In a world of thousands of hackers accessing different data sets, there has been a new object added to the list: traffic lights. In the Netherlands, it is now possible to change the red lights to green.
Two cybersecurity professionalsfrom the Netherlands have found out that it takes just one click to hijack the traffic data to get control over traffic lights. It's not clear if the trick can cause any trouble yet.
A gap to reconsider
Researchers Rik van Duijn and Wesley Neelen, who are also the co-founders of the security services and software firm Zolder, have started their investigation out of curiosity. The advertisement for smartphone applications which turn the traffic lights green for cyclists got quite popular this year in the Netherlands. And the two wanted to check if the applications were completely fitting the purpose of cyclists.
As it turns out, they were not.
"We were able to fake a cyclist, so that the system was seeing a cyclist at the intersection, and we could do it from any location," explained Neelen. They could even manage it from home.
This security gap was not just present in one of the applications. They tried another similar app with a wider implementation. The fake data could be sent to other traffic lights in ten different Dutch cities and the result was just the same.
"They just accept whatever you put into them," Neelen said.
It’s all about reverse engineering
Neelen and van Duijn basically reverse-engineered the apps and created a fake cooperative awareness message called CAM input. The mimicked data was sent by a Python script on the hacker's laptop. That's how it was then delivered to turn traffic lights green, when a smartphone user cyclist was getting close to the location that the hackers chose.
They recorded the trick in two different demos in the city of Tilburg. The first trial included some interaction with a couple of vehicles passing by the intersection.
During the second trial, however, there was no traffic. The professionals established control simply by commanding their laptop which could be done from anywhere with a simple internet connection.
Neelen and van Duijn joined the online DEF CON hacker conference on August 5, to display their findings and results about potential gaps in the country’s intelligent transportation system.