Presented at
DEF CON 28 (2020) Virtual,
Aug. 6, 2020, 1:30 p.m.
(30 minutes).
New systems are connected to the internet every day to make our lives easier or more comfortable. We are starting to see connected traffic and smart traffic lights innovations to improve traffic flow, safety and comfort. With smart systems entering and controlling our physical world, ethical hacking such systems to find possible ways of manipulation becomes even more important to society.
In the Netherlands there are some public innovations where traffic light systems are being connected to smartphone apps. We have looked at these innovations to see if these systems could be manipulated and how manipulation could benefit an attacker. Specifically, we found a way in two different platforms, that allows us to successfully fake a continuous flow of bicyclists that turns the cyclist traffic light instantly green or decreases the time to green.
More than 10 municipalities in the Netherlands connected a part of their cyclist traffic lights to the affected platforms. It was possible to perform these hacks from any remote location, which allows someone to remotely influence the traffic at scale. The hack results in turning the cyclists lights to green, while other lights on the intersection will turn to red.
The regular security systems that make sure lights are not turned green simultaneously stays intact. There are similar projects that turn the car traffic lights green for ambulances or trucks. If an attacker succeeds to exploit these projects with a similar attack, he could remotely influence the car traffic lights directly.
Presenters:
-
Wesley Neelen
- Hacker & co-founder at Zolder
Wesley has about 7 years' experience in the offensive security area working as a penetration tester. Next to his work assessing the security of infrastructures, he spends time researching trends within IT security and on developing defensive measures. Wesley likes to actively assess the security of home automation, internet of things and 'smart' innovations. One of the vulnerabilities discovered by Wesley, is a remote command execution (RCE) vulnerability in the Fibaro home center appliance. The vulnerability allowed to remotely obtain root access on the Fibaro device whenever the web interface is reachable. Also, he discovered vulnerabilities within a smartwatch cloud that disclosed the location history of about 300.000 of its users.
@wesleyneelen
-
Rik van Duijn
- Hacker & co-founder at Zolder
Rik is a security researcher with 7+ years of experience as a penetration tester. Nowadays Rik focusses on malware research and defense. His hobbies include cooking, bouldering and long walks on the beach. Rik has presented at SHA2017, (whiskey|fristi)leaks, DefCon BlueTeam Village and Tweakers Security/DEV Meetups.
@rikvduijn
Links:
Similar Presentations: