Presentation is loading. Please wait.

Presentation is loading. Please wait.

Green Lights Forever Analyzing the Security of Traffic Infrastructure Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman.

Published byGordon Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Green Lights Forever Analyzing the Security of Traffic Infrastructure Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman."— Presentation transcript:

1 Green Lights Forever Analyzing the Security of Traffic Infrastructure Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman 8 th USENIX Workshop on Offensive Technologies (WOOT’14) – August 19, 2014

2 Motivating our investigation 2 Traffic Lights Ubiquitous critical infrastructure

3 High-level overview of our findings We evaluated an existing anonymous traffic infrastructure deployment We discovered numerous issues with the system Both the road agency and vendors at fault The real issue: An absence of security consciousness in the field 3

4 Outline Anatomy of a traffic intersection Security evaluation Recommendations 4

5 How vehicles are detected 5 > 80% of intersections detect vehicles Inductive sensors Wired and wireless Video detection Microwave, Radar, Ultrasonic, etc.

6 Inside the traffic cabinet 6 Malfunction Management Unit (MMU) Traffic Controller Light Relays

7 Malfunction Management Unit 7 Electrical failsafe Hand-soldered configuration card Physical connections Whitelist of valid states Invalid states trigger an override Goes to blinking red lights Requires manual reset Stops 4-way green lights

8 Other intersection hardware 8 Radio communication Between controllers Back to main server Video cameras Remote inspection

9 Overview of deployment Collaborated with a road agency Urban area Approximately 100 lights total Provided hardware for testing and access to deployment Initial testing all performed under a laboratory setting As a condition of their involvement: Wish to remain anonymous and keep vendors anonymous 9

10 Deployment wireless network Lights networked in a tree Single private network Data reporting only Two communication bands 900 MHz 5.8 GHz 20 dBm with directional antennas 10

11 Findings – 900 MHz radios No encryption enabled on connections Relies on proprietary protocol and frequency hopping WPA is possible Default username and password in use Vendor configuration software Requires default username and password to function 11

12 Findings - 5.8 GHz radios Proprietary protocol Similar to 802.11 – still broadcasts an SSID Network name can be found on a standard laptop 12 Traffic Light #1 Traffic Light #2

13 Findings - 5.8 GHz radios No encryption enabled on connections Relies on proprietary protocol WPA2 is possible Default username and password in use Vendor configuration software Allows password to be changed Assumes single password in use throughout deployment 13

14 Connecting to the network How difficult is it? 1.Purchase 5.8 GHz radio from same vendor 2.Open laptop and find network SSID 3.Enter SSID into radio configuration as roaming slave Network access at any point allows communication with all traffic light controllers in the deployment 14

15 Findings – Traffic controller Usually controlled physically from the front panel No username or password by default Access control can be enabled, but is not simple FTP server with database file for settings Unchangeable default username and password 15

16 Findings – Traffic controller Runs VxWorks real-time operating system Default build leaves a debug port open Controller we tested was vulnerable Arbitrary access to read and write memory Actually, the vendor had already fixed this issue The patch report didn’t mention it Road agency hadn’t gotten around to updating controllers 16

17 Findings – Traffic controller NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices Does not provide protection from unauthorized access Vendor program for remote controller interaction Uses NTCIP 1202 to emulate front panel interactions Easy to sniff with Wireshark 17

18 Controlling the controller We created a library of commands based on vendor program Arrow keys, Number keys, Main Menu button We then created a C program to act as a “traffic controller shell” Can manually change settings on the controller Can also run scripts to automatically perform actions Advance lights Freeze lights Trigger MMU 18

19 Putting it all together We can now: Access the network Connect to the controller Change light states Next, we wanted to try it out at a real light 19

20 Demonstration on Deployment T-intersection MMU defaults to blinking yellows on main road Required supplies 5.8 GHz radio Laptop AC power 20

21 Demonstration on Deployment Connected to network Ran controller shell Changed light on command Also accidentally triggered MMU twice 21

22 What can an attacker really do? Denial of service It’s easy to trigger the MMU to take over Requires a technician to manually reset the device Traffic congestion Possible to change timings such that a road becomes backed up Individual light control Speedy getaways just like the movies 22

23 Recommendations for road agencies Follow basic security best practices Need to enable encryption Proprietary protocols do not cut it Hiding SSIDs is a good idea Add firewalls to block access to ports you aren’t using Keep firmware up to date Change default usernames and passwords 23

24 Recommendations for vendors Enforce security Require strong wireless security options Allow and expect usernames and passwords to be changed Somebody needs to be thinking about security 24

25 Vendor Response Traffic controller vendor responded: The company “has followed the accepted industry standard and it is that standard which does not include security” Worrying for future Vehicle-to-Vehicle/Infrastructure technologies 25

26 Concluding Remarks The real problem here is a lack of security consciousness Traffic lights underwent a phase change Timing electronics to computerized systems Standalone devices to wireless networks Security did not keep up Ensuring security of critical infrastructure should be a top priority 26

27 Acknowledgements Many thanks to the anonymous road agency personnel who allowed us access to their network and hardware 27

28 Questions? Branden Ghenabrghena@umich.edu William Beyerwbeyer@umich.edu Allen Hillakerhillaker@umich.edu Jonathan Pevarnekjpevarne@umich.edu J. Alex Haldermanjhalderm@eecs.umich.edu Green Lights Forever: Analyzing the Security of Traffic Infrastructure

Download ppt "Green Lights Forever Analyzing the Security of Traffic Infrastructure Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman."

Similar presentations

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.
DSL-2730B, DSL-2740B, DSL-2750B.

DSL-2730B, DSL-2740B, DSL-2750B.
DAP-1520 FAQ’s Wireless AC750 Dual Band Range Extender.

DAP-1520 FAQ’s Wireless AC750 Dual Band Range Extender.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
DSL-2870B How to Change ADSL Username and Password in your modem router How to Change Wireless Channel in your modem router How to Open Ports in your modem.

DSL-2870B How to Change ADSL Username and Password in your modem router How to Change Wireless Channel in your modem router How to Open Ports in your modem.
LANs and WANs. 2 Chapter Contents Section A: Network Building Blocks Section B: Wired Networks Section C: Wireless Networks Section D: Using LANs Section.

LANs and WANs. 2 Chapter Contents Section A: Network Building Blocks Section B: Wired Networks Section C: Wireless Networks Section D: Using LANs Section.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.

Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.
N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.

N ETWORK S ECURITY Presented by: Brent Vignola. M ATERIAL OVERVIEW … Basic security components that exist in all networks Authentication Firewall Intrusion.
Wireless Router Setup. Internet Cable Internet Cable (Blue) Machine Cable (Yellow) Power Plug (Black) Reset Button (Red)

Wireless Router Setup. Internet Cable Internet Cable (Blue) Machine Cable (Yellow) Power Plug (Black) Reset Button (Red)
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Chapter 9 Connecting to and Setting up a Network

Chapter 9 Connecting to and Setting up a Network
Improving Security. Networking Terms Node –Any device on a network Protocol –Communication standards Host –A node on a network Workstation 1.A PC 2.A.

Improving Security. Networking Terms Node –Any device on a network Protocol –Communication standards Host –A node on a network Workstation 1.A PC 2.A.
1 Wireless LANs. 2 Introduction Types of Communication Networks. LAN’s Configurations. Wireless Technology. –Definition. –Applications. –Example. Communications.

1 Wireless LANs. 2 Introduction Types of Communication Networks. LAN’s Configurations. Wireless Technology. –Definition. –Applications. –Example. Communications.
LECTURE16 NET 301. HOW TO SET UP A SECURE LOCAL NETWORK Step 1: Identify Your Networking Needs This is a very important step.the key considerations are:

LECTURE16 NET 301. HOW TO SET UP A SECURE LOCAL NETWORK Step 1: Identify Your Networking Needs This is a very important step.the key considerations are:
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.
Connecting to Secure Wi-Fi in QSB Boardroom Locations 01 September 2013.

Connecting to Secure Wi-Fi in QSB Boardroom Locations 01 September 2013.
WLAN What is WLAN? Physical vs. Wireless LAN

WLAN What is WLAN? Physical vs. Wireless LAN
Dainis Krakops’ Wireless Network MOTOROLA SURFboard SB5101 CABLE MODEM Enables cable operators to provide broadband Internet connection for my LAN devices.

Dainis Krakops’ Wireless Network MOTOROLA SURFboard SB5101 CABLE MODEM Enables cable operators to provide broadband Internet connection for my LAN devices.

Similar presentations

Ads by Google