ROADS REPORT: Welcome to the age of hacking

The latest Hollywood craze is making its way to the streets

Blog Entry October 07, 2014

David Matthews has been chronicling the unexpectedly humorous side of transportation news for his Roads Report column since 2000. The stories are all true.

Printer-friendly version

Trip the lights fantastic
 

As we’ve learned from the recent Hollywood nude photo scandal, any kind of digital device can be hacked. With all the technology integrated into modern transportation, hacking may soon become a reality for drivers as well. And not just the naked ones.
 

For example, researchers at the University of Michigan found that traffic lights are dangerously easy for hackers to take control of with just a laptop and some radio broadcast equipment.
 

Researchers tested traffic lights and controllers made by a manufacturer found in more than 100,000 U.S. and Canadian intersections.
 

Like most modern traffic signals, the manufacturer’s traffic lights run on a computer network, communicating with one another using radio signals, similar to the Wi-Fi in your home.
 

The controllers, found inside metal boxes at every intersection, operate like your Wi-Fi router—that is if you still use a router from 1998 that doesn’t include encryption or password protection.
 

The research team demonstrated this vulnerability to local transportation officials in May by hacking the traffic lights in an undisclosed Michigan city from a laptop in their truck.
 

Researchers say the problem isn’t the manufacturer’s system; it’s the cities installing the system and choosing not to enable encryption, and often using the default usernames and passwords for their networks that are published in online manuals.
 

Unfortunately, most local governments are strapped for cash and aren’t easily convinced that a manual update to every signal controller is necessary.
 

Old school
 

Not all traffic hacks are high-tech. In fact, this summer a police lieutenant on Martha’s Vineyard hacked the speed limit in his own town just by putting up new signs.
 

Requests for speed-limit changes are supposed to be made to MassDOT, which usually requires the town to conduct a speed study before making any determinations.
 

However, the lieutenant decided that instead of all that rigmarole, he would just contact the city highway department and have them replace some 45-mph signs near a high school with new 35-mph signs.
 

Of course, the reduced speed limit isn’t enforceable without MassDOT’s authorization, so if you receive a speeding ticket in the reduced zone, simply take time off work to challenge your citation, and for a small court fee everything will be cleared up. No big deal.
 

Hack attack
 

Lights and signs aren’t the only vulnerabilities on the road. A recent study found that your car itself could be at risk for hacking.
 

Two researchers (one a director of vehicle security research at a Seattle consultancy and the other a security engineer at Twitter) received an $80,000 grant last fall from the Pentagon to investigate security vulnerabilities in automobiles.
 

The duo then spent the next 10 months examining the technical configurations of 24 different car models to check for potential weaknesses, and then revealed their findings in August at a security conference in Las Vegas.
 

In the researchers’ analysis, the vehicles ranked as “most hackable” were the 2014 models of the Infiniti Q50 and Jeep Cherokee, the 2015 Cadillac Escalade and the 2010 and 2014 Toyota Prius.
 

These models share an inherent security flaw: Critical functions like steering and braking share the same network as features that connect the car to the Internet, like apps, Bluetooth or satellite radio.
 

The researchers said that a flaw in any of those Internet-connected features could create a gateway for hackers to access the features directly controlling the driver’s safety.
 

Say a driver accidentally downloads a virus onto his phone and then connects it to his car via Bluetooth. If the virus spreads to the Bluetooth computer in the car, that could enable hackers to send messages to the other components of the car that share the same network, like “engage the brakes” or “make a hard left.”
 

Fortunately, some cars were found to be less hackable than others. The researchers point to Audi’s A8 as an example of a strong network layout. Its wireless features are separated from its driving functions on its internal network, with a gateway that blocks commands sent to the steering or brakes from any compromised radios.
 

The pair said their goal is to push car companies to be more forward thinking about their security architecture through some old-fashioned methods: public pressure and, if necessary, shame. R&B

Overlay Init