Security researchers say they have discovered a flaw in traffic light control devices that could allow malicious hackers to change signals and cause traffic jams.
Andrew Lemon, a researcher at cybersecurity firm Red Threat, published two blog posts on Thursday detailing the findings of a broader research project looking into the security of traffic controllers.
One of the devices Lemon investigated was the Intelight X-1, where he found a bug that could allow anyone to take full control of the device's traffic lights. Lemon said the bug was very simple and basic, as the device's internet-facing web interface had no authentication capabilities.
“I just couldn't believe it,” Lemon told TechCrunch. “I was just shocked that something so obvious could have been overlooked.”
Lemon said he tried to see if he could create a “The Italian Job”-style scenario in which a hacker would switch all the lights at an intersection to green, but discovered that a different device called a fault management unit could thwart that scenario.
“Signals and timing can be modified, so if you want to set the timing to three minutes one way and three seconds the other way, it can create traffic jams because it's basically a denial of service in the physical world,” Lemon said.
It's unclear how many vulnerable Intelight devices are accessible from the internet, but Lemon said he and his team found about 30 vulnerable devices.
Lemon said he contacted Q-Free, the company that owns Intelight, to report the bug. Rather than act to fix the flaw, Lemon said, Q-Free sent him legal letters, a copy of which he published in his own blog post.
“We only accept vulnerability reports related to currently sold Q-Free products. We do not have the resources necessary to review analysis of older products,” read a copy of the letter, which appears to be signed by Q-Free general counsel Stephen D. Tibbets.
A copy of the letter said that the devices Lemon analyzed are not for sale and that the methods he and Red Threat used to investigate them may violate the Computer Fraud and Abuse Act, an anti-hacking law. The company did not say how Lemon's research violated the law. The letter also asked Lemon and Red Threat to promise not to publicly disclose details of the vulnerabilities because it could harm national security.
“We also urge Red Threat to consider the impact of disclosure on the security of critical infrastructure in which Q-Free devices are used. Contrary to your goal of improving cybersecurity, disclosure of vulnerabilities could facilitate attacks on infrastructure and create liability associated with Red Threat,” the letter said.
Lemon was surprised by the letter, saying, “It really felt like they were just trying to silence me using legal threats and things like that.”
Q-Free did not respond to multiple requests for comment.
Lemon said that during his investigation, he also discovered that traffic control equipment manufactured by Econolite was exposed to the internet and running a potentially vulnerable protocol.
The protocol, called NTCIP, is an industry standard for traffic light control devices. Lemon said that on devices exposed to the internet, it is possible to change values in the system without logging in. These values can control how long a traffic light flashes or set all the lights at an intersection to flash at the same time.
Lemon said he hasn't contacted Econolite because the issues with NTCIP have been known about for some time.
When reached for comment, Econolite's vice president of engineering, Sunny Chakrabarti, confirmed this. Chakrabarti told TechCrunch that the Econolite devices Lemon tested “reached the end of their life many years ago, and all users should replace these older controllers with appropriate new production models.”
“Econolite strongly encourages its customers to follow best practices for network security and access control for all safety-critical equipment and to limit access to such equipment on the open public internet,” Chakravarti said. “The actions that the creator took on the controller would not have been possible if the device had not been exposed to the open internet.”