Dutch researchers manipulate traffic lights with virtual cyclists

Dutch security researchers have succeeded in fooling around several smart traffic lights. This allowed them to get the green light without being near the traffic lights.

But at least part of the traffic lights could be manipulated. “At the traffic lights we examined, no one checked if you are who you say you are,” says Wesley Neelen of security company Zolder. This allowed him to remotely impersonate a cyclist who came cycling towards a traffic light.

The hackers present their findings today at the renowned international security conference Def Con, which is being held virtually because of the corona crisis.

Apps

The traffic lights researched by the researchers make use of apps that cyclists can install. Their location is thus communicated to the traffic lights. They therefore know that they are coming and can already take their arrival into account.

In the CCeit on 3 Tech Podcast Wesley Neelen and Rik van Duijn talk about their research. Listen to it in your favourite podcast app or in the player below:

But Neelen and his colleague Rik van Duijn were able to imitate the packages that the app sends. “With this we could then steer unlimited so-called cycling towards a traffic light”, says Neelen.

“We think that now more than a hundred traffic lights were susceptible to this,” says Van Duijn. Some of them are still test rigs, which do regulate actual traffic.

This is what the manipulation looks like in practice:

For the time being, the attack by the researchers only worked for cyclists. “We now have no indications that you can also imitate other road users”, says researcher Van Duijn.

In theory, it should be possible. “We did try to turn a bike into a car, but we didn’t succeed,” says Van Duijn. The consequences of that could be greater, for example if someone can imitate an ambulance and always gets the green light.

Now, not yet. “The traffic light still determines who gets priority,” says Neelen. “It’s a bit like you can remotely press the priority button for cyclists.” That only happens when it’s safe to do so; it’s not like a traffic light goes green when someone else is still on green.

At the same time, attackers could cause problems, for instance by steering virtual cyclists at an intersection from several sides and disrupting traffic. “We didn’t try that, because it wasn’t necessary to make the problem clear,” says Neelen.

According to the researchers, their work is mainly a warning, now that more and more places need smart traffic lights. They must then be able to withstand manipulation.

The researchers informed the creators of the traffic lights of the problems. “They have promised to improve their apps,” says Esther Schoemaker of Talking Traffic, a partnership for smart traffic lights.

The traffic lights in question were not ‘official’ smart traffic lights that form part of that connection, Schoemaker argues.

“The unsafe apps could not have led to unsafe situations, such as forcing a green light from multiple directions,” says Schoemaker. After Van Duijn and Neelen’s findings, the apps were taken offline.

“For example, they can look at the back to see if there are any suspicious patterns,” says Van Duijn. “It might be suspicious if you cycle in Groningen one moment and then in Den Bosch the next.”