Traffic Light Vulnerability Could Let Hackers Cause Massive Gridlock, Alarming Study finds

The big picture: A cybersecurity researcher just exposed a flaw allowing hackers to hijack traffic signals and manipulate light patterns to trigger colossal traffic jams. This is concerning considering reports of hackers targeting public utilities on US soil and beyond are on the rise.

Andrew Lemon from Red Threat revealed his findings in a pair of blog posts published last week. He had been digging into potential vulnerabilities in traffic control systems as part of a larger research project. One device that caught his attention was the Intelight X-1 controller.

Despite being a part of Critical National Infrastructure, the controller was exposed to the internet without authentication. By accessing a specific URL, the researcher could bypass authentication and modify settings, including disabling web security, without logging in. This vulnerability can give unauthorized parties complete control over the traffic light sequences, enabling them to deliberately cause gridlock by manipulating the light patterns.

While Lemon couldn’t actually turn every light green, he said the bug would allow virtually anyone to override the light timing. Setting one direction to three minutes and the other to three seconds could easily create a traffic nightmare, he told TechCrunch. As he put it, “it’s a denial of service in the physical world.”

Lemon and his team were able to find around 30 vulnerable Intelight boxes, but that’s likely just the tip of the iceberg. He says that when he tried to disclose the issue to Q-Free (Intelight’s parent company), they responded with “legal threats and everything.”

Q-Free’s legal counsel in a letter claimed that looking at the device may have violated anti-hacking laws. They also warned that publishing the vulnerability details could “encourage attacks on infrastructure and and generate associated liability for Red Threat.”

In their defense, a Q-Free spokesperson told TechCrunch that the affected Intelight controllers haven’t been produced for almost 10 years. However, they admitted some may still be in use and encouraged customers to reach out for guidance.

But Intelight wasn’t Lemon’s only concerning find. His research also uncovered exposed traffic controllers from Econolite that could be susceptible to attacks via a protocol called NTCIP. By exploiting such devices that are connected to the internet, hackers might change how lights flash or force an entire intersection to flash at the same time.

Lemon’s findings seem to confirm a disturbing trend: cyber vulnerabilities permeating the infrastructure that controls American streets and roadways. This adds to a warning from the White House in March about cyberattacks striking drinking water and wastewater systems across the country.

A report published this month highlighted that ransomware attacks on critical national infrastructure organizations across 14 countries and 15 industries are on the rise as well, with median ransom payments rising a whopping 41 times in a single year.

Masthead credit: Jonatan Hernandez