Hacking Traffic Lights
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
Title |
| |
Title of Series | ||
Number of Parts | 374 | |
Author | ||
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/49777 (DOI) | |
Publisher | ||
Release Date | ||
Language |
Content Metadata
Subject Area | ||
Genre | ||
Abstract |
|
00:00
Asynchronous Transfer ModeInformationComputing platformHacker (term)Mobile appTotal S.A.Conditional-access moduleMessage passingContent (media)Position operatorIdentifiabilityPhysical systemInformation securityCycle (graph theory)Order (biology)SoftwareContext awarenessDataflowObject (grammar)Position operatorMessage passingComa BerenicesMobile appInternet der DingeGreen's functionSign (mathematics)GoogolTotal S.A.Information1 (number)FrequencyMultiplicationMereologyType theoryConnected spaceCartesian coordinate systemComputing platformDifferent (Kate Ryan album)Point cloudMultiplication signStandard deviationNeuroinformatikService (economics)Traffic reportingProjective planeView (database)Public key certificatePoint (geometry)Right angleLatent heatExpert systemSoftware testingHacker (term)State of matterConditional-access moduleDivisorMalwareComputer animation
09:48
Information securityMessage passingHacker (term)Asynchronous Transfer ModeRange (statistics)Computer-generated imageryModule (mathematics)Object (grammar)Conditional-access moduleFunction (mathematics)Suite (music)Front and back endsPhysical systemScripting languageKey (cryptography)Standard deviationSystem programmingProcess (computing)ImplementationBlock (periodic table)AuthenticationConditional-access moduleFunctional (mathematics)Multiplication signAndroid (robot)Physical systemOcean currentContext awarenessExistencePresentation of a groupReal numberHacker (term)Mobile appMoment (mathematics)Information securityCartesian coordinate systemAuthorizationEmailInformationAnalytic continuationLoop (music)PhysicalismForm (programming)Arithmetic meanType theoryRight angleDataflowCycle (graph theory)Order (biology)Scripting languageConnected spaceStandard deviationDifferent (Kate Ryan album)MereologySign (mathematics)Information privacyMessage passingTwitterGreen's functionSoftware6 (number)Front and back endsSimilarity (geometry)Slide ruleDemo (music)Server (computing)Group actionBlock (periodic table)AuthenticationGoodness of fitVideoconferencingCASE <Informatik>Object (grammar)Beta functionSystem callHoaxLetterpress printingComputer animation
19:35
Asynchronous Transfer ModeComputer animation
Transcript: English(auto-generated)
00:00
Hi, welcome everybody. We would like to talk today about a research project we did, Hacking Traffic Lights. And we would like to share our findings and our, well, the things we found in our research. Well, first of all, my name is Vessi Nähle and my colleague's name is Rick van Dijk.
00:20
And we both have been mainly pen testing in the past years, for about seven, eight years. And, of course, we also have our own interests. For example, I like to play around with Internet of Things and the security of it, and innovations like that. And Rick likes to play with malware and investigate that. I would like to, at least one disclaimer, we are no smart traffic experts. We are
00:44
just, well, two guys that are interested in this kind of innovations. So we decided to do research on it. We do use bicycles, because we are Dutch, but that doesn't really help us in our investigation, in our research.
01:02
Well, a small introduction. Well, what we have seen that they are creating a platform, multiple vendors are creating a platform to exchange information between traffic information. For example, road signs can reproduce states on a network, the parking spots, how many are still available and how many are occupied. Other traffic status, for example, is there
01:26
a traffic jam and stuff like that. But they are even trying to connect the traffic lights, the actual traffic light systems to the same network, so it can act well on the messages that are sent on the network.
01:41
And one of the examples is that they actually want to connect the road users to the network as well. For example, cyclists, cars, trucks, and even the rescue vehicles, the emergency vehicles. Well, I have to mention that in this research, we mainly have been focusing on the cyclist. And the reason for this is that, well, there was an app available
02:02
that allows you as a cyclist to install it. And if you are cycling on a road, you will get, well, the time to green will be decreased or maybe even instant green. So because it was available, we focused on that. Well, important fact is that in the
02:20
Netherlands, there are a lot of bicycles, 23 million, and we have a lot of cycling infrastructure. So, well, imagine that on every intersection, there's almost a cycling traffic light. So it's quite important in our country. Well, like I said, we see multiple apps being released. So we are mainly
02:43
interested in the fact that we are able to talk to traffic lights somehow. And for example, how are we able to talk to them? And what if we are able to manipulate it? What is possible and what can we manipulate? So that was pretty interesting. And the reason why we started the research. Well, one of the
03:03
things we see in Netherlands, there's an ongoing partnership. And the goal of that partnership is to realize smart traffic. And the goal is to improve the safety, comfort and traffic flow. Well, a lot of things are happening in that partnership. But some of the things are, for example, the cyclist app that I was talking about.
03:25
They are trying to give the user the ability to install an application on its phone. And when he's cycling on an intersection, the cyclist light time will decrease to go to green or maybe even instantly go to green if there's no other traffic at the intersection. But another thing is, for example, for
03:44
trucks, they are trying to realize a green flow on multiple traffic lights. So the trucks have to stop less, which is, of course, a great idea. And emergency vehicles. Well, that's maybe even the most interesting one.
04:02
Because those will get instantly green if they will be passing a connected traffic light. But also other users of the road users will be notified so that there is a vehicle coming up, an emerging vehicle. An important thing within the partnership is VRIs. VRIs are the systems
04:26
that are actually at an intersection that are actually controlling the actual traffic lights. And they are replacing the old systems for intelligent ones so that it is compatible with the network and that
04:40
this is possible to communicate to it, but also that it is able to send its own information to the network. And what we've seen that currently about 500 IVRIs or VRIs have been replaced for IVRIs, which is about 10% of the total amount of VRIs. And to give you an idea how the things are connected to each other,
05:04
on the right you will see the road users, for example, cars, cyclists or trucks. And they are, well, connected to the network, for example, by using an app, like I said earlier. But it's also possible that it might be an onboard computer within the truck, for example. And those systems are talking to the, well, to cloud services,
05:24
which are also like the apps created by multiple vendors. And in the cloud, the information that is sent to the cloud can be sent onto the network. And for example, to traffic lights. And one of the important things in there is that mostly this is done by using com objects,
05:43
which is a standard that allows you to, well, to communicate with each other within a traffic light network or traffic network. And Rick will be explaining more on that. Cool. So when we initially looked at the first app that allowed users to get the green light, we saw lots of references to com
06:04
objects. And we saw that the app was building com objects with the position stuff like that in it. And for us, it was unclear what those were. So we started googling. And we figured out that it's actually part of the intelligent transport system standard, which is a European standard, there's a different one.
06:21
As far as we know, there's a different one in the US. And there might even be a different one in your country. So important part of this standard are the cooperative awareness messages. So com messages. In the US, they're called basic safety messages. These contain all kinds of
06:40
information about the intelligent transport system. So could be a car telling you, it's speed stuff like that. So when we looked into the, the objects itself, we noticed that they contain lots of different information. So we can see the position, what type of vehicle you are important to
07:04
note, will later we can see why you shouldn't use the station type to determine what a user is and what they can do. But there's also a different container. So there's a high frequency container, which contains data that changes often.
07:21
So stuff like data, the direction, information like that. And there's a low frequency container contain having data that's more static, such as my lights are on or off, or, and this was my history, my path history. But
07:41
more importantly, we came across a special vehicle container. And this, this view container contains information such as I'm a I'm transporting dangerous goods, or I'm in emergency vehicle. And I need to have a green lights right now, stuff like that. So this for us was the point
08:03
where we were like, Okay, can we manipulate this? And can we send this to the traffic lights that are connected to our, to our apps? Well, when we started looking into this, we actually figured out that the intelligent transport system standard already has a security standard
08:20
in it. It's based on public infrastructure, where very simplified, the your your vehicle receives a certificate, the certificate contains information about your vehicle and will not necessarily your identity, but that you are a vehicle and what you are allowed to do, which allows other systems on the road to actually validate what you
08:45
are sending to them. So part of the com messages, and the certificate are the SSP and the ITSAID. So the ITSAID is the intelligent transport system application ID, and it
09:01
describes some basic permissions such as you are allowed to send com messages. And there's a service specific permission that's also in there that allows you to actually say I'm allowed to do this. So for example, I'm an emergency vehicle and I'm allowed to tell the world that I need green lights right now. So every message
09:24
you you send out, you sign and is combined with certificates in order to let other systems on the road identify that the message you are sending them is actually valid, you're allowed to send it, and that
09:40
you actually have the correct permissions to request this. So when we were preparing this presentation, we actually came across some interesting work already that's being done on this. So there's a cool paper by Joseph Kamel, which goes on to assume, let's say authentication authorization is already like, correct.
10:03
What is it? What can we do with a valid car? So can I say to others, like, I'm, I'm putting on the emergency brakes right now, will other cars immediately start breaking? So there's really interesting research being done. There's also some cool software being released in order to look for abuse on the network already. So the
10:25
security for this exists. However, when we started looking into the apps that that Wesley will talk about soon, we noticed that there's still some some work to be done. Yeah, like earlier mentioned, we saw multiple, well,
10:44
Android applications that a cyclist could install on his phone. And if he installs it, and he's he's going to he's approaching an intersection, he will get green, that the time will be decreased to green or he will instantly get green. So when we saw that we were
11:01
like, okay, what's going on? How does this app work? And what is it exactly doing? And what we did, we did the decompile the applications and we saw that common px are being sent over MQTT. And that was pretty interesting. Because if we are able to create those common px ourselves and send it over MQTT, for example, using Python, well, we might be able to
11:23
trick the system. The thing was, at that time, we didn't know what common px exactly were at that time. So we had quite a hard time imitating the behavior and well, making doing it in Python the same and also because the ASN and the protobuf encoding that was done by the application. So, well, during that
11:43
time, when we decided to take another approach, and let's use another tool, which was called Frida. And at that time, it was the first time we used it. Well, and it's really an amazing tool that allows you to, well, look into an application, for example, an existing Android application that's running on an Android device. And for example, print the
12:02
information that's in the function or call other functions and do modifications, for example. So, well, after trying, we were able to print out the become object. And on the right, you can see the snippet of the information. And like Rick was talking about, you see the basic container, the
12:21
station type, and GPS coordinates. So, we were like, this is pretty interesting, what and how the system will react if we are going to manipulate this information. So in order to do so, we also use Frida, and we were able to write the script that's on the left. And what it is doing, it's
12:40
again, just hooking before the publish come function is being called. So the comma object is published on MQTT. Just before that, we modify the information, for example, the speed, the GPS coordinates, and information like that. And our goal was to imitate the behavior that you see in the right, in the image, to let the system
13:02
believe that there is a cyclist cycling on the intersection all the time, and that in a loop. The thing was at that time, we were just recognized as one cyclist. And that was, well, we wanted to bypass it, we wanted to be continuously, well, a loop of cyclists that are passing the intersection. So we are trying to
13:23
bypass that. And well, the way to bypass it was quite simple. Because we found out that just before the, if we just before the comma is being published, disconnect and connect on the MQTT channel, we are recognized as a different and a new cyclist. So by just disconnecting
13:41
and connecting, we are able to, just before every comma was being sent, we are able to, well, act like we are a different cyclist instead of one. So that was cool. We were able to, well, get that flow continuously. Later on, we found another, a similar application, which is also an application. And if you install it,
14:01
for as a cyclist, you will get, well, the time will be decreased, or you will instantly get agreed, depending on the situation at the intersection. But this application was even easier because it was just sending one post request, as you can see in the slide, with similar information that we saw in the previous app, like speed, GPS coordinates, and
14:23
information like that, also the station type. And that was being sent to the server. So somehow this is probably converted, for example, to come by the backend. So we didn't have to take care of that at all. We just have to send one post and the system will react on it. And the interesting thing, there
14:42
was no authentication. So there's no way to distinguish a cyclist from each other within the system. And that was quite an interesting part, because maybe we can, well, fake a lot of cyclists in the city, for example. Well, we wrote a Python script to just send this post with the correct information. And well,
15:03
we recorded the demo on it. And I would like to show the demo. Here you will see a video where we are at a traffic light at a connected traffic light on an intersection. And in this video, there is other traffic at the intersection. And you will see that the system reacts and a waiting sign turns on. But, well,
15:22
it will wait until it goes to green. Well, when it's safe. So that's quite important to note. The safety system stays intact, so it will never turn two lights at green at the same time. So that's that's luckily and good that that's still still in place. Also, we
15:41
recorded a second video also at a traffic light. But in this case, without any other traffic. And as you can see, well, it reacts quite quickly and instantly. If we send one post request, the system instantly turns to green. So it goes quite quickly. So what could we do
16:01
with this vulnerability? Well, it's abuse of functionality. But, well, like we mentioned, it is not able to see multiple cyclists. It's just while using every request and doing an action on that. So what we could do is use the previous script and do it on a lot of traffic lights at the same time, because that system
16:22
was running in 10 cities currently. So you could just interrupt the traffic in a complete city at the time. So in conclusion, I think as we are, the place we are now is that there's
16:40
no real use of the security part of the standard. They are using corporate cooperative awareness messages to determine where vehicles are, but there's no clear distinction on what they are, who you are, or if you even authorized to do so. Luckily, now we're working with the public betas where cyclists are
17:02
being being used. But there are some closed betas going on for trucks for emergency vehicles. And especially those would could pose a real threat for for traffic. Luckily, security
17:21
systems will stay intact. So there's no like hacker style, all the lights green at the same time, cars hitting each other, stuff like that. So just currently, we're able to annoy you, which is already fun. So what the reason we're giving this presentation is, we really believe
17:42
that this is something that's coming, and we need to be sure that this is actually working properly, meaning that authentication authorization are correctly implemented. We've seen it with email, we're still having issues, determining if a mail you've received it actually from the person you received it from. And so it's really
18:03
important that the moment our physical lives, the traffic is being controlled by these systems that this is something that's actually properly working. So we would recommend that site, these apps will start to use some form of
18:20
authentication, at least knowing that there's one person operating one app, if they choose to spoof whatever it is they do, at least we would know they would only be able to control one digital cyclist. And it's, it's becoming more and more important to detect and monitor abuse on the back end of things, meaning that
18:42
the central system receiving all these messages and distributing them to the different traffic lights would need to look for unexpected or implausible behavior, and block users accordingly, which would reduce the impact of somebody trying to manipulate this. And I
19:02
mean, after that, will we need if the moment we have the authentication of authorization under control, we will have to see and look into abuse from a allowed user. But that's the next step. So this is as much as our presentation encompasses. If you have any
19:21
questions and you want to join in the Q&A, it will be on the 6th of August between 1.30 and two o'clock. Or if you need to contact us directly, check it out on Twitter. Thank you. Thank you.