Researcher Warns of Potential Traffic Disruptions Due to Vulnerability in Traffic Light Control Systems

A cybersecurity investigator unearthed a vulnerability in traffic light systems that could let hackers manipulate signals and cause congestion.

Cybersecurity analyst Andrew Lemon from Red Threat revealed his discovery through two blog entries last Thursday, which were part of a larger study on traffic signal security vulnerabilities.

Lemon focused on the Intelight X-1 controller, uncovering a defect that could give individuals unauthorized control over traffic signals. He pinpointed a fundamental oversight: the device’s web interface is exposed to the internet without any authentication mechanism.

“It was utterly shocking,” Lemon shared with TechCrunch, expressing his astonishment at the oversight.

He explored the possibility of causing all lights at an intersection to go green simultaneously, reminiscent of scenes from The Italian Job. However, he discovered that while a device named the Malfunction Management Unit prevents this specific situation, other manipulations like altering traffic light durations are possible, leading to significant traffic disruptions.

Lemon reported finding approximately 30 Intelight devices that were vulnerable because they were accessible online.

After notifying Q-Free, the proprietors of Intelight, instead of a discussion on the vulnerability, Lemon received a legal notice from the company. The notice, which he published in his blog, communicated that Q-Free would only consider vulnerabilities in currently sold products due to limited resources. It suggested that Lemon’s investigation might have breached the Computer Fraud and Abuse Act, urging that disclosing the flaw could jeopardize national security and implicate Red Threat for potential attacks on critical infrastructure.

Lemon was taken aback by the company’s attempt to suppress the issue through legal intimidation. Meanwhile, Q-Free’s spokesperson Trisha Tunilla commented to TechCrunch that the controller model in question has not been produced for almost a decade.

Tunilla emphasized the company’s willingness to guide and support customers still using these outdated controllers.

Furthermore, Lemon’s research identified vulnerable traffic control devices from Econolite, also exposed online, operating on a susceptible protocol known as NTCIP. These vulnerabilities were acknowledged by Econolite’s vice president of engineering, Sunny Chakravarty, who advised replacing outdated equipment and adhering to security best practices.

The article has been updated to include a statement from Q-Free.