Dutch Hackers Found A Simple Way To Mess With Traffic Lights


By reverse-engineering apps intended for cyclists, security researchers found they could cause delays in at least 10 cities from anywhere in the world.

In movies like Die Hard 4 and The Italian Job, hijacking traffic lights over the internet looks easy. But real-world traffic-light hacking, demonstrated by security researchers in years past, has proven tougher, requiring someone to be within radio range of every target light. Now a pair of Dutch researchers has shown how hackers really can spoof traffic data to mess with traffic lights easily from any internet connection—though luckily not in a Hollywood style that would cause mass collisions.

At the Defcon hacker conference Thursday, Dutch security researchers Rik van Duijn and Wesley Neelen will present their findings about vulnerabilities in an “intelligent transport” system that would allow them to influence traffic lights in at least 10 different cities in the Netherlands over the internet. Their hack would spoof nonexistent bicycles approaching an intersection, tricking the traffic system into giving those bicycles a green light and showing a red light to any other vehicles trying to cross in a perpendicular direction. They warn that their simple technique—which they say hasn’t been fixed in all the cases where they tested it—could potentially be used to annoy drivers left waiting at an empty intersection. Or if the intelligent transport systems are implemented at a much larger scale, it could potentially even cause widespread traffic jams.

“We were able to fake a cyclist, so that the system was seeing a cyclist at the intersection, and we could do it from any location,” says Neelen. “We could do the same trick at a lot of traffic lights at the same time, from my home, and it would allow you to interrupt the traffic flow across a city.”

Neelen and van Duijn, who are cofounders of the applied security research firm Zolder, say they got curious earlier this year about a collection of smartphone applications advertised to Netherlanders that claimed to give cyclists more green lights when the app is activated. In pilot projects across the Netherlands, cities have integrated traffic signals with apps like Schwung and CrossCycle, which share a rider’s location with traffic systems and, whenever possible, switch lights to green as they approach an intersection. The system functions as a smartphone-based version of the sensors that have long been used to detect the presence of a vehicle waiting at a red light, optimized so that a bike rider doesn’t have to stop.

But given that the information about the cyclist’s location comes from the user’s smartphone, the two researchers immediately wondered if they could inject spoofed data to wreak havoc. “We were just surprised that user input is getting allowed into systems that control our traffic lights,” says Neelen. “I thought, somehow I’ll be able to fake this. I was really curious how they were preventing this.”

As it turns out, some of the apps weren’t preventing it at all. Neelen and van Duijn found they could reverse engineer one of the Android apps—they declined to tell WIRED which apps they tested, since the problems they found aren’t yet fixed—and generate their own so-called cooperative awareness message, or CAM, input. That spoofed CAM data, sent using a Python script on the hackers’ laptop, could tell traffic lights that a smartphone-carrying cyclist was at any GPS location the hackers chose.

Initially, the app whose CAM inputs Neelen and van Duijn spoofed only worked to influence a couple of traffic lights in the Dutch city of Tilburg. In the videos below, the pair demonstrates changing the light from red to green on command, albeit with a delay in the first demo. (The nonexistent bicycle doesn’t always get immediate priority in Tilburg’s smartphone-optimized traffic system.)

Neelen and van Duijn later found the same spoofing vulnerability in another, similar app with a much wider implementation—they say it had been rolled out to hundreds of traffic lights in 10 Dutch cities, although they tested it only in the West Netherlands city of Dordrecht. “It’s the same vulnerability,” Neelen says. “They just accept whatever you put into them.”
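The alternative to accepting "whatever you put into them" is for the receiving side to screen each position report before it counts towards a green-light request. The sketch below is an added example, not code from the article, the researchers or either app: the `Report` record is a simplified stand-in for a CAM, and the speed ceiling, track length and sample coordinates are assumptions.

```python
import math
from dataclasses import dataclass

MAX_CYCLIST_SPEED_MPS = 15.0   # assumed ceiling (about 54 km/h) for a bicycle
MIN_TRACK_POINTS = 3           # assumed: plausible reports needed before priority

@dataclass
class Report:                  # simplified stand-in, not the real CAM encoding
    device_id: str
    ts: float                  # seconds
    lat: float
    lon: float

def haversine_m(lat1, lon1, lat2, lon2):
    r = 6371000.0              # mean Earth radius in metres
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

class TrackFilter:
    """Decides whether a position report may count towards a priority request."""
    def __init__(self):
        self._last = {}        # device_id -> last accepted Report
        self._count = {}       # device_id -> consecutive plausible reports

    def check(self, rep):
        prev = self._last.get(rep.device_id)
        if prev is None:       # a single report never earns priority
            self._last[rep.device_id], self._count[rep.device_id] = rep, 1
            return "building-track"
        dt = rep.ts - prev.ts
        if dt <= 0:            # timestamp did not advance
            return "reject:stale-or-replayed"
        speed = haversine_m(prev.lat, prev.lon, rep.lat, rep.lon) / dt
        if speed > MAX_CYCLIST_SPEED_MPS:
            self._count[rep.device_id] = 0   # track broken; last good fix kept
            return "reject:implausible-speed"
        self._last[rep.device_id] = rep
        self._count[rep.device_id] += 1
        ok = self._count[rep.device_id] >= MIN_TRACK_POINTS
        return "eligible" if ok else "building-track"

def screen(reports):
    f = TrackFilter()
    return [f.check(r) for r in reports]

# Constructed sample: a steady rider, then a device that jumps cities and replays.
SAMPLE = [Report("bike-1", t, 51.56 + 0.00005 * t, 5.09) for t in range(4)] + [
    Report("ghost", 0, 51.56, 5.09), Report("ghost", 1, 51.81, 4.67),
    Report("ghost", 0, 51.56, 5.09)]
```

Plausibility screening of this kind complements authenticating the reporting device; it does not replace it.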

Hacking traffic lights isn’t entirely new, though it’s rarely been so simple. Cesar Cerrudo, a researcher at security firm IOActive, revealed in 2014 that he had reverse engineered and could spoof the communications of traffic sensors to influence traffic lights, including those in major US cities. Researchers at the University of Michigan published a paper the same year on hacking the traffic controller boxes located at street intersections, which receive the inputs from road sensors. The vulnerabilities that Cerrudo and the Michigan researchers found likely affected far more traffic lights than those exposed by the Dutch researchers at Defcon. Cerrudo also says that he tested his technique in San Francisco a year after disclosing it to the affected sensor companies and found that it still worked there.

But those earlier techniques required communicating via radio with the vulnerable equipment, so that a hacker needed to be within radio range, limiting the attack to a range of a couple thousand feet at maximum. Neelen and van Duijn’s technique works remotely over the internet, so it can be carried out at many intersections simultaneously, from anywhere in the world. “This attack sounds very easy to do,” Cerrudo says. “It’s very cool that you can just reverse engineer an app and start sending fake locations about ghost bikes and cause problems with traffic.”

Neelen and van Duijn say they’ve now warned the makers of both apps they found to be vulnerable to their spoofing. In the case of the more widely deployed system, though, they told the company just one month ago.

But even when the vulnerabilities they found are fixed, they say their research should serve as a warning about the more general risks of “smart” transportation infrastructure, as those systems roll out as key parts of optimizing urban traffic beyond a mere convenience for bicycles. “Imagine you could create hundreds of fake trucks across cities. If the wrong traffic lights start turning red, you have an issue, and it would cause huge delays,” van Duijn says. “Now that we’re talking about building these intelligent transport systems, we need to be damn sure to think more about security.”
