Categories: SecurityWorkspace

Traffic Systems Vulnerable To Hackers Wanting To Cause Road Chaos

Potentially serious vulnerabilities have been uncovered in systems managing traffic across various nations, including the UK, which could allow hackers to cause road accidents, according to a security researcher.

As many as 50,000 devices are vulnerable, said IOActive’s Cesar Cerrudo, who says the affected devices are Sensys Networks VDS240 wireless vehicle detection systems, which are used for monitoring traffic flow and relaying the information to systems that affect traffic lights.

As many as 45 US states are affected, along with another 10 countries. Major UK cities, including London, Aberdeen and Belfast, are using vulnerable systems, according to Cerrudo, who confirmed the flaws could be exploited with real-world tests in Washington DC.

Potential for traffic carnage

The potential impact is severe. Attacks could see traffic lights forced to stay on red or green, which could either cause congestion or accidents, the researcher claimed.

“The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less),” Cerrudo explained in a blog post.

“I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware.

“Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.

“It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.”

He said it was very difficult to detect and fix the issues. Despite contacting the US government’s Industrial Control Systems Cyber Emergency Response Team about the flaws, Cerrudo was told the vendor was unconcerned.

“Another excuse the vendor provided is that because the devices don’t control traffic lights, there is no need for security. This is crazy, because while the devices don’t directly control traffic control systems, they have a direct influence on the actions and decisions of these systems,” Cerrudo added.

Sensys Networks had not responded to a request for comment at the time of publication.

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • I so wish all of the platforms would stop giving "hackers" new ideas for them to work on.

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

2 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

2 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

2 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

2 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

2 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

2 days ago