It's Easy To Hack Traffic Lights 144
An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article:
As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.
Welcome to the Information Age! (Score:5, Insightful)
Re:What are they waiting for? (Score:4, Insightful)
Deaths? multiple injured people? Why isn't that secured in the first place? With all the news about stuff getting *hacked*, why are they still doing this?
They are waiting for the first part, because unless there is a big uproar about it (which there won't be until it gets abused enough to cause deaths) it costs too much money to fix.
How this is a surprise to anyone by now is a surprise to me, this has been standard operating procedures with pretty much everyone since computers have come out. That is, security is non existent or an afterthought. Paying money to make sure everything is secure for any sort of attacks/compromise/whatever takes away from the bottom line, so shareholders don't like that stuff. And management is kissing the shareholders ass, so it's not as important.
Now for government work, it's a bidding process and well, you aren't going to make any money on the job by having to hire some sort of computer type to make sure the system is secure. And since the contract probably didn't state it needed to be done, well, this is what we have.
So wait until it gets abused bad enough to kill people, nothing will get done.
Re:Welcome to the Information Age! (Score:5, Insightful)
Next, script kiddies causing couple fender-benders and every municipality having to upgrade traffic light systems at a "I want it yesterday" premium. Then higher property taxes to pay for such monumental lack of planning and foresight.
Re:Welcome to the Information Age! (Score:4, Insightful)
And who will be blamed? Why, the researchers who discovered this incredible negligence, of course! "If you hadn't shown the hackers how to do it, we never would have this problem!"
Re:Welcome to the Information Age! (Score:4, Insightful)
Re:Welcome to the Information Age! (Score:4, Insightful)
No, it's scary how much we still don't care about security. These things could definitely be fixed, we just don't care to fix them. We don't demand security in the first place, we aren't willing to pay for security, and we aren't really willing to fix security when it's broken. People will run around looking for blood for 5 minutes when it's discovered that there are huge security flaws, but nobody will fix them.
Remember all the news when it was discovered that a person could easily and untraceably hack voting machines? Do you think that was ever fixed? The way we use credit cards is insecure. Most email is unencrypted. We use Social Security Numbers as both an identifier and a form of authentication.
Most of what we do is completely insecure, and it's actually kind of amazing how rarely people take advantage of it. But it's really disturbing that we aren't remotely willing to secure things that would be relatively easy to secure, and would solve lots of problems.
Re:Welcome to the Information Age! (Score:5, Insightful)
"we aren't willing to pay for security" It's worse than that. IT also stems from the fact that people in charge. The guys making big bucks making decisions are horribly undereducated.
If you ask the guy that is in charge of the city's traffic lights to explain in detail how the system works he will NOT be able to tell you. We as a society do not put in leadership positions the best and brightest. WE instead promote those that can suck up the best and schmoose the best.
And it's now biting us in the ass because the decision makers in general are dumb as a box of rocks. And when faced with a problem they simply say "I dont know" or try to scream how we need more laws instead of actually learning what the problem is and fixing it.
A lot of easy things are illegal (Score:5, Insightful)
Its probably easy to build a device that gives you green lights as though you were an emergency vehicle. This is definitely illegal.
While I think its irresponsible to design computer systems without basic and reasonable security measures, technology is not the final answer to antisocial behavior. Hacking somebody else's systems is illegal and wrong. Finding (sometimes ) esoteric ways to do it and making it easy for bad guys is just plain foolish.
My friend Neil and I have a law: You know you have enough security when you can't do your job anymore. Requiring the average stop light electrician to now be a computer networking security expert requiring tons of tech support would certainly drive up taxes.
Antisocial behavior is why we have laws and there is a reason we should obey them.