Sometimes it’s easy being green (Image: AP Photo/Julio Cortez)

BRANDEN GHENA pulls his car up under a traffic light in a city in Michigan. He plugs a radio transmitter into the car’s power adapter, connects it to his laptop and, with a few keyboard strokes, takes control of every traffic light in town.

“We were able to advance the light,” Ghena says of the experiment, which took place in May. “We could make it turn green.”

Ghena, an electrical engineer at the University of Michigan, and his team were exploiting a vulnerability in the light’s traffic controller. Present at every signalled intersection, the controller switches between red, yellow and green lights according to its programming. It can be set to change at regular intervals, or based on input from external traffic sensors.


These controllers are often networked across a city, and receive commands via a sequence of data packets. This allows engineers to manage them remotely, but anyone with network access can send these commands. All Ghena had to do was figure out which sequences of packets corresponded to which controller commands, and he gained full control.

“It’s great research,” says Cesar Cerrudo, a professional hacker and chief technology officer for IOActive Labs. Cerrudo found a different vulnerability in US traffic systems earlier this year. He showed that it was possible to spoof the sensors that feed into the traffic controller, making the lights think that cars are waiting at a light when they aren’t, for instance. “[Ghena’s work] and my research make me scared of driving in the US,” he says.

Part of Ghena and his colleagues’ agreement with the traffic department that authorised their study was that they wouldn’t reveal the name of the city concerned, or who made the vulnerable equipment. But Ghena says the vendor in question has traffic controllers installed at 100,000 intersections across the US. The Federal Highway Administration estimates that there are about 300,000 intersections in the country.

The US government has recognised the country has a problem with its infrastructure – in 2013, President Barack Obama signed an executive order that called for strengthened cybersecurity for critical systems like electricity grids, water utilities and transport networks.

An attack can do more than create havoc for its own sake. “If you were robbing a bank, you could cause a lot of congestion between you and the police station,” says Ghena. And thieves or even just an impatient commuter could easily set up a corridor of green lights for themselves. Ghena will present the work at a USENIX workshop on 19 August in San Diego, California.

If you were robbing a bank, you could cause a lot of congestion between you and the police station

This isn’t the first time that traffic infrastructure has been shown vulnerable to digital attack. In October last year, the signalling systems in the Carmel Tunnels in Haifa, Israel, were taken over, with the attackers gaining control through a weakness in the traffic cameras. The tunnels had to be closed during the morning rush hour, causing massive congestion.

“The attack space is growing every day,” says Cerrudo. “In the past you had viruses that affected PCs. In the future we’re going to see malware for everyday objects, because they’re all like small computers.”

Leader: “Who’s driving? Autonomous vehicles have a problem“

This article appeared in print under the headline “Gridlock alert”