July 18th, 2024

Give Me the Green Light Part 1: Hacking Traffic Control Systems

The author uncovers a critical vulnerability in a traffic controller's web interface, allowing unauthorized access to manipulate traffic signals. Vendor response was dismissive, leading to community support and plans for a CVE.


The blog post discusses the author's exploration of vulnerabilities in traffic control systems, starting with responsible disclosure attempts and progressing to a critical vulnerability in the web interface of a traffic controller. The vulnerability allowed access to the controller without any authentication, potentially enabling an attacker to manipulate traffic signals and disrupt the flow of vehicles. Despite reporting the issue to the vendor, the response received was dismissive, citing the product's end-of-life status and implying that the findings were not valid for responsible disclosure. The author decided not to engage further with the vendor and instead shared the experience on LinkedIn, receiving significant support from the community. The post concludes with the author's intention to pursue a CVE for the identified vulnerability and hints at future blog posts exploring traffic controller setups and the significance of authentication bypasses in the context of the NTCIP protocol.

14 comments
By @magmastonealex - 7 months
This is a great introduction to the mess that is traffic signal controllers!

The reality is perhaps even worse than the article suggests. The majority of signal controllers support the NTCIP "standard" MIBs in addition to the "proprietary" MIBs that are provided through FreeTheMIBs. These "standard" MIBs are defined in standards like NTCIP 1202[1], which are freely available online through the NTCIP group.

These standard MIBs let you set/get all kinds of fun settings... put the lights into flash, change timing settings, set "preempts" to give yourself a green light, and more.

The standard also strongly suggests that all vendors use a default SNMP community name of "public". That means, for any traffic controller you happen to find on a network, you can almost certainly change tons of scary settings without even needing to _exploit_ anything!

I've been working in the industry for quite some time, and it's genuinely scary how poorly secured some of this infrastructure is and how slowly things move when issues are found.

(Disclaimer: I work in the industry, not for any of the companies discussed in the article, and all these views are my own and not those of my employer)

[1]: https://www.ntcip.org/file/2019/07/NTCIP-1202v0328A.pdf

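The comment above makes the point that community-string SNMP (v1/v2c) carries no authentication at all, so a controller left on the default community accepts configuration writes from anyone who can reach it. The following is an added example, not code from the comment, the article, or any NTCIP vendor: a small Python parser for the SNMPv1/v2c message header that a defender can run over captured UDP/161 payloads to flag datagrams that use the default "public"/"private" communities or carry a SetRequest. The tiny BER encoder, the community name "nms-ro-7f3a", and the sample OID (sysDescr.0) are constructed for the example.

```python
"""Flag SNMPv1/v2c datagrams that use default communities or carry SET requests.

Added example: parses only the message header (version, community, PDU type),
which is all that is needed to spot unauthenticated writes on the wire.
"""
from typing import Tuple, List

# PDU tags from RFC 3416 (context-specific, constructed).
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}
SYSDESCR_OID = bytes.fromhex("2b06010201010100")  # 1.3.6.1.2.1.1.1.0 (sysDescr.0)


def tlv(tag: int, payload: bytes) -> bytes:
    """Minimal BER encoder (short-form length only) used to build sample traffic."""
    assert len(payload) < 128, "short-form BER length only"
    return bytes([tag, len(payload)]) + payload


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_message(version: int, community: str, pdu_tag: int,
                  oid: bytes, value: bytes) -> bytes:
    """Build a single-varbind SNMPv1/v2c message (constructed sample input)."""
    varbind = tlv(0x30, tlv(0x06, oid) + value)
    pdu = tlv(pdu_tag,
              tlv(0x02, b"\x01")        # request-id
              + tlv(0x02, b"\x00")      # error-status
              + tlv(0x02, b"\x00")      # error-index
              + tlv(0x30, varbind))     # variable-bindings
    return tlv(0x30, tlv(0x02, bytes([version]))   # 0 = v1, 1 = v2c
                     + tlv(0x04, community.encode())
                     + pdu)


def inspect_datagram(datagram: bytes) -> dict:
    """Parse the header of one SNMP datagram and list the risky properties found."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version_bytes, pos = read_tlv(body, 0)
    _, community_bytes, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)

    version = int.from_bytes(version_bytes, "big")
    community = community_bytes.decode("latin-1")
    findings: List[str] = []
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{community}'")
    if pdu_tag == 0xA3:
        findings.append("SetRequest over community-string SNMP (no authentication)")
    return {"version": version, "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02x}"),
            "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a read from a monitoring system, and an
    # unauthenticated write using the default community.
    samples = [
        build_message(1, "nms-ro-7f3a", 0xA0, SYSDESCR_OID, tlv(0x05, b"")),
        build_message(1, "public", 0xA3, SYSDESCR_OID, tlv(0x04, b"x")),
    ]
    for d in samples:
        print(inspect_datagram(d))
```

In practice the datagrams would come from a packet capture or a span port on the signal network; anything reported with a SetRequest finding that does not originate from the central management system is worth an alert, and a default-community finding on any device is a configuration item to fix regardless of who sent it.
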
By @teeray - 7 months
If we’re as serious about cybersecurity as all the noise that gets made about it indicates, we really need legal immunity for unsolicited responsible disclosure. You shouldn’t have any ability to beat someone with the CFAA who is trying to help you.
By @moritonal - 7 months
Sounds like the company realised they can't solve the issue in 90 days. Betting a combination of infrastructure scale problems, terrible tech, no-longer-building old solutions, no maintenance fees built in and contractors who hate them. So they pulled the only lever they had left, which was the lawyers.

Same time, RedThreat's email was kinda (maybe rightly) hostile. Read from the other side it's basically "You have 90 days to work (/maybe pay) me before you start hearing your name on TikTok under the label 'wanna hack the city?'".

"Work with your team" leaves a ton of negotiating opportunity for a company that obviously does this for a living and expects to make money somewhere.

By @bitwize - 7 months
Just what we need to tie up the cops so we can rollerblade into Grand Central Station and hack the Gibson to get the garbage file that will exonerate Joey!

https://m.youtube.com/watch?v=yhVDhcuRY1I

By @_qua - 7 months
That's an embarrassing letter from the company.
By @23july2024 - 7 months
Part 2 article goes into a bit more detail, but the funniest thing is that they requested access to the SNMP MIBs of the controller and never got them

> I requested MIBs from Q-Free but didn’t receive any follow-up after the request and I never received access to the MIBS, so it was back to square one.

Then you go look at https://www.freethemibs.org/advocates and... there they are, "advocates" for free MIB access. What clowns.

By @the_real_cher - 7 months
Why wouldn't defcon allow this to be presented?
By @mcswell - 7 months
Can you turn all the lights at a given intersection green at the same time?
By @slantedview - 7 months
The legal threat letter from the vendor is among the most insane examples I've read. They only consider something a valid vulnerability if the reporter can demonstrate they obtained the equipment through a legitimate recorded sale? What on earth does that have to do with the existence of a vulnerability?
By @johnohara - 7 months
This blog post is dated 5 days prior to The Intelligent Transportation Society of America's publishing of its Cybersecurity and Transportation Safety Issue Brief.

The original author of the blog post was invited to speak at an ITSA.ORG conference, and present through the eyes of an attacker. Thus, the perspective he posits.

There is nothing untoward in his observations but I can see why DefCon might hold off on letting him present his findings.

The ITSA is based in Washington D.C. and has a fairly large membership consisting of state DOTs (primarily western U.S.), tech companies, car companies, engineering design companies, consulting firms, etc.

Their vision is a better future transformed by transportation technology and innovation. Safer. Greener. Smarter. For all.

A lot of automation is factored into that vision including the use of autonomous vehicles, high-speed inter-connected systems, their attendant technologies, and of course, cyber-security.

Personally, I'm dismayed the U.S. is only now awarding grants for these studies. Maybe the whole thing got sidetracked when our focus shifted to COVID, I don't know. But it does seem as though we're behind the private and governmental initiatives going on in Asia.

1: https://itsa.org/

2: https://itsa.org/wp-content/uploads/2024/07/Cybersecurity-an...

3: https://itsa.org/wp-content/uploads/2023/01/2026-ITS-America...

By @jeffbee - 7 months
If you just want a green light an easier way to get one is to flash the infrared strobe pattern that gives fire trucks green lights. Seems simpler.
By @sdwr - 7 months
This has been bothering me for a while.

Security people act like it's their duty to expose every vulnerability, and that companies are negligent if they don't harden themselves against all attack vectors, while they are responsible for a good part of the danger.

Out in meatspace, I don't wander around picking random people's locks, making smug posts about how vulnerable their houses are (along with their address). Nobody would be happy about that, no matter what color hat I have on.

Security is a twin-engine racket, based on the pillars of

- assumed intellectual superiority
- the actual protection racket part