green lights forever · ntcip 1202 national transportation communications for its protocol standard...
TRANSCRIPT
![Page 1: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/1.jpg)
Green Lights Forever Analyzing the Security of Traffic Infrastructure
Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman
8th USENIX Workshop on Offensive Technologies (WOOT’14) – August 19, 2014
![Page 2: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/2.jpg)
Motivating our investigation
2
Traffic Lights Ubiquitous critical infrastructure
![Page 3: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/3.jpg)
High-level overview of our findings
We evaluated an existing anonymous traffic infrastructure deployment We discovered numerous issues with the system
Both the road agency and vendors at fault The real issue:
An absence of security consciousness in the field
3
![Page 4: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/4.jpg)
Outline
Anatomy of a traffic intersection
Security evaluation
Recommendations
4
![Page 5: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/5.jpg)
How vehicles are detected
5
> 80% of intersections detect vehicles Inductive sensors
Wired and wireless Video detection Microwave, Radar, Ultrasonic, etc.
![Page 6: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/6.jpg)
Inside the traffic cabinet
6
Malfunction Management Unit (MMU)
Traffic Controller
Light Relays
![Page 7: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/7.jpg)
Malfunction Management Unit
7
Electrical failsafe Hand-soldered configuration card
Physical connections Whitelist of valid states
Invalid states trigger an override
Goes to blinking red lights Requires manual reset
Stops 4-way green lights
![Page 8: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/8.jpg)
Other intersection hardware
8
Radio communication Between controllers Back to main server
Video cameras
Remote inspection
![Page 9: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/9.jpg)
Overview of deployment
Collaborated with a road agency Urban area Approximately 100 lights total
Provided hardware for testing and access to deployment
Initial testing all performed under a laboratory setting As a condition of their involvement:
Wish to remain anonymous and keep vendors anonymous
9
![Page 10: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/10.jpg)
Deployment wireless network
Lights networked in a tree Single private network Data reporting only
Two communication bands
900 MHz 5.8 GHz
20 dBm with directional antennas
10
![Page 11: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/11.jpg)
Findings – 900 MHz radios
No encryption enabled on connections Relies on proprietary protocol and frequency hopping WPA is possible
Default username and password in use Vendor configuration software
Requires default username and password to function
11
![Page 12: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/12.jpg)
Findings - 5.8 GHz radios
Proprietary protocol Similar to 802.11 – still broadcasts an SSID Network name can be found on a standard laptop
12
Traffic Light #1 Traffic Light #2
![Page 13: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/13.jpg)
Findings - 5.8 GHz radios
No encryption enabled on connections Relies on proprietary protocol WPA2 is possible
Default username and password in use Vendor configuration software
Allows password to be changed Assumes single password in use throughout deployment
13
![Page 14: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/14.jpg)
Connecting to the network
How difficult is it? 1. Purchase 5.8 GHz radio from same vendor 2. Open laptop and find network SSID 3. Enter SSID into radio configuration as roaming slave
Network access at any point allows communication with all traffic light controllers in the deployment
14
![Page 15: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/15.jpg)
Findings – Traffic controller
Usually controlled physically from the front panel No username or password by default Access control can be enabled, but is not simple
FTP server with database file for settings
Unchangeable default username and password
15
![Page 16: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/16.jpg)
Findings – Traffic controller
Runs VxWorks real-time operating system Default build leaves a debug port open Controller we tested was vulnerable Arbitrary access to read and write memory
Actually, the vendor had already fixed this issue The patch report didn’t mention it Road agency hadn’t gotten around to updating controllers
16
![Page 17: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/17.jpg)
Findings – Traffic controller
NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices Does not provide protection from unauthorized access
Vendor program for remote controller interaction
Uses NTCIP 1202 to emulate front panel interactions Easy to sniff with Wireshark
17
![Page 18: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/18.jpg)
Controlling the controller
We created a library of commands based on vendor program Arrow keys, Number keys, Main Menu button
We then created a C program to act as a “traffic controller shell”
Can manually change settings on the controller Can also run scripts to automatically perform actions Advance lights Freeze lights Trigger MMU
18
![Page 19: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/19.jpg)
Putting it all together
We can now: Access the network Connect to the controller Change light states
Next, we wanted to try it out at a real light
19
![Page 20: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/20.jpg)
Demonstration on Deployment
T-intersection MMU defaults to blinking
yellows on main road Required supplies
5.8 GHz radio Laptop AC power
20
![Page 21: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/21.jpg)
Demonstration on Deployment
Connected to network Ran controller shell Changed light on command Also accidentally triggered MMU twice
21
![Page 22: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/22.jpg)
What can an attacker really do?
Denial of service It’s easy to trigger the MMU to take over Requires a technician to manually reset the device
Traffic congestion
Possible to change timings such that a road becomes backed up Individual light control
Speedy getaways just like the movies
22
![Page 23: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/23.jpg)
Recommendations for road agencies
Follow basic security best practices Need to enable encryption
Proprietary protocols do not cut it Hiding SSIDs is a good idea Add firewalls to block access to ports you aren’t using Keep firmware up to date
Change default usernames and passwords
23
![Page 24: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/24.jpg)
Recommendations for vendors
Enforce security Require strong wireless security options Allow and expect usernames and passwords to be changed Somebody needs to be thinking about security
24
![Page 25: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/25.jpg)
Vendor Response
Traffic controller vendor responded: The company “has followed the accepted industry standard and it is
that standard which does not include security”
Worrying for future Vehicle-to-Vehicle/Infrastructure technologies
25
![Page 26: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/26.jpg)
Concluding Remarks
The real problem here is a lack of security consciousness Traffic lights underwent a phase change
Timing electronics to computerized systems Standalone devices to wireless networks Security did not keep up
Ensuring security of critical infrastructure should be a top priority
26
![Page 27: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/27.jpg)
Acknowledgements
Many thanks to the anonymous road agency personnel who allowed us access to their network and hardware
27
![Page 28: Green Lights Forever · NTCIP 1202 National Transportation Communications for ITS Protocol Standard defining communications for traffic controllers SNMP can be used to manage devices](https://reader035.vdocuments.net/reader035/viewer/2022062611/612df1f31ecc5158694280f0/html5/thumbnails/28.jpg)
Questions?
Branden Ghena [email protected]
William Beyer [email protected]
Allen Hillaker [email protected]
Jonathan Pevarnek [email protected]
J. Alex Halderman [email protected]
Green Lights Forever: Analyzing the Security of Traffic Infrastructure