A cybersecurity researcher has exposed a critical vulnerability in a traffic light controller that could allow attackers to disrupt traffic flow and potentially create gridlock.
Unsecured Traffic Light System Found
Andrew Lemon, a researcher at Red Threat, published his findings after investigating the security of various traffic controller models.
One device, the Intelight X-1, was found to have a glaring security flaw - a complete lack of authentication on its web interface. This essentially grants anyone with internet access full control over the connected traffic lights.
While Lemon couldn't replicate the Hollywood scenario of turning all lights green at an intersection (due to a fail-safe mechanism), he discovered a more concerning possibility.
According to Lemon, the light timings can be manipulated. He said that doing so could generate massive traffic jams, a real-world denial-of-service (DoS) attack.
As an illustration, he told TechCrunch to imagine a traffic light set to green for three minutes in one direction, then three seconds in the other.
"I was just in disbelief. I was just shocked that something so glaring could have been missed," Lemon said.
The extent of this vulnerability is still not clear. Lemon and his team identified roughly 30 Intelight devices accessible online, but the total number remains unknown.
Researcher Silenced with Legal Threats?
Lemon's attempt to responsibly report the flaw to Q-Free, the company that owns Intelight, yielded a shocking response. Instead of fixing the issue, Q-Free sent him a legal letter.
The letter claimed the Intelight X-1 is no longer sold and researching it could violate the Computer Fraud and Abuse Act (CFAA) - although no specific details about the supposed violation were provided.
Q-Free further pressured Lemon to withhold his findings, citing potential national security concerns and potential liability for Red Threat. Lemon said that the company appeared to be more interested in silencing him than in addressing the problem.
Q-Free has yet to respond to requests for comment.
Beyond Intelight: Industry-Wide Concerns
Lemon's research also uncovered potential vulnerabilities in traffic controller devices manufactured by Econolite. These devices utilize the NTCIP protocol, an industry standard with known security weaknesses. For exposed devices, attackers could potentially manipulate settings like light cycle durations or even trigger synchronized flashing across an entire intersection.
Econolite acknowledges the issue but claims the affected devices are outdated and recommends users upgrade to newer models. They also emphasize the importance of proper network security measures and restricting access to critical infrastructure from the open internet.
The Takeaway: A Critical Infrastructure at Risk
This incident highlights a concerning reality - traffic light systems, vital to our transportation networks, are susceptible to cyberattacks.
Lemon's findings urge both manufacturers and users to prioritize effective security measures for traffic control systems. Immediate action is crucial to protect our infrastructure from potential disruption and ensure the smooth flow of traffic.