A security researcher says he found a flaw in a traffic light controller that would potentially allow malicious hackers to change the lights and create traffic jams.
Andrew Lemon, a researcher at cybersecurity firm Red Threat, published two blog posts on Thursday detailing findings from a wider research project investigating the security of traffic controllers.
One of the devices Lemon looked at is the Intelight X-1, where he said he found a bug that allows anyone to take full control of the traffic lights. According to Lemon, the bug is very simple and basic: There is no authentication on the internet-exposed web interface of the device.
“I was just in disbelief,” Lemon told TechCrunch. “I was just shocked that something so glaring could have been missed.”
Lemon said he tried to see if it was possible to trigger a scenario like the one shown in movies like The Italian Job, where hackers switch all lights in an intersection to green. But Lemon said he found that another device, called the Malfunction Management Unit, prevents that scenario from happening.
“You can still make changes to the lights and the timing. So if you wanted to set the timing to be three minutes one way and three seconds the other way. Basically it’s a denial of service in the physical world, so you could clog up traffic,” said Lemon.
It’s unclear how many vulnerable Intelight devices are accessible from the internet. Lemon said he and his team found about 30 exposed devices.
Lemon said he reached out to Q-Free, the company that owns Intelight, to report the bug. Instead of responding and engaging with him to fix the flaw, Q-Free sent him a legal letter, according to Lemon, who published a copy of it in his blog post.
“We only accept vulnerability reports that relate to Q-Free products that are currently offered for sale. We do not have the resources necessary to consider analyses of outdated items,” read the copy of the letter, which appears to be signed by Steven D. Tibbets, Q-Free’s general counsel.
The copy of the letter said that the device Lemon analyzed is not for sale, and that the way he and Red Threat researched it may have been a violation of the anti-hacking law, the Computer Fraud and Abuse Act. The company did not specify how Lemon’s research could have violated the law. The letter then asked Lemon and Red Threat to commit that they would not publish details of the vulnerability because it could hurt national security.
“We also urge Red Threat to consider the impact of publication on the security of critical infrastructure in which Q-Free devices are used. Contrary to your stated aims of improving cybersecurity, publication of vulnerabilities may encourage attacks on infrastructure and generate associated liability for Red Threat,” the letter read.
Lemon said he was surprised by the letter, and that “it really felt like they were just trying to silence me with legal threats and everything.”
Q-Free did not respond to multiple requests for comment.
Lemon said that during his research he also found some traffic controller devices made by Econolite that were exposed to the internet and running a protocol that is potentially vulnerable.
The protocol is called NTCIP and it’s an industry standard for traffic light controllers. Lemon said that for the devices that are exposed on the internet, it is possible to change the values in the system without being logged in. Those values, he said, could control how long the lights flash, or set all the lights in an intersection to flash at the same time.
Lemon said he hasn’t reached out to Econolite because the NTCIP issues were previously known.
Sunny Chakravarty, the vice president of engineering at Econolite, confirmed this when reached for comment. Chakravarty told TechCrunch that the Econolite devices tested by Lemon have been end-of-life “for many years, and all users should replace these older controllers by appropriate newer product models.”
“Econolite strongly recommends that customers follow best practices for network security and access control for all safety-critical equipment and restrict access to such equipment on the open public Internet,” said Chakravarty. “The actions on the controller performed by the author would not have been possible if the device was not exposed to the open Internet.”