Green Lights Forever: Analyzing the Security of Traffic Infrastructure. Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman. 8th USENIX Workshop on Offensive Technologies (WOOT’14), August 19, 2014

Dec 17, 2015


Green Lights Forever: Analyzing the Security of Traffic Infrastructure

Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman

8th USENIX Workshop on Offensive Technologies (WOOT’14) – August 19, 2014

Motivating our investigation

Traffic Lights
- Ubiquitous critical infrastructure

High-level overview of our findings

We evaluated an existing anonymous traffic infrastructure deployment

We discovered numerous issues with the system
- Both the road agency and vendors at fault

The real issue:
- An absence of security consciousness in the field

Outline

Anatomy of a traffic intersection

Security evaluation

Recommendations

How vehicles are detected

More than 80% of intersections detect vehicles

Inductive sensors
- Wired and wireless

Video detection

Microwave, Radar, Ultrasonic, etc.

Inside the traffic cabinet

Malfunction Management Unit (MMU)

Traffic Controller

Light Relays

Malfunction Management Unit

Electrical failsafe

Hand-soldered configuration card
- Physical connections
- Whitelist of valid states

Invalid states trigger an override
- Goes to blinking red lights
- Requires manual reset

Stops 4-way green lights
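
An added example, not taken from the talk or from any vendor's code: a small C model of the failsafe logic this slide describes, where a whitelist of compatible greens is checked on every output state and one invalid state latches the override until a manual reset. The four-channel layout, the card contents and all names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: four signal channels, one bit each (assumed layout). */
enum { CH_NORTH = 1, CH_SOUTH = 2, CH_EAST = 4, CH_WEST = 8, CH_ALL = 15 };
#define NUM_CH 4

typedef enum { OUT_NORMAL, OUT_FLASH_RED } mmu_output;

typedef struct {
    uint8_t compatible[NUM_CH]; /* stand-in for the configuration card */
    bool latched;               /* set on fault, cleared only by manual reset */
} mmu;

/* Card for a plain crossing: N+S may be green together, E+W may be green together. */
void mmu_init(mmu *m) {
    m->compatible[0] = m->compatible[1] = CH_NORTH | CH_SOUTH;
    m->compatible[2] = m->compatible[3] = CH_EAST | CH_WEST;
    m->latched = false;
}

/* Valid only if no active green conflicts with any other active green. */
bool mmu_state_valid(const mmu *m, uint8_t greens) {
    for (int ch = 0; ch < NUM_CH; ch++) {
        bool active = greens & (1u << ch);
        if (active && (greens & CH_ALL & ~m->compatible[ch]))
            return false;
    }
    return true;
}

/* Called on every observed output state; one invalid state latches the override. */
mmu_output mmu_monitor(mmu *m, uint8_t greens) {
    if (!mmu_state_valid(m, greens))
        m->latched = true;
    return m->latched ? OUT_FLASH_RED : OUT_NORMAL;
}

void mmu_manual_reset(mmu *m) { m->latched = false; }

int main(void) {
    mmu m;
    mmu_init(&m);
    printf("N+S green: %d\n", mmu_monitor(&m, CH_NORTH | CH_SOUTH));
    printf("all green: %d\n", mmu_monitor(&m, CH_ALL));
    printf("N+S again: %d\n", mmu_monitor(&m, CH_NORTH | CH_SOUTH));
    mmu_manual_reset(&m);
    printf("after reset: %d\n", mmu_monitor(&m, CH_EAST | CH_WEST));
    return 0;
}
```

The third call shows why the override doubles as a denial-of-service condition: a state that is valid again does not clear the latch, only the reset does.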

Other intersection hardware

Radio communication
- Between controllers
- Back to main server

Video cameras
- Remote inspection

Overview of deployment

Collaborated with a road agency
- Urban area
- Approximately 100 lights total

Provided hardware for testing and access to deployment
- Initial testing all performed under a laboratory setting

As a condition of their involvement:
- Wish to remain anonymous and keep vendors anonymous

Deployment wireless network

Lights networked in a tree
- Single private network
- Data reporting only

Two communication bands
- 900 MHz
- 5.8 GHz

20 dBm with directional antennas

Findings – 900 MHz radios

No encryption enabled on connections
- Relies on proprietary protocol and frequency hopping
- WPA is possible

Default username and password in use

Vendor configuration software
- Requires default username and password to function

Findings - 5.8 GHz radios

Proprietary protocol
- Similar to 802.11 – still broadcasts an SSID
- Network name can be found on a standard laptop

[Figure labels: Traffic Light #1, Traffic Light #2]

Findings - 5.8 GHz radios

No encryption enabled on connections
- Relies on proprietary protocol
- WPA2 is possible

Default username and password in use

Vendor configuration software
- Allows password to be changed
- Assumes single password in use throughout deployment

Connecting to the network

How difficult is it?

1. Purchase 5.8 GHz radio from same vendor
2. Open laptop and find network SSID
3. Enter SSID into radio configuration as roaming slave

Network access at any point allows communication with all traffic light controllers in the deployment

Findings – Traffic controller

Usually controlled physically from the front panel
- No username or password by default
- Access control can be enabled, but is not simple

FTP server with database file for settings
- Unchangeable default username and password

Findings – Traffic controller

Runs VxWorks real-time operating system
- Default build leaves a debug port open
- Controller we tested was vulnerable
- Arbitrary access to read and write memory

Actually, the vendor had already fixed this issue
- The patch report didn’t mention it
- Road agency hadn’t gotten around to updating controllers

Findings – Traffic controller

NTCIP 1202
- National Transportation Communications for ITS Protocol
- Standard defining communications for traffic controllers
- SNMP can be used to manage devices
- Does not provide protection from unauthorized access

Vendor program for remote controller interaction
- Uses NTCIP 1202 to emulate front panel interactions
- Easy to sniff with Wireshark

Controlling the controller

We created a library of commands based on vendor program
- Arrow keys, Number keys, Main Menu button

We then created a C program to act as a “traffic controller shell”

Can manually change settings on the controller
Can also run scripts to automatically perform actions
- Advance lights
- Freeze lights
- Trigger MMU

Putting it all together

We can now:
- Access the network
- Connect to the controller
- Change light states

Next, we wanted to try it out at a real light

Demonstration on Deployment

T-intersection
- MMU defaults to blinking yellows on main road

Required supplies
- 5.8 GHz radio
- Laptop
- AC power

Demonstration on Deployment

Connected to network
Ran controller shell
Changed light on command

Also accidentally triggered MMU twice

What can an attacker really do?

Denial of service
- It’s easy to trigger the MMU to take over
- Requires a technician to manually reset the device

Traffic congestion
- Possible to change timings such that a road becomes backed up

Individual light control
- Speedy getaways just like the movies

Recommendations for road agencies

Follow basic security best practices

Need to enable encryption
- Proprietary protocols do not cut it

Hiding SSIDs is a good idea
Add firewalls to block access to ports you aren’t using
Keep firmware up to date

Change default usernames and passwords

Recommendations for vendors

Enforce security

Require strong wireless security options
Allow and expect usernames and passwords to be changed

Somebody needs to be thinking about security

Vendor Response

Traffic controller vendor responded:
- The company “has followed the accepted industry standard and it is that standard which does not include security”

Worrying for future Vehicle-to-Vehicle/Infrastructure technologies

Concluding Remarks

The real problem here is a lack of security consciousness

Traffic lights underwent a phase change
- Timing electronics to computerized systems
- Standalone devices to wireless networks
- Security did not keep up

Ensuring security of critical infrastructure should be a top priority

Acknowledgements

Many thanks to the anonymous road agency personnel who allowed us access to their network and hardware

Questions?

Branden Ghena

William Beyer

Allen Hillaker

Jonathan Pevarnek

J. Alex Halderman