By Cesar Cerrudo @cesarcer
Hacking like in the movies
Probably many of you have watched scenes from "Live Free or Die Hard" (Die Hard 4) where "terrorist hackers" manipulate traffic signals by just hitting Enter or typing a few keys. I wanted to do that! I started to look around, and while I couldn't exactly do the same thing (too Hollywood style!), I got pretty close. I found some interesting devices used by traffic control systems in important US cities, and I could hack them :) These devices are also used in cities in the UK, France, Australia, China, etc., making them even more interesting.
After getting the devices, it wasn't difficult to find vulnerabilities (actually, it was more difficult to make them work properly, but that's another story).
The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less).
I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware. Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.
It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.
What worries me the most is that if a vulnerable device is compromised, it's really, really difficult and really, really costly to detect it. So there could already be compromised devices out there that no one knows about or could know about.
Let me give you an idea of how affected some cities are. The following is taken from the vulnerable vendors' own documentation:
- 250+ customers in 45 US states and 10 countries
- Important US cities have deployments: New York, Washington DC, San Francisco, Los Angeles, Boston, Seattle, etc.
- 50,000+ devices deployed worldwide (most of them in the US)
- Countries include US, United Kingdom, China, Canada, Australia, France, etc. For instance, some UK cities with deployments: London, Shropshire, Slough, Bournemouth, Aberdeen, Blackburn with Darwen Borough Council, Belfast, etc.
- Australia has a big deployment on one of the most important and modern freeways.
As you can see, there are 50,000+ devices out there that could be hacked and cause traffic messes in many important cities.
I knew that the devices I have are vulnerable, but I wanted to be 100% sure that I wasn't missing anything with my tests. Real-life deployments could have different configurations (different hardware/software versions), and it seemed that the vendor provided wrong information when I reported the vulnerabilities, so maybe what I found didn't affect real-life deployments. I put my "tools" in my backpack and went to Seattle, New York, and Washington DC to do some "passive" onsite tests ("no hacking and nothing illegal" :)). Luckily, I could confirm that what I found applied to real-life deployments. BTW, many thanks to Ian Amit for the pictures and videos and for daring to go with me to DC :).
As you may have already realized, I'm not going to share any specific or technical details here (for that, you will have to wait and go to Infiltrate 2014 in a couple of weeks, but you can watch a teaser below :) ).
What I would like to mention is that the vendor was contacted a long time ago (September 2013) through ICS-CERT (the initial report to ICS-CERT was sent on July 31st, 2013). I was told by ICS-CERT that the vendor said that they didn't think the issues were critical or even important. For instance, regarding one of the vulnerabilities, the vendor said that since the devices were designed that way (insecure) on purpose, they were working as designed, and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue. Yes, that was the answer; I couldn't believe it.
Regarding another vulnerability, the vendor said that it's already fixed on newer versions of the device. But there is a big problem: you need to get a new device and replace the old one. This is not good news for state/city governments, since thousands of devices are already out there, and the time and money it would take to replace all of them is considerable. Meanwhile, the existing devices are vulnerable and open to attack.
Another excuse the vendor provided is that because the devices don't control traffic lights, there is no need for security. This is crazy, because while the devices don't directly control traffic control systems, they have a direct influence on the actions and decisions of these systems.
I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn't convince them. In the end I said, if the vendor doesn't think they are vulnerable then OK, I'm done with this; I have tried hard, and I don't want to continue wasting time and effort. Also, since DHS is aware of this (through ICS-CERT), and it seems that this is not critical nor important to them, then there isn't anything else I can do except to go public.
This should be another wake-up call for governments to evaluate the security of devices/products before using them in critical infrastructure, and also a request to providers of government devices/products to take security and security vulnerability reports seriously.
By exploiting the vulnerabilities I found, an attacker could cause traffic jams and problems at intersections, freeways, highways, etc.
It's possible to make traffic lights (depending on the configuration) stay green for more or less time, stay red and not change to green (I bet many of you have experienced something like this as a result of driving during non-traffic hours late at night or being on a bike or in a small car), or flash. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars onto the freeway faster or slower than needed.
These traffic problems could cause real issues, even deadly ones, by causing accidents or blocking ambulances, fire fighters, or police cars going to an emergency call.
I’m sure there are manual overrides and secondary controls in place that can be used if anomalies are detected and could mitigate possible attacks, and some traffic control systems won’t depend only on these vulnerable devices. This doesn’t mean that attacks are impossible or really complex; the possibility of a real attack shouldn’t be disregarded, since launching an attack is simple. The only thing that could be complex is making an attack have a bigger impact, but complex doesn't mean impossible.
Traffic departments in states/cities with vulnerable devices deployed should pay special attention to traffic anomalies when there is no apparent reason and closely watch the devices’ behavior.
"In 2012, there were an estimated 5,615,000 police-reported traffic crashes in which 33,561 people were killed and 2,362,000 people were injured; 3,950,000 crashes resulted in property damage only." US DoT National Highway Traffic Safety Administration: Traffic Safety Facts
"Road crashes cost the U.S. $230.6 billion per year, or an average of $820 per person" Association for Safe International Road Travel: Annual US Road Crash Statistics
If you add malfunctioning traffic control systems to the above stats, the numbers could be a lot worse.