>> Thank you. Okay, thank you for coming. I will be talking about hacking traffic control systems from U.S. and a few other countries. So this is quickly about me, just to make a point that I'm not new in the security business/industry. I have been around for a long time. I've been doing different kinds of research and this is my last research. And I want to give thanks because I got a lot of help from some people, from my company, and when you put everything together, it's a lot of help and it allows you to save a lot of time. Are you curious when you go on the roads of the highway and you look at the highway signs and stuff? You will see a lot of different devices. Most common are the traffic signals and the traffic cameras. But if you pay attention, you will find a lot more different devices around. And I was curious about that and I wanted to research some of them and I didn't know anything about that, so I took a look around. And when I was looking around, I found some news that the Department of Transport from London was going to implement some traffic wireless detection system and it got my attention because London is a big city and these devices are wireless. So it's an interesting technology and possible attack vector. So I started to look around specifically for this technology. It took me a while because they were aquiring the devices from [indiscernible] so is I kept digging and I found out that the vendor name, the maker. It was very interesting because when I kept searching, I found out that it was really widely deployed, mostly in the U.S., but also in a few more countries, so this is information from the customers. They have more than 250 customers worldwide. The customers were like city Department of Transport, State Department of Transport. And in the last piece of news from the vendor, I saw that they state they have 200 thousand wireless sensors deployed worldwide. Most of them are in the U.S.
So you can see, this is an image from the vendor, the deployment around the U.S.
You can see most of the important cities are there, including Las Vegas. For instance, one popular deployment is Washington, D.C. They say 1,300 are installed there in Washington, D.C. When you research, you find documentation and I found a manual, a 100 page user manual and it has just one paragraph about security. So it was a really good indicators that probably these devices weren't really secure. So there was a challenge to cultivate the device because the device is not something you can easily buy around because customers are usually Governments. So what we did was social engineer the vendor saying we needed to do some testing and we needed a couple of devices. Which is weird because when they get involved, they get them by the hundreds. So after some talks, they agreed, so we got a couple of devices and at that time I was in Puerto Rico so I then I shipped them and then came to the U.S. with the devices and then returned to the Argentina and then the U.S. and then Argentina and then back to the U.S. The point is you can easily travel around with these devices without any problems. So what are the devices? I have one here, you can see this small device. So this goes in the road, so basically they are magnetometers, so they detect. They are normally in the natural magnetic field of the Earth and that way it can detect when a car goes over it. So for the technology, you have to make a hole in the road with the sensor and then it's filled with epoxy. So the battery life is ten years. This is what the vendor says. And it TI transceiver, which is CC‑2430 which is pretty common for the specifications. It runs on 2.4gHz and it has a microcontroller by is the MSP430, which is also pretty common. I lost my notes but I think they run TinyOS. So this is, like, a view of how internally the sensor, you have the ‑‑ in the top, the antenna. So below is the electronic board and then the battery and then the plastic that's protecting it. So we open it and there you can see the antenna at the top. Here, we'll push it out between the board, and here is the battery. Here is the transceiver and the microcontroller and then the device that is used for detecting the magnetic inference. And then we have the access point, which is this wide box, as you can see here. You can usually find this on a pole next to the traffic light or sometimes another pole around. So basically what the access point does is get the wireless data from the sensor from the traffic detection and relays it to the traffic control systems. It has a Coldfire processer and also runs software and interfaces with the traffic controller with a pressure car in order to communicate with the traffic systems. Then we have repeaters. I don't have one of that, but it's similar to the access points and the wide box. And basically what it does is to extend the range when the sensors are too far away from the access point. So they transmit on two different channels. One channel they get the information from the sensor and in the other channel they relay the data to the access point. So this is the range for the communication between the sensors and the access point, which is a maximum 150 feet. And then if you want to extend the range, you add the repeaters and the maximum range by vendor recommendation is 1,000 feet. Of course, I mean, if you have equipment antenna, you can probably go further away. How these devices work, well, like I said, the sensor goes in the road, there are configurations. One of those ‑‑ this one, it is at an intersection. So here you have a set of sensors that are used for stop detection. That means that once a car is detected as stopping, they are waiting for the signal, the sensor will detect it. And then you have advanced detection to detect when the car is coming and is waiting far away from the stop bar. So the sensor sends the data to the access point. So basically the traffic system uses this information to know how to best set the timing, for instance, for the green light. If they see there's a lot of traffic, they will set the timing longer, maybe 20 or 30 seconds, depends on the configuration. Also some intersections, probably most of you, some of you have seen these late night, sometimes you are waiting at that intersection and the traffic light won't change or will take a lot to change. Sometimes that's because the detection mechanism is not working very well. So that's the stop bar detection. So when a car is waiting, the traffic control system will set some parameters so that the traffic light will change faster and you get the green light and you can go. This is called the access point connect to the traffic controler by the [indiscernible] and can also connect to some internal network. Another configuration is metering. So this one, you have the detection that will detect when the car is waiting, and also queue detection to measure the length of the queue. Then at the freeway, you have several wireless sensors to ensure that the traffic is in the freeway just before the access ramp to the freeway. So this way the traffic control system knows how to set the proper timing to the ramp meter. If they see there's no traffic at this freeway, they will turn off maybe the ramp meter or they may allow the cars to go faster on the freeway. If there's a lot of traffic, they will allow the cars to go slower on the freeway. Another kind of use is for travel times. So basically you get an array of sensors at some point on the freeway and then maybe or two miles away another array of sensors. What they can do with this technology is to identify a car. So basically they detect the car, they do some possible assessing, and they will create a fingerprint of the car. So after a mile or two, they will re-identify the car so they can know what the travel time for that lane. So that information is the information that you later see on the electronic signals on the freeway. And also it can assess the speed limit. If they see there's a very low speed in some lane, they could slow down just a little. So in order to configure the device is to access the Windows software that basically we have over here. So it is very easy to compile. You get the source code. You get the hard coded root for the access point. So you connect to the access point with this software and then you can access the sensors, too. And you can configure them, install update work, et cetera. And then you have some server software that you can use to concentrate all of the configurations interest the access points from the different intersections. And also the vendor provides a SaaS that allows you to connect to any access point worldwide and look at some information and set some specific configuration. I didn't touch this because it is server-side and of course would be illegal. So the access point goes to a location and it is connected with a traffic system. So basically they don't have any encryption. So all of the wireless communication is cleartext. This was interesting because it took me a while to make this thing work because, I don't know, it took me a while, but when I saw there was no encryption, I told them and they said, yes, it is doing encryption. And the only paragraph I mentioned earlier that I found in the user guide was the next one. So you can read it there. So basically they said the information doesn't carry any comments, it's only data, there's, like, nothing here so there's nothing to attack. That's what I understood because it's really difficult to understand what they tried to say there, but that's the only paragraph about security in the whole user manual. So when I continued insisting that I wasn't seeing any encryption any place, that I wasn't looking at the communication and there was no encryption, they came back after many e‑mails with this answer. You can read it.
>> Right. It's funny because the customers are Government.
>> And I don't know if it's intentional or just a lie from the vendor because the vendor was lying all the time, but this is a really crazy answer. It works at the sign, so there is no issue there.
>> So the other issue is no authentication. So nothing prevents an attacker to access a sensor or to access a repeater. I mean, access point I protect because you have to ascertain the internal network, but sensors and repeaters can be accessed wirelessly. Also, the connection point doesn't indicate the sensor or the repeater, so the access point gave any data that matched the protocol and that matched the address of the sensor, then they would just accept it as data and trust it. So another issue is that the P1 update are not encrypted at all. So basically you can go and change the wire on the sensor or the repeaters. So when I told all of this to the vendor ‑‑ well, this is from ‑‑ the communication from the vendor, when I was looking at different communications for the presentation, I thought, this is what they said to me when I reported the issue. What they said to me when I reported the issue was they were encrypting it in the next version. But what's the problem? If these sensors are built in the road worldwide, because of the architecture being nonexistent, hopefully they update it with encryption without actually changing the sensor. So basically they will have to do a physical replacement to have a secure update. So is let's see about the protocol they used. So basically the standard is 250 port physical level. It's the same as CV and other wireless possibilities. It's very low rate. And this is because it's very low power consumption. And it has 16 channels from 2.4 GFS. And they have their own protocol which is the sensor are wireless protocol, which is a kind of a media access protocol. It's kind of a ‑‑ it's very similar and it's used TDMA. So they divide the timeframe in 64 slots, so the access point to one sensor, okay, you have to transmit with every sensor. They do that and also to optimize the power consumption, so the sensor doesn't need to be awake all the time. So sensors will only listen and transmit during a specific time slot, but the access point will get data at any point. It will get it and process it. So if there is no detection, there's no car around, then it will stop it. The access points just acknowledge when they get detection data from the sensor. If there is not knowledge, then the sensor will retransmit a few times and then will get to sleep. So basically [indiscernible] so these are for the kind of packet, and then the other is for the sequence number. The sequence of packets in its transmission. And the following two bytes are for the address of the sensor because the sensors are identified by these two bytes. So the access point knows from where the data is coming. And then it's the data part. So this is for the type of packet, as you can see. And then there's a space from the access point side, they used what they call hollow code which is used so the sensors can know if they are getting information from the right access point. Because the access point doesn't have a specific address, the sensors will know they are getting the right information by the color‑code. By the channel and the color‑code. So the data is 4 to 50 bytes. So the data that the sensor sends, sometimes the battery level, the thin wire version, the detection of the car, if there is traffic or not, and then from the access point to the sensors and repeaters, you get some configuration data and also configuration information, and also updates. This is 100 packet from the sensor to the access point. That means there is no detection in any event, so basically they transmit every 50 seconds. And this is a slightly different packet which means there's a detection of a car. This is also interest the sensor to the access point when they send the information, like configuration information. Sometimes you can query the sensors with the access point to know how they are configured. So is here they send the channel, the physical address this they get from the factory that you can change, so they receive all this information. And finally, from the access point to the sensor, this is used to synchronize when they say use this timing. So for the [indiscernible], they provide the [indiscernible] which is a format that looks this way. So these two bytes are the address of it. They have it twice. Because when it's running the device, it will copy it to the address which is specified here. If it's running [indiscernible], it will copy the update to the other address and then they will reroute and change. So basically the security mechanism is just one check at the end of each line, which is a very simple check and then you have a check for all of the thin wire which is also an excerpt. So basically you engineer it and then you can update it. The packets for the three‑wire update is very simple, it's just applying the thin wire to the access point, hit the sensors in PY update mode and then you have to broadcast it by the access point. So basically they broadcast every line of the file. You can see here the file ‑‑ okay, that's one line as you can see there, and that is what is broadcasting. So in order to do this research, I needed some hardware because you need the wireless communication and then you have to be able to modify packets, so basically I got USB dongle for sniffing to 802.15.4 protocol, which is this device, it's very small. You can see it here. It's pretty good. You just plug it and it will start working with the dongle provided. And then I go to the programming board, all from Texas Instruments, so you get the programming board, you get the radio transceiver and a sniffer. Just plug in the programming board by USB to the computer and then you have the framework to program it, which is the IAR and then you have the studio and the software. You can see the software, it is for sniffing. So you can see you can start getting the packet. You get the packet from the access point to the sensor. And here you can see the data. And if you know the protocol, you know it's Clear Text because all of the information is there, you have the options. So just look at the type of protocol you want to capture and then set up the radio channel here. And then with the [indiscernible], you have the RF studio, which is pretty cool, you just choose the right receiver and you can manually craft packets. You can also get packets, too. It's just like a complete packet and you can just send one or 100. And finally, the software for programming the device is just coded in C and you can upload the device. It's very simple. So the vendor says there's over 200 thousand worldwide. Most of them in the U.S., I would say, based on my research, maybe 80% are in the U.S. And then you have repeaters also. I have seen the price of the sensors, $500, $600, the access point is $4000, and the repeaters are $1,000 or more. So we're talking about 100 million or more worth of equipment, that probably can be bricked. So you can see there's a huge money impact here. And, of course, you can cause traffic because you can influence the traffic controller system. Because you can lie to the system. You can send fake data and say there's a lot of data here and maybe there isn't any traffic there. Or you can say there's no traffic and in fact there is a lot of traffic. So you can create a whole mess. I remember a years ago there was a conflict with Los Angeles Department of Transportation over the transport traffic machinery and a couple of them had 2 or 4 intersections, but they were the main intersections of the Los Angeles and they created a chaos for 2 days just hacking 2 or 4 intersections. Because, you know, when there's a problem at the intersection, it promulgates over the other intersections and if they are the main of the city, then you have a big mess. Of course, it is based on the traffic configuration. So you can have a simple accident or a really large accident because, you know, when people say they are waiting at the red light and the red light doesn't change and you have there one minute. Okay, one minute is fine. Two minutes, two minutes is still fine. More than two minutes, the cars will start to go anyway. And in that way, you get accidents. So what the U.S. Department of Transportation said, they said that sensors and signal failures increase motorist time and delays, making accidents. This is what the U.S. DOT says. Not me. I have an issue with the vendor because with the communication, what they get back from the vendor was lie. They were saying, there is encryption. I said there is none and they came back and said, yes, there is. So they were lying and saying stupid things. I had a conflict because I did the testing at home with these devices, which is a nonproduction system, so I don't like to make a statement saying, okay, this devices are insecure and maybe when you go to a [indiscernible] side you see that the configurations can be different or they may have different options and what you found is completely inaccurate. So what I did was, with the devices in my backpack and I made them portable because the access point is power over ethernet and I made it USB, so I connected to the portable batteries and then I connected it to the portable Wi‑Fi router, so I point the access point in my backpack and I could access it wirelessly. So I went to Seattle, New York, and when I tested it, it was a testing site, it wasn't a production site, so it wasn't very sure. The same in New York. But when I went to DC, which is a big deployment there, it was a production site, so I did some testing there that I will show you now. So this is New York. It was good because I was next to the New York police.
>> Traffic. So here you can see the marks from the sensors in the street. Those circles are the mark and then in the pole, here is the access point. And this is just, like, three blocks away from the Empire State. So there I basically was pointing with my backpack the sensor because of the directional antenna, so I was pointing with my backpack the sensor.
>> And I was able to access the sensor. I was able to see the configuration of that. And if I wanted, I can could have compromised them, changed it. Which I didn't do it.
>> So there is ‑‑ we see this later, this is the software from the vendor. I put the access point in discovery mode, which queried for some specific channel. So the sensor started to appear on the graphical interface. This is a line, you can see green, that's my sensor which I carried in my backpack. But then, there you can see three more sensors that were there in the road. I can't find ‑‑ okay, I wanted to show there was like 5. So I went to DC and just when we get out there to Union Station, I found a nice surprise because I didn't know there were those in there. So I was looking around outside Union Station and I think it was around the exit ramp and we found some sensors there. There you can see the mark of the sensor. Because maybe if you have been there, it is a really complex intersection. There are, I don't know, how many streets there. And there you can see the access point. So with that configuration, it's for detecting that a car is waiting there at the ramp trying to exit, so it would put faster the green light or if there's no car, it won't get the green light. So you can see that by pointing the sensor. And there I was able to look at the configuration. Basically the wireless data, I could display it in a graphical interface and because I know how to do this, I can see all of the configuration options. So the traffic I was seeing from the access point to the sensor and from the sensor to the access point. But there is another part we went to do some testing, there were a lot of sensors there and a repeater, too. You can see here every line is a sensor expect for one which is a repeater. These are all sensors and this one is the repeater. So just with one I can access there, changes the configuration, do anything, change the channel. And this was, as you can see, two blocks from the Capitol. I mean, there were some weird people that gave us the spooks, but we didn't get any problem. It was weird. The access point and here on the street, the mark of the sensors, and there was a repeater here. So in this way I could prove that I was right with what I was saying, what I informed. So what are the possible attacks? So basically you can do [indiscernible] which is [indiscernible] so you can change the sensor, change the frequency channel, change the thin wire, probably brick them, take packets, but, of course, I will be getting the traffic data. Because if you know how it works and how the guys communicate, you can just send fake data. And in order to do that, I built a special device which I will show you later. It's basically data saying there is traffic here. So in the real world, it's kind of easy because there's a lot of vendor recommendation, press releases, where they say we are implementing this in New York and DC. Based on a lot of public documents, also, from the Government. And the good part is you can specifically know the coordinates of the devices using Google Street view.
>> Here are a couple of repeaters and here are the sensors. This is New York. So you know specifically the GPA is where they are located. So for vendor specification, you need to be at least 1000 feet away in order to attack them, to be able to connect. So one option to connect is being on‑site. So being near the devices so you can send fake data. So what I did was with these, we programmed a sample proof-of-concept I can show you here. So basically, here is the screen, I put the menu there. These are different attacks. One is from creating fake sensors. The other one is to send fake data. I did some ASCII art and you can see.
>> And then I also can send fake data about configuration. I will show you now. So I have here the vendor software, so I will connect to the access point now. So basically here in every line you get the devices which are the sensors there. And you can see there isn't any device there. So just one, which is my sensor. So now I will create a fake sensor. It will be replacing an existing one, maybe [indiscernible] and sending fake data. I will push this button here and you will see the sensors being created. So you can see I'm sending fake data to the access point and it is accepting it as valid data. There are a couple of columns here. Which is that there is a car present at the sensor. And the other is the number of cars being detected. So now what I will do is send fake data about car detection, about traffic. So I push "now" and you will see here the detection number to be increased a lot.
>> [Laughter]. [Applause].
>> So basically the access point is taking this data which is fake, it's made up, and processing it. So this is the data that I would get the traffic control system to make decisions. So if you don't want to be on‑site, what you can do is just program ‑‑ you can see where a transceiver to with a GPS is when you set up the coordinates of the device is, to a car or whatever and just let it go. Because on this you have the map where the buses load, so you can know where to launch the attack automatically by the attached device. Another one I tested and works is from the guy. This is a new service where you can rent drones if you don't have one. So in this case, I attached this to my drone and make it fly at like 350 feet and it worked. And when you have light outside and you have a good antenna, you can go 1,000 feet or more in the sky and launch the attack. Another attack could be to do a thin wire update. So basically you change the firmware and make a worm. And it will detect the sensors that are near, or maybe not near because the sensors will propagate worm, too. When you have the fewer compromises, there's no way to know if you have compromised or not unless you look at the code and see. But if you just use the functionality, you never know if it's compromised or not. Basically you can know in realtime, you can see some media, GPS coordinates on pictures, so you can search people in New York, like right now, and you can compromise the SmartPhone and from the SmartPhone launch an attack. Right now I think it's kind of [indiscernible] but maybe a radio that can be modified by using this protocol and you can have someone else with his cell phone attacking this device. Another kind of creative attack, this is based on immunity. You can use these as a trigger to a bomb. So you finger print one car and then use that later and set that as a trigger to a bomb. So because you see Washington, D.C., maybe you can finger print cadillac one. My final conclusion is that any field guy like me, I live in a small town, many miles from here, can get these devices that are used in other countries and hack them and then you want to hack the U.S. or other countries, the attack tools would cost you $100 or less to build if you buy the part and program it. It's cheap. The Government is buying devices that are being used without testing the security of them. They are just assaulting the crazy claims from the vendors and they are putting it critical infrastructure on and that is happening right now. And finally, when we talk about being smart, if you get devices like this that blindly trust the data, then the city is not very smart is. Kind of stupid.
>> And finally, it is cheap. I'm part of Build It Securley where trying to help the smart vendors to improve the security of the devices. And if you don't know about this, you can check the site and there are step‑by‑step instructions to build secure protocols, et cetera. And that's it. I hope you like it.