Wednesday, September 17, 2014

Traffic Light Radio

You know that scene in the action movie where the stereotypical "hacker" character hacks into the city "traffic system" so the lights will favor their getaway?  Apparently that's entirely possible. In fact it's so easy it has probably already happened. Something we all assumed was fiction could apparently be accomplished by a 14-year-old with an iPad.

Am I exaggerating?  Sadly, no. While old-school intersection lights once stood alone, running on timers 24/7, modern units are "smarter." Modern systems have traffic sensors, multiple timing schedules, and can even receive data from systems at other intersections. All that input requires them to be networked. Rather than run hard-wired links between intersections, almost all traffic lights are run by a controller that talks to its neighbors over a wireless link. Most of these radios operate in the unlicensed ISM bands at 900 MHz or 5.8 GHz, or in the 4.9 GHz band the FCC allocates to public safety. More here.

The problem is that most of these networks have no passwords and use no encryption. If you can identify the frequency, you can often send data to and receive data from the system. Identifying the signal requires nothing more than a simple packet sniffer and a bit of logical deduction. To quote the now infamous paper by the Computer Science Department at U. of Michigan:
"The systems in question use a combination of 5.8GHz and 900MHz radios, depending on the conditions at each intersection (two intersections with a good line-of-sight to each other use 5.8GHz because of the higher data rate, for example, while two intersections separated by obstructions would use 900MHz). The 900MHz links use "a proprietary protocol with frequency hopping spread-spectrum (FHSS)," but the 5.8GHz version of the proprietary protocol isn’t terribly different from 802.11n."
A layperson might read that reference to 802.11n as encryption. It is not. It refers to IEEE 802.11n-2009, a common wireless networking standard that added MIMO to Wi-Fi. Encryption on an 802.11 network is a separate matter (WEP, WPA or WPA2), and a link can run 802.11n wide open. At the physical layer the standard uses BPSK, QPSK, 16-QAM or 64-QAM modulation. The maximum ERP on these radios is only about 4 watts, but it is certainly feasible to connect to them by line-of-sight from down the block. The 5.8 GHz links were particularly exposed: the Michigan study found none using encryption, and every one broadcast a readily visible SSID. The 900 MHz radios require a 16-bit ID. That sounds like a lot of protection, but a 16-bit integer can take only 65,536 values, and a program that simply tries every one of them will find the right ID in short order.
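To make the 802.11n point concrete, here is an added example (not code from the post or from the Michigan paper) that does what a field survey with a packet sniffer does: it takes raw 802.11 beacon frames, pulls out the BSSID and the advertised SSID, and decides whether the network is open, WEP, WPA or WPA2. The deciding evidence is the "privacy" bit in the capability field plus the WPA/RSN information elements; an HT Capabilities element only tells you the link is 802.11n, which says nothing about security. The two beacons at the bottom are constructed in-line for the demonstration, and the SSIDs and MAC addresses in them are made up.

```python
"""Parse raw 802.11 beacon frames and report what security, if any, each
network advertises. Added example, not from the original post or the Michigan
paper; the sample frames at the bottom are constructed here and the SSIDs and
BSSIDs in them are made up."""
import struct
from dataclasses import dataclass

IE_SSID, IE_HT_CAP, IE_RSN, IE_VENDOR = 0, 45, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 = WPA1 vendor IE
CAP_ESS, CAP_PRIVACY = 1 << 0, 1 << 4       # capability-info bits
MGMT_HDR_LEN, FIXED_PARAMS_LEN = 24, 12     # header; timestamp(8)+interval(2)+capability(2)


@dataclass
class Beacon:
    bssid: str
    ssid: str
    privacy: bool   # capability "privacy" bit: some link-layer encryption is enabled
    wpa: bool       # WPA1 vendor-specific IE present
    rsn: bool       # RSN IE present (WPA2)
    ht: bool        # HT Capabilities IE present, i.e. an 802.11n network

    def verdict(self) -> str:
        # 802.11n (HT) is irrelevant here; only the privacy bit and the WPA/RSN IEs count.
        if self.rsn:
            return "WPA2"
        if self.wpa:
            return "WPA"
        if self.privacy:
            return "WEP"        # privacy bit set but no WPA/RSN IE: legacy WEP
        return "open"


def parse_beacon(frame: bytes) -> Beacon:
    """Parse a beacon without a radiotap header; raise ValueError on anything else."""
    if len(frame) < MGMT_HDR_LEN + FIXED_PARAMS_LEN:
        raise ValueError("too short for a beacon")
    # Frame control low byte: bits 2-3 = type (0 management), bits 4-7 = subtype (8 beacon)
    if frame[0] & 0xFC != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])      # Address 3
    (caps,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)
    ssid, wpa, rsn, ht = "", False, False, False
    off = MGMT_HDR_LEN + FIXED_PARAMS_LEN
    while off + 2 <= len(frame):                    # walk the tagged parameters (TLVs)
        eid, ln = frame[off], frame[off + 1]
        body = frame[off + 2 : off + 2 + ln]
        if len(body) != ln:
            raise ValueError("truncated information element")
        off += 2 + ln
        if eid == IE_SSID:
            ssid = body.decode("utf-8", "replace")
        elif eid == IE_HT_CAP:
            ht = True
        elif eid == IE_RSN:
            rsn = True
        elif eid == IE_VENDOR and body.startswith(WPA_OUI_TYPE):
            wpa = True
    return Beacon(bssid, ssid, bool(caps & CAP_PRIVACY), wpa, rsn, ht)


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, extra_ies) -> bytes:
    """Assemble a minimal 802.11n beacon so the parser can be exercised offline."""
    hdr = (bytes([0x80, 0x00])          # frame control: management / beacon
           + b"\x00\x00"                # duration
           + b"\xff" * 6                # DA: broadcast
           + bssid + bssid              # SA, BSSID
           + b"\x00\x00")               # sequence control
    caps = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, caps)   # timestamp, beacon interval, capability
    ies = [(IE_SSID, ssid), (IE_HT_CAP, b"\x00" * 26)] + list(extra_ies)
    return hdr + fixed + b"".join(bytes([eid, len(body)]) + body for eid, body in ies)


# Constructed sample capture: two 802.11n links, one wide open and one on WPA2-PSK (CCMP).
RSN_IE = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("02c0deadbe01"), b"INTERSECTION-LINK-A", privacy=False, extra_ies=[]),
    build_beacon(bytes.fromhex("02c0deadbe02"), b"INTERSECTION-LINK-B", privacy=True,
                 extra_ies=[(IE_RSN, RSN_IE)]),
]


def audit(frames):
    """Return (bssid, ssid, verdict) per beacon: the lines a drive-by survey would log."""
    return [(b.bssid, b.ssid, b.verdict()) for b in map(parse_beacon, frames)]


if __name__ == "__main__":
    for bssid, ssid, verdict in audit(SAMPLE_FRAMES):
        print(f"{bssid}  {ssid!r:24}  {verdict}")
```

On real hardware the frames would come from a monitor-mode interface (for example a pcap of channel 149-165 on 5.8 GHz, with the radiotap header stripped before calling `parse_beacon`); the decision logic is the same. Note that a "WPA2" verdict only means encryption is enabled, not that the passphrase is strong.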

The logic for locking down your network is the same logic that leads you to lock your front door and your car. The problem here isn't mischievous hackers; it's simply a lack of foresight.