green lights forever analyzing the security of traffic infrastructure branden ghena, william beyer,...
Post on 17-Dec-2015
219 Views
Preview:
TRANSCRIPT
Green Lights ForeverAnalyzing the Security of Traffic Infrastructure
Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek,and J. Alex Halderman
8th USENIX Workshop on Offensive Technologies (WOOT’14) – August 19, 2014
High-level overview of our findings
We evaluated an existing anonymous traffic infrastructure deployment
We discovered numerous issues with the systemBoth the road agency and vendors at fault
The real issue:An absence of security consciousness in the
field
3
How vehicles are detected
5
> 80% of intersections detect vehicles
Inductive sensorsWired and wireless
Video detection
Microwave, Radar, Ultrasonic, etc.
Malfunction Management Unit
7
Electrical failsafe
Hand-soldered configuration cardPhysical connectionsWhitelist of valid states
Invalid states trigger an overrideGoes to blinking red lightsRequires manual reset
Stops 4-way green lights
Other intersection hardware
8
Radio communicationBetween controllersBack to main server
Video camerasRemote inspection
Overview of deployment
Collaborated with a road agencyUrban areaApproximately 100 lights total
Provided hardware for testing and access to deploymentInitial testing all performed under a laboratory setting
As a condition of their involvement:Wish to remain anonymous and keep vendors
anonymous
9
Deployment wireless network
Lights networked in a treeSingle private networkData reporting only
Two communication bands900 MHz5.8 GHz
20 dBm with directional antennas
10
Findings – 900 MHz radios
No encryption enabled on connectionsRelies on proprietary protocol and frequency hoppingWPA is possible
Default username and password in use
Vendor configuration softwareRequires default username and password to function
11
Findings - 5.8 GHz radios
Proprietary protocolSimilar to 802.11 – still broadcasts an SSIDNetwork name can be found on a standard laptop
12
Traffic Light #1Traffic Light #2
Findings - 5.8 GHz radios
No encryption enabled on connectionsRelies on proprietary protocolWPA2 is possible
Default username and password in use
Vendor configuration softwareAllows password to be changedAssumes single password in use throughout
deployment
13
Connecting to the network
How difficult is it?
1. Purchase 5.8 GHz radio from same vendor2. Open laptop and find network SSID3. Enter SSID into radio configuration as roaming slave
Network access at any point allows communication with all traffic light controllers in the deployment
14
Findings – Traffic controller
Usually controlled physically from the front panelNo username or password by defaultAccess control can be enabled, but is not simple
FTP server with database file for settingsUnchangeable default username and password
15
Findings – Traffic controller
Runs VxWorks real-time operating systemDefault build leaves a debug port openController we tested was vulnerableArbitrary access to read and write memory
Actually, the vendor had already fixed this issueThe patch report didn’t mention itRoad agency hadn’t gotten around to updating
controllers
16
Findings – Traffic controller
NTCIP 1202National Transportation Communications for ITS
ProtocolStandard defining communications for traffic
controllersSNMP can be used to manage devicesDoes not provide protection from unauthorized access
Vendor program for remote controller interactionUses NTCIP 1202 to emulate front panel interactionsEasy to sniff with Wireshark
17
Controlling the controller
We created a library of commands based on vendor programArrow keys, Number keys, Main Menu button
We then created a C program to act as a “traffic controller shell”
Can manually change settings on the controllerCan also run scripts to automatically perform actions
Advance lightsFreeze lightsTrigger MMU
18
Putting it all together
We can now:Access the networkConnect to the controllerChange light states
Next, we wanted to try it out at a real light
19
Demonstration on Deployment
T-intersectionMMU defaults to
blinking yellows on main road
Required supplies5.8 GHz radioLaptopAC power
20
Demonstration on Deployment
Connected to networkRan controller shellChanged light on command
Also accidentally triggered MMU twice
21
What can an attacker really do?
Denial of serviceIt’s easy to trigger the MMU to take overRequires a technician to manually reset the device
Traffic congestionPossible to change timings such that a road becomes
backed up
Individual light controlSpeedy getaways just like the movies
22
Recommendations for road agencies
Follow basic security best practices
Need to enable encryptionProprietary protocols do not cut it
Hiding SSIDs is a good ideaAdd firewalls to block access to ports you aren’t usingKeep firmware up to date
Change default usernames and passwords
23
Recommendations for vendors
Enforce security
Require strong wireless security optionsAllow and expect usernames and passwords to be changed
Somebody needs to be thinking about security
24
Vendor Response
Traffic controller vendor responded:The company “has followed the accepted industry standard
and it is that standard which does not include security”
Worrying for future Vehicle-to-Vehicle/Infrastructure technologies
25
Concluding Remarks
The real problem here is a lack of security consciousness
Traffic lights underwent a phase changeTiming electronics to computerized systemsStandalone devices to wireless networksSecurity did not keep up
Ensuring security of critical infrastructure should be a top priority
26
Acknowledgements
Many thanks to the anonymous road agency personnel who allowed us access to their network and hardware
27
top related