Systems across the UK could be abused by hackers to cause delays or even accidents, claims researcher
Potentially serious vulnerabilities have been uncovered in systems managing traffic across various nations, including the UK, which could allow hackers to cause road accidents, according to a security researcher.
As many as 50,000 devices are vulnerable, said IOActive’s Cesar Cerrudo, who says the affected devices are Sensys Networks VDS240 wireless vehicle detection systems, which are used for monitoring traffic flow and relaying the information to systems that affect traffic lights.
As many as 45 US states are affected, along with another 10 countries. Major UK cities, including London, Aberdeen and Belfast, are using vulnerable systems, according to Cerrudo, who confirmed the flaws could be exploited with real-world tests in Washington DC.
Potential for traffic carnage
The potential impact is severe. Attacks could see traffic lights forced to stay on red or green, which could either cause congestion or accidents, the researcher claimed.
“The vulnerabilities I found allow anyone to take complete control of the devices and send fake data to traffic control systems. Basically anyone could cause a traffic mess by launching an attack with a simple exploit programmed on cheap hardware ($100 or less),” Cerrudo explained in a blog post.
“I even tested the attack launched from a drone flying at over 650 feet, and it worked! Theoretically, an attack could be launched from up to 1 or 2 miles away with a better drone and hardware equipment, I just used a common, commercially available drone and cheap hardware.
“Since it seems flying a drone in the US is not illegal and anyone will be able to get drones on demand soon, I would be worried about attacks from the sky in the US.
“It might also be possible to create self-replicating malware (worm) that can infect these vulnerable devices in order to launch attacks affecting traffic control systems later. The exploited device could then be used to compromise all of the same devices nearby.”
He said it was very difficult to detect and fix the issues. Despite contacting the US government’s Industrial Control Systems Cyber Emergency Response Team about the flaws, Cerrudo was told the vendor was unconcerned.
“Another excuse the vendor provided is that because the devices don’t control traffic lights, there is no need for security. This is crazy, because while the devices don’t directly control traffic control systems, they have a direct influence on the actions and decisions of these systems,” Cerrudo added.
Sensys Networks had not responded to a request for comment at the time of publication.
Are you a security pro? Try our quiz!