light that was connected,” he said. They partnered with an undisclosed local government, and it opened their eyes to just how vulnerable those traffic systems were.

Diagram of undisclosed local government's traffic architecture.
Credit Allen Hillaker

“Just about everything that was deployed, default username and passwords were in use, which meant anyone with a little bit of Google knowledge, and knowledge of the manufacturer of the device would be able to log in, if they could find a connection.”

The city they hacked didn’t use WiFi, but a special kind of point-to-point radio system, so the team had to use an extra set of the radios to hack in.

Some traffic systems are centrally controlled, others let lights and sensors work autonomously. Some use wireless radios to network, while some use Ethernet. And some aren’t connected at all. And with hundreds of vendors and few standards, cities can configure traffic systems in a lot of different ways.

For instance, according to Dan Zajac at Southwest Research Institute, Texas systems can do some traffic routing and control live camera feeds, but don’t connect to stop lights. The big problem is that traffic centers are slow to adopt cyber security.

“Some are doing very little. Some are doing quite a bit. And the whole idea is to try and level-set across the nation. Try to figure out how we can help the small people that don’t have huge amounts of budgets and dedicated people and staff,” Zajac said.

Zajac is principal investigator on the project, which hopes to help secure these systems. The team just got $750,000 from the Transportation Research Board to create a tool that tells traffic planners across the country what to do with what systems.

“Basically the end product is going to be a web-based tool that will allow the user to log into the system and then go through an inventory checklist of equipment they have, systems they have — network topology,” Zajac said.

Think of it like an online recipe generator, he said. You put in the ingredients you have (or in this case the types of traffic system hardware you have) and the computer spits out instructions on what to do to get secure.

These kinds of hacks take some time and the payoff isn’t huge, said Allen Hillaker, a cyber security consultant. He questioned how popular a target these systems are currently, but with automated cars on the horizon, smart, networked infrastructure is going to play a bigger and bigger role, Hillaker added.

“From what we saw, it sounded like the bare minimum is a good starting point,” he said.

Southwest Research has partnered with Austin-based cyber security firm Praetorian on the project. It is funded for two years.