28 comments

[ 3.3 ms ] story [ 77.1 ms ] thread
Immediately reminds me of Hackers 90's movie and hackers establishing "turf" over public resources.
and The Italian Job
Yes! ... at least in the new version (I haven't seen the older version but just noticed it's on Amazon Prime).

What's scary about that scene is that so much of our infrastructure is available on the Internet. There are projects scanning for "support systems" (including the baby monitor in yesterday's story), but most of these system rely on technology that's older and less well maintained than our computer systems.

[1] The Italian Job (2003) - http://www.imdb.com/title/tt0317740/

[2] The Italian Job (1969) - http://www.imdb.com/title/tt0064505/

The original version also - yes, in 1969 - involves hacking the traffic light control computer system to cause chaos in Turin. The elite computer hacker who pulls off this feat by sneaking into the traffic control center and replacing the reel to reel tape on one of the mainframes is played, rather depressingly and entirely to type, by Benny Hill. I guess they didn't have the go-to computer hacker stereotype quite worked out in 1969, but they knew that geeks had potential as comic relief...
From Benny Hill to Dennis Nedry (Jurassic Park) to The Warlock (Die Hard 4), the development of the unheroic hacker stereotype; the heroic ones are slimmer...
I remember back in pre-internet days when BBS file directories were filed with ways to hack stop lights via pulses from a strobe light. Supposedly if you had the right pulse (and the cojones to have a pulsing strobe light on the front of your car) you could mimic the pulse in a siren and get reds to start a process immediately to switch to greens. Different locations had different pulse timings and people would find local ones and upload and aggregate them on some local phreaking BBS'.

Never tried this myself.

Always thought that was an urban legend. I'm not from the US, however in New Zealand the lights would never change as an ambulance/police car went past. They'd just slow down as everyone moved out of their way.

Have witnessed this also for our Prime Minister driving past with a convoy of police and black SUV's.

In the US, these are certainly real. Apparently, some did use strobe lights to signal the traffic lights.

http://en.wikipedia.org/wiki/Traffic_signal_preemption

I vaguely have memories of the state legislator having to pass new laws after the devices were installed because it was not technically illegal to have the emitter in your vehicle.

Usually only certain traffic signals are equipped with the detectors, but they do in fact use strobe lights to trigger the light switch and it does happen immediately. It doesn't work with any emergency lights, though -- a separate, specific strobe light be must installed to trigger the signal.
Just across the pond in Sydney, Australia, one of my earliest jobs was related to the traffic control systems at the Roads and Transit Authority (RTA). I do have the distinct impression that they had wireless communications allowing reprogramming of lights by emergency service vehicles. They also had zero authentication ISDN-based video dialups on major intersections, under-road sensor loops to compile traffic volumes, and had kept a VAX running right through to ~2001 and later. Most of that's probably gone now, but I suppose the wireless traffic manipulation is still about.
Was it the SCATS system by chance? http://www.scats.com.au/
Yep. SCATS is the name of the base system, very successfully exported to many countries overseas, some of which became our later customers. We were focused on third-party provision of complementary products.
I used to try to mimic this by flashing my high beams at them. I don't know if it worked but it sure seemed like it did at least some times.
This has civic benefits with traffic, safety, order. What's not to like?
Hmm maybe Live Free or Die Hard wasn't all that far fetched.
(comment deleted)
> “it was found that all communication is performed in clear text without any encryption nor security mechanism. Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text.”

> Because the sensors’ firmware is also not digitally signed and access to them is not restricted to authorized parties, an attacker can alter the firmware or modify the configuration of the sensors.

Who deploys systems out into the wild these days without even giving a moment of consideration to security? This seems like "amateur hour" systems design. Did not a single engineer step up and say "Hey, uh, guys, do we want to at least take basic steps to obfuscate this stuff?"

Sounds like negligence. Not surprising their vice president of engineering has "nothing more to add to the matter."

Who deploys this? People winning contracts and delivering products. The company even stated that the customers didn't want security so they removed it. This is potentially even true - if you lose the key to a device in the ground, you have to dig it up...

The attitude of "eh, no one is really hacking it" is a common one, and might possibly be the right decision from a business standpoint. And if they get shamed into changing it, they'll issue some sort of patch, or announce the Windows utility is no longer available without credentials, and everyone will rest assured things are OK.

This is really quite common.

>Did not a single engineer step up and say "Hey, uh, guys, do we want to at least take basic steps to obfuscate this stuff?"

Of course they did. But they eventually learned to be "team players", or they moved on to another project.

There's a completely different mindset at work. As web developers, most of the HN population is acutely aware of the need for proper authentication of users and securing communications. The average embedded systems engineer is not. It likely will never even occur to him that someone other than the guy at the other end will want to control his system/hack into it.

This is changing (I'm seeing specifications for new systems that at least have placeholders for "Security"), but it will be slow and painful. Remember that at the low end, there are still engineers who can't understand why everyone isn't writing their programs in Assembly.

Looks like the developer considered security and built it into the product but the customer asked to remove it: “The option for encrypting the over-the-air information was removed early in the product’s life cycle based on customer feedback,”
That's certainly a step up from the olden days, when hackers could turn your computer into a bomb and blow your family to smithereens.
With all the facial recognition software, I wonder why they just don't put a camera on top of the light, recognize traffic coming, and optimize to maximize flow.
Cost, complexity and failure rate.
1. I'm sure it's cheaper than burying the wire sensors in the pavement. 2. The dev cost is amortized over a million intersections. 3. Cameras already exist on many intersections (the red light cameras) 4. Traffic lights are already driven by a computer.

Just think of all the gas savings.

It's even worse, hackers can mess with anything connected directly or indirectly to the internet.