Hacked ‘virtual cyclist’ can manipulate Dutch traffic lights

Dutch security researchers have succeeded in manipulating several smart traffic lights. By mimicking the signal of users of a special app, the hackers create a virtual cyclist who pushes the wait button remotely, thus allowing them to get the green light without being near the traffic lights.

The hackers announced their findings on Thursday, at the renowned international security conference Def Con in Las Vegas, which is being held virtually because of the corona crisis.

Special app

The smart traffic light the researchers investigated uses apps that cyclists can install. Their location is thus communicated to the traffic lights. This way, the lights know that they are approaching and can already take their arrival into account.

Some 1 200 intersections in the Netherlands will have internet traffic lights that can regulate traffic more intelligently. Certain traffic can be given priority, and people need to slow down and accelerate less often.

Open for abuse

But at least part of it could be manipulated. “At the traffic lights we investigated, no one checked whether you are who you say you are,” says Wesley Neelen of security company Zolder to the NOS. This allowed him, together with his colleague, Rik van Duijn, to remotely pretend to be a cyclist who came cycling in the direction of a traffic light.

The researchers think that more than a hundred traffic lights are susceptible to this problem. Some of these traffic lights are still test stands, which do regulate actual traffic. For the time being, ‘the attack’ by the researchers only worked for cyclists. So far there are no indications that other road uses can be imitated as well, but in theory, that should be possible.

Problems for Schwung

The hackers do not mention names of apps or developers, but one of the vulnerable apps is Schwung, confirms a spokesperson for construction group VolkerWessels to NRC.Next.  The app, with the slogan ‘Jolly fast on green’ was developed by Vialis, a subsidiary of the construction group.

Schwung is being experimented with at least ten municipalities – from Enschede to Dordrecht. The app promises to give cyclists the green light sooner by passing on their arrival to the smart traffic light. The idea is that the cyclist, because he won’t have to wait too long, will be less inclined to cycle through red.

Offline

According to Mediawatch, the researchers informed the creators of the traffic lights of the problems. “They have promised to improve their apps,” says Esther Shoemaker of Talking Traffic, a partnership for smart traffic lights between the Ministry of Infrastructure and Water Management, other authorities, and the business community in the field of traffic innovation.

“The unsafe app could not have led to unsafe situations, such as forcing a green light from multiple directions,” says Schoemaker. According to her, other smart traffic lights are not vulnerable because, in the case of the traffic lights in question, it is “an initiative of two suppliers and a few municipalities.”

Otherwise, the hack is annoying: the rest of the traffic is waiting for a cyclist who will never come. After the researchers’ findings, the ‘unapproved apps’ were taken offline and are being improved.

Major consequences

For the researchers, it is not about who made the mistakes, but that mistakes were made. Van Duijn: “The pilots are the first step. Soon cars will talk to each other, with traffic lights, with traffic signs, with an accident or roadblock. Such technology must be well developed and safe. Imagine if we’d turned a cyclist into an ambulance.