Hacking Traffic Lights

by Anonymous

Ah, the lowly traffic light.

Faithfully rotating through a sequence of colored patterns, hour-by-hour, day-by-day.  Because they are found at nearly every busy intersection, we think nothing special of them.  Even less attention is paid to the nondescript metal cabinet resting just off the side of the road by every traffic light.  This cabinet is generally the size of a refrigerator if standing alone, or a microwave if on a light pole.  Most are unpainted plain metal boxes, designed to not attract attention.  Do not be fooled, friend!  Inside this cabinet, hidden in plain sight, is a wonderland of blinken lights, electronics, and computers!

But alas, the cabinet is locked.  Do not be dismayed!  It is but a simple tumbler, easily conquered.  And if you are lazy, you can purchase a key for a few dollars online, as nearly all cabinets use one of a handful of keys.  If you do obtain a key, you may find that it also opens other nearby cabinets.  Even without a key, the thin sheet metal of the cabinet affords little real security from a determined individual.

Once inside the cabinet, you will find a hacker's dreamland of lights, wires, and switches.  How does all this work?  I am glad you asked!  The heart of it all is the signal controller.  This single machine controls all of the traffic lights.  In the old days, these were mechanical, much like a clock.  Later, microcontrollers were introduced and some still use these.  However, today the trend is toward controllers running embedded Linux.

Oh, did I mention these controllers are often networked together?  Let that sink in a bit.  Across the USA in particular, traffic lights are being controlled by networked Linux computers.  Do you suppose these are installed by security professionals who change default passwords, disable SSH, HTTP admin portals, etc.?  Or are they installed wide open so as to be operated by city or town workers over a supposed "secure" network?

But wait, there's more!  Consider that some traffic lights are remotely accessed via a public IP address and a connection from an Internet provider.  One wonders if a security professional has configured and installed a firewall for these devices?  Some, if not most, traffic controllers can be set with a password.  This is often just a four-digit PIN.  A look around the cabinet and you might even find it sketched on a scrap of paper.

The bottom of the cabinet contains rows of flashing metal "bricks."  These are the load switches which translate the low voltage of the controller signal to the 110 or 220 volts the traffic light needs to operate.  Be very careful!  You will also find several switches on the inside of the cabinet door or just inside the cabinet.  These may be used to reset the signal controller, manually cycle the signal, or place the traffic light in all red flash!  Nearly every modern cabinet has a monitor that will not allow the traffic lights to go "all green" and in general will prevent any dangerous combination of lights from appearing.  If you try, the signal will enter "all red flash" as a protection.  For your own safety, it is best to avoid this section of the cabinet.

Traffic lights are controlled by a combination of "detection" and "timing."  The traffic light may have a timing cycle which runs from one to three minutes.  Within this "cycle," a predetermined slice of the cycle is given to each light.  However, if a vehicle is "detected," more time may be given to a particular light.  Detection may be by buried wire loops which detect the metal of a vehicle.  These wires are fed back to the cabinet into a "detector" (more blinken lights!) that tells the controller a vehicle has arrived.  However, sophisticated camera systems are increasingly in use.  You may find a video monitor in the cabinet which you may use to monitor the video from the camera.  If not, every video system has a processor which can be accessed with any computer via serial or local Ethernet link.  From this interface, you can view and edit the zones where the vehicles are detected.  Microwave radar systems are also used to detect vehicles at traffic signals.  These systems also have processors and, much like the video processors described above, can be accessed from the cabinet (or even remotely if networked).  There are even infrared and AI-powered systems in some locations.

Most of the devices described above communicate over Ethernet.  However, in many cabinets the primary communication protocol is the Synchronous Data Link Control (SDLC) bus.  SDLC is a fascinating protocol from the early years of computer networking.  Unless you have been working with computers for a very long time, you probably have no idea what an SDLC bus is.  As a quick introduction, SDLC is a 1970s-era frame-based data bus created by IBM to network machines over phone lines, satellite, and inter-building links (think Cold War, missile silos and PDP-11s).  Hardly anything modern uses this protocol, save traffic lights.  That said, SDLC is a very robust, well-documented protocol and preserves a good deal of networking history.  Along with SDLC, you will find RS-232 and RS-485 serial protocols commonly used to network within and between cabinets.  As a rule, these protocols work with no authentication or encryption.
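
To make the SDLC frame layout concrete from a monitoring point of view, here is an added example (not part of the original article) that parses captured, already de-stuffed frames, verifies the frame check sequence, and flags station addresses that are not on an expected list.  The station addresses, control bytes, and payloads are constructed for illustration; the check sequence only catches line noise, so the allowlist is a tripwire and not a substitute for authentication.

```python
# Added example: passive check of captured SDLC frames (not from the article).
FLAG = 0x7E  # frame delimiter

def fcs16(data: bytes) -> int:
    """Frame check sequence: CRC-16/IBM-SDLC (reflected 0x1021, init and final XOR 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def parse_frame(raw: bytes) -> dict:
    """Split a de-stuffed frame: flag, address, control, info, FCS (low byte first), flag."""
    if len(raw) < 6 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("not a complete frame")
    body, fcs = raw[1:-3], int.from_bytes(raw[-3:-1], "little")
    return {"address": body[0], "control": body[1], "info": body[2:],
            "fcs_ok": fcs16(body) == fcs}

def review(capture, expected_stations):
    """Return (index, finding) for frames that are damaged or name an unknown station."""
    findings = []
    for i, raw in enumerate(capture):
        frame = parse_frame(raw)
        if not frame["fcs_ok"]:
            findings.append((i, "FCS mismatch"))
        elif frame["address"] not in expected_stations:
            findings.append((i, f"unexpected station 0x{frame['address']:02x}"))
    return findings

def _constructed_frame(address: int, control: int, info: bytes = b"") -> bytes:
    """Build a test vector for the sample capture below."""
    body = bytes([address, control]) + info
    return bytes([FLAG]) + body + fcs16(body).to_bytes(2, "little") + bytes([FLAG])

# Constructed sample: station addresses, control bytes and payloads are made up.
EXPECTED = {0x01, 0x02}
good = _constructed_frame(0x01, 0x10, b"\x00\x0f")
damaged = bytearray(good)
damaged[3] ^= 0x04  # one bit flipped in transit
CAPTURE = [good, _constructed_frame(0x02, 0x10),
           _constructed_frame(0x09, 0x10, b"\x01"), bytes(damaged)]

if __name__ == "__main__":
    for index, finding in review(CAPTURE, EXPECTED):
        print(index, finding)
```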

Traffic cabinets, in the USA at least, are a relic of a simpler time when high security meant a five-pin brass tumbler lock.  The serious truth is that traffic cabinets are ridiculously insecure, physically.  Once physical access is gained, the cabinet is pwned.  Even more disturbing is that if one cabinet in a series of networked cabinets is breached, all of the cabinets are now pwned.  If one of these cabinets has Internet access and this Internet connection is breached, the entire network of traffic signals will be compromised, without the need for physical access.  I should not need to elaborate further on the seriousness of such a situation for public safety.
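
The shared-fate argument above, together with the earlier point about public IP addresses without firewalls, can be turned into a check an agency could run over its own inventory.  This added example (not part of the original article) finds Internet-facing cabinets and lists every cabinet that falls with each one, first on a flat network and then with one filtered link; the cabinet names, addresses, field names, and topology are constructed assumptions.

```python
# Added example: which cabinets share fate with an exposed one (not from the article).
import ipaddress
from collections import deque

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internet_facing(cabinet: dict) -> bool:
    """True when the management address is outside private space and nothing filters it."""
    ip = ipaddress.ip_address(cabinet["ip"])
    return not any(ip in net for net in RFC1918) and not cabinet["firewall"]

def reachable(start: str, links) -> set:
    """Cabinets reachable from `start` over links that have no filtering on them."""
    neighbours = {}
    for a, b, filtered in links:
        if not filtered:
            neighbours.setdefault(a, set()).add(b)
            neighbours.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in neighbours.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(cabinets: dict, links) -> dict:
    """Map each Internet-facing cabinet to every cabinet that falls with it."""
    return {name: sorted(reachable(name, links))
            for name, cab in cabinets.items() if internet_facing(cab)}

# Constructed inventory: names, addresses and topology are made up for illustration.
CABINETS = {
    "cab-1": {"ip": "10.20.0.11", "firewall": False},
    "cab-2": {"ip": "10.20.0.12", "firewall": False},
    "cab-3": {"ip": "203.0.113.7", "firewall": False},  # documentation address as the public IP
    "cab-4": {"ip": "10.20.0.14", "firewall": False},
}
# Each link is (cabinet, cabinet, filtered); the second topology filters one link.
FLAT = [("cab-1", "cab-2", False), ("cab-2", "cab-3", False), ("cab-3", "cab-4", False)]
SEGMENTED = [("cab-1", "cab-2", False), ("cab-2", "cab-3", True), ("cab-3", "cab-4", False)]

if __name__ == "__main__":
    print("flat:     ", exposure(CABINETS, FLAT))
    print("segmented:", exposure(CABINETS, SEGMENTED))
```

Calling `reachable()` with any cabinet name as the start gives the same answer for the physical-access case, where every cabinet is a possible entry point.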

Considering how vulnerable and valuable these systems are, why are we not seeing more attacks?  Either these systems have not caught the eye of would-be attackers, or they have already been compromised.  Which do you think is more likely?
