In movies like Die Hard 4 and The Italian Job, hijacking traffic lights over the internet looks easy. But real-world traffic-light hacking, demonstrated by security researchers in years past, has proven tougher, requiring someone to be within radio range of every target light. Now a pair of Dutch researchers has shown how hackers really can spoof traffic data to mess with traffic lights easily from any internet connection—though luckily not in a Hollywood style that would cause mass collisions.
At the Defcon hacker conference Thursday, Dutch security researchers Rik van Duijn and Wesley Neelen will present their findings about vulnerabilities in an “intelligent transport” system that would allow them to influence traffic lights in at least 10 different cities in the Netherlands over the internet. Their hack would spoof nonexistent bicycles approaching an intersection, tricking the traffic system into giving those bicycles a green light, and showing a red light to any other vehicles trying to cross in a perpendicular direction. They warn that their simple technique—which they say still isn’t fixed in all the cases where they tested it—could potentially be used to annoy drivers left waiting at an empty intersection. Or if the intelligent transport systems are implemented at a much larger scale, it could potentially even cause widespread traffic jams.
“We were able to fake a cyclist, so that the system was seeing a cyclist at the intersection, and we could do it from any location,” says Neelen. “We could do the same trick at a lot of traffic lights at the same time, from my home, and it would allow you to interrupt the traffic flow across a city.”
Neelen and van Duijn, who are cofounders of the applied security research firm Zolder, say they got curious earlier this year about a collection of smartphone applications advertised to Netherlanders that claimed to give cyclists more green lights when the app is activated. In pilot projects across the Netherlands, cities have integrated traffic signals with apps like Schwung and CrossCycle, which share a rider’s location with traffic systems and, whenever possible, switch lights to green as they approach an intersection. The system functions as a smartphone-based version of the sensors that have long been used to detect the presence of a vehicle waiting at a red light, optimized so that a bike rider doesn’t have to stop.
But given that the information about the cyclist’s location comes from the user’s smartphone, the two researchers immediately wondered if they could inject spoofed data to wreak havoc. “We were just surprised that user input is getting allowed into systems that control our traffic lights,” says Neelen. “I thought, ‘somehow I’ll be able to fake this.’ I was really curious how they were preventing this.”
As it turns out, some of the apps weren’t preventing it at all. Neelen and van Duijin found they could reverse engineer one of the Android apps—they declined to tell WIRED which apps they tested since the problems they found aren’t yet fixed—and generate their own so-called Cooperative Awareness Message, or CAM, input. That spoofed CAM data, sent using a Python script on the hackers’ laptop, could tell traffic lights that a smartphone-carrying cyclist was at any GPS location the hackers chose.
Initially, the app whose CAM inputs Neelen and van Duijn spoofed only worked to influence a couple of traffic lights in the Dutch city of Tilburg. In the videos below, the pair demonstrates changing the light from red to green on command, albeit with a delay in the first demo. (The nonexistent bicycle doesn’t always get immediate priority in Tilburg’s smartphone-optimized traffic system.)
Neelen and van Duijn later found the same spoofing vulnerability in another, similar app with a much wider implementation—they say it had been rolled out to hundreds of traffic lights in 10 Dutch cities, although they only tested it in the West Netherlands city of Dordrecht. “It’s the same vulnerability,” Neelen says. “They just accept whatever you put into them.”