by Peter High, published on Forbes
Cesar Cerrudo is Chief Technology Officer for IOActive Labs, a security consultancy with a global presence and deep expertise in hardware, software, and wetware assessments. He leads the team in producing ongoing, cutting-edge research in areas including Industrial Control Systems/SCADA, Smart Cities, the Internet of Things, and software and mobile device security. He has also hacked into the devices used by traffic systems in Washington, DC, New York, Seattle, and San Francisco, and found profound vulnerabilities in each. He surmises that a sophisticated hacker who, unlike him, had malevolent intentions could just as easily bring major world cities to a standstill by knocking traffic lights off their timers.
Upon discovering these vulnerabilities, Cerrudo shared his findings with the cities he had tested along with representatives from the US federal government, and he was surprised to find that the response was lukewarm at best. He has indicated that there are few cities in the world that are taking these risks seriously enough, but herein, he provides some thoughts on how they might mitigate these risks, and he also has advice for the average person on how they might mitigate their own cyber security risks.
Peter High: Cesar, last year you traveled to Washington, DC, set yourself up on Capitol Hill, and then hacked the city’s traffic system. You had done the same in Manhattan prior to that. What did the ease with which you were able to do so tell you about the vulnerabilities of the US capital and the US financial capital?
Cesar Cerrudo: First of all, I would like to clarify that I did not hack any city traffic system! What I did was, in a lab, hack some devices used by traffic systems. Then I did some passive tests (not hacking, because it would be illegal) to prove that the same devices used in cities around the world were really vulnerable. What I found in lab tests was right. What I did was look at the devices’ wireless communications and configuration to make sure the security problem really existed in a real deployment. I had positive results, but I did not perform any attack.
The tests I did were easy to do, and doing attacks would be easy too. You just need to have specific hardware that does not cost more than $100 and know the wireless protocol used by the devices. With that hardware and knowledge, doing tests and attacks is pretty simple and can even be done from many feet away, since the devices use wireless communications.
High: In terms of worst-case scenarios, what would be the outcome if a bad actor were to undertake what you did and draw it out further?
Cerrudo: The worst-case scenario would be that traffic lights, ramp meters, and the like would use improper timing and cause traffic problems. An attack could consist of sending fake information about current traffic to traffic systems so that they make wrong decisions and actions, making traffic lights set improper times for red or green light durations. If an attacker can do this at a critical intersection, traffic problems propagate many blocks away, making the problem worse. Depending on the amount of traffic and the time of day, the situation could get really bad, causing traffic jams and accidents.