by magmastonealex 703 days ago
This is a great introduction to the mess that is traffic signal controllers!

The reality is perhaps even worse than the article suggests. The majority of signal controllers support the NTCIP "standard" MIBs in addition to the "proprietary" MIBs that are provided through FreeTheMIBs. These "standard" MIBs are defined in standards like NTCIP 1202[1], which are freely available online through the NTCIP group.

These standard MIBs let you set/get all kinds of fun settings... put the lights into flash, change timing settings, set "preempts" to give yourself a green light, and more.

The standard also strongly suggests that all vendors use a default SNMP community name of "public". That means, for any traffic controller you happen to find on a network, you can almost certainly change tons of scary settings without even needing to _exploit_ anything!

I've been working in the industry for quite some time, and it's genuinely scary how poorly secured some of this infrastructure is and how slowly things move when issues are found.

(Disclaimer: I work in the industry, not for any of the companies discussed in the article, and all these views are my own and not those of my employer)

[1]: https://www.ntcip.org/file/2019/07/NTCIP-1202v0328A.pdf

I'd be pretty interested in working on this kind of critical infrastructure. Any tips or pointers for an experienced SE/SWE on getting into your world?

I sort of accidentally stumbled into it when I joined an (at the time) startup as they were just getting into the market. So I don't know that I have anything specific to offer :)

I don't want to name names for companies in the industry, but you can find them in industry publications like Traffic Technology Today, or often as contributors to the standards documents like NTCIP 1202, ITE ATC 5301, etc.

I will say that there are a number of long-standing (40+ years) companies in the industry that seem to still operate the "legacy" way - slow iterations, very small software team, seemingly not much desire for large change. Basically, a hardware company that also happens to sell software.

There are also newer entrants to the market in the past ~decade or so that operate a lot closer to a modern software company - lots of new features coming out, fast-moving software teams, etc.

(again, all opinions are my own here.)

You sound like me. Stumbled into the industry at a startup (different than the one you're at -- you could probably guess which one) and have been around a while now. The condition of our traffic infrastructure is terrifying, frankly.

I was shocked when I learned that NTCIP was built on top of SNMPv1. To make matters worse, there are actually people in the industry against the adoption of SNMPv3. That would at least add a modicum of security via authentication and encryption. I'd prefer we build around another protocol entirely.

Imagine if folks at IBM knew we still used SDLC as the backbone of our communication in the cabinets...
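Added example (mine, not code from the thread or from any controller vendor) tying together the default "public" community mentioned in the top comment and the SNMPv1-vs-SNMPv3 point in this one: a small BER header inspector a network defender can run over captured SNMP messages to flag community-based v1/v2c traffic and default community strings. The cabinet names and the messages themselves are constructed for the example.

```python
# Added example (not from the thread): inspect SNMP message headers captured on
# a controller network; flag community-based SNMP (v1/v2c) and default communities.
DEFAULT_COMMUNITIES = {b"public", b"private"}  # common vendor defaults

def tlv(tag, content):
    """Encode one short-form BER TLV (content under 128 bytes)."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos (short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(msg):
    """Return the version and (for v1/v2c) the community string of one message."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, vval, pos = read_tlv(body)          # INTEGER version: 0 = v1, 1 = v2c, 3 = v3
    version = int.from_bytes(vval, "big")
    community = None
    if version in (0, 1):                  # only these carry a community string
        ctag, cval, _ = read_tlv(body, pos)
        if ctag == 0x04:                   # OCTET STRING
            community = cval
    return {"version": version, "community": community}

def audit(messages):
    """Return (source, reason) findings for messages a defender should care about."""
    findings = []
    for src, msg in messages:
        hdr = inspect_snmp(msg)
        if hdr["version"] in (0, 1):
            reason = "community-based SNMP: no authentication or encryption"
            if hdr["community"] in DEFAULT_COMMUNITIES:
                reason += f"; default community {hdr['community'].decode()!r}"
            findings.append((src, reason))
    return findings

# Constructed samples: an SNMPv1 GetRequest (request-id 1, empty varbind list)
# with community "public", and an SNMPv3 header carrying an empty msgGlobalData.
V1_GET_PDU = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b""))
V1_GET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + V1_GET_PDU)
V3_HDR = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))
SAMPLE = [("cabinet-12", V1_GET), ("cabinet-13", V3_HDR)]
```

Only the header is parsed, so the same check works on traffic from any NTCIP device regardless of which MIB the PDU targets.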

> for any traffic controller you happen to find on a network

But how would one get on such "a network" in the first place? I assume it would involve physically opening a (hopefully locked) cabinet in public near the road? So just a bit of cutting/picking reveals an ethernet port, you drop in a wireless bridge, close it back up, and then hack from a parked car?

Well, the "locked" cabinet generally uses the same key everywhere in North America, which isn't a great start :)

A number of agencies put these controllers directly on the Internet (a search on Shodan for some telltale strings produces concerning numbers of hits).

Others will use one giant flat network across their entire city - so if you get access at one location, you have access to the entire network. This could mean accessing a "rural" or quiet location, but then actually attacking a much busier one.

Every “genie” lift has the same key. Most “skyjacks” have the same key; there are maybe 3 iterations. Tractors have a lot of similar, if not the same, keys. RV handle locks (not padlocks) have about 8 different combinations - they are color coded. E.g. your RV has the purple or green key. Dead bolts are unique. Every single RV storage lock is the same; if you have an RV, look at the storage lock and if it says “CH751”, well, now you know :)

I am aware of a municipality local to me that, as part of a franchise agreement for a new ISP entering the community, had the ISP run fiber to every traffic cabinet. They're connected back to the city network in a VLAN that's "behind the firewall". >sigh<

Because of course a controller for a traffic light needs gigabit fiber internet connectivity....

That’s not the scary thing here. Better to future-proof it.

Running presumably unencrypted SNMP over shared lines is sketchy.

Well, to be fair, a number of traffic lights now have cameras to monitor the intersection as well. Didn't consider that.

It was only 100Mbps service, per the agreement, but yeah... >smile<

They do have cameras at each intersection, as well as networked audio at many (for all the speakers hanging from light poles that blare annoying instrumental covers of old popular songs).

The issue is that legacy copper plant has a finite lifetime. Paper insulated lines are already mostly useless today. If you have to replace infrastructure you may as well select a more robust modern alternative.

Cameras are cheap these days, and with a decent fiber link, just install one for each crossing, feed the live streams back to the pig sty and whoops, you suddenly have all you need for a comprehensive monitoring solution to track people. No matter if they're suspects or not.

The shit you saw on NCIS a decade ago and dismissed as "science fiction" is getting ever closer to reality.

Interesting, but I think the VLAN in your explanation is equivalent to the "network" I'm asking about. The V is mostly immaterial, I think.

The VLAN part is important.

"LAN" doesn't imply the same use of VLAN trunking or flat network architecture.

Traffic infra being on a VLAN behind the firewall implies a lot of trust in the traffic infra physical plant. You can harden against layer 2 vulnerabilities, but they're a whole 'nother can of worms and possible failure point.

It also implies the possibility of VLAN trunking being used inappropriately.

All the CCIEs I've learned from and trusted were very suspicious about extending the size and scope of LANs offsite through VLANs.