Most items the public comes in contact with are connected in some form or another. This could be one of the myriad of IoT devices (e.g. lightbulbs, doorbells, garage doors, door locks, etc.), vehicles, or items worked with daily. These items are connected not simply to show this can be done, but to improve the user’s life with simplicity and automation.
One such application is with traffic lights. Beginning in 2016, the U.S. Department of Transportation started to test traffic lights connecting wirelessly with the proximate vehicles. The vehicles would transmit their location as they would approach the light. The light would then process the data within its algorithm to maximize traffic flow and to the user experience. For the driver the time spent at the stoplights would be minimized, as the connected car may, given the optimal situations, not need to stop at the lights.
Although this appears to be utopian, there are potential issues. Researchers at the University of Michigan found the DOT’s I-SIG (Intelligent traffic signal system) was vulnerable to spoofed messages and data (https://nakedsecurity.sophos.com/2018/03/08/smart-traffic-lights-cause-jams-when-fed-spoofed-data/). This vulnerability may be exploited by a single vehicle, and would not require multiple vehicles all targeting the smart stoplight, analous DDoS.
The attack was not perpetrated in the wild, but was demonstrated as a proof-of-concept. This was shown to be effective on the physical street, and not merely in the lab.
Notwithstanding the vulnerability, the system worked and worked well. The actual system tests were completed at intersections located in Anthem, Arizona, and Palo Alto, CA. The new system was able to decrease vehicle delays by 26.6%. With the spoofed data, however the situation changes with a car’s trip 22% of the time, which should take approximately 30 seconds would take over seven minutes. This would occur with one vehicle attacking the smart.
This is still an emerging technology not widely in use. As the cybersecurity is applied to the newer technology as it is designed, engineered, and deployed, there will continue to be issues like this that would be addressed.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.