Thousands of vulnerable traffic lights must be replaced in the Netherlands
Smart IoT devices represent a significant step forward in urban infrastructure management, part of the global Smart Cities initiative. The benefits are clear: better preventive maintenance, efficient resource management, and the ability to respond remotely in emergencies.
However, these advantages must be accompanied by deep reflection, observation, and the implementation of security measures to minimize the risks posed by potential attackers.
The attack surface expands, and in this case, it has a tangible impact on the physical world. Therefore, the principle of security by design should be strictly followed.
This is easier said than done, largely because technology is advancing at such a fast pace: properly modeling threats becomes significantly more challenging as new innovations appear. These innovations are rarely fully anticipated in the initial implementation phase but emerge as time goes on.
In this article, we review the recent discovery of a vulnerability affecting tens of thousands of traffic lights in the Netherlands. The only remediation option is to replace them manually, a high-cost project that the Dutch government estimates will last six years, until 2030.
It is planned to replace the traffic lights by 2030.
What happened?
Almost all traffic light installations in the Netherlands can detect approaching road users and adjust accordingly. In other words, they are smart.
These traffic lights can be influenced by a system called traffic signal preference, primarily used to stop conflicting traffic and allow emergency vehicles to pass through.
The system, known as KAR, has been used in the Netherlands and Belgium since 2005. It reduces response times and improves traffic safety.
Earlier this year, Alwin Peppels, a security engineer working for Dutch security firm Cyber Seals, initiated an investigation and discovered a vulnerability that could allow malicious actors to change traffic lights at will.
According to the research, bad actors can exploit this vulnerability using SDR (software-defined radio) technology to send commands to the control boxes located next to the traffic lights.
This exploit specifically targets the emergency radio signal used by ambulances and fire trucks to force traffic lights to turn green, allowing them to pass easily through intersections during emergencies.
There is a possibility that an attack on this new system may be much more damaging than this experiment, since you could potentially control all traffic lights throughout an entire province.
In his experiment, Peppels built a similar system and "hacked" the traffic lights with just the press of a button.
Aside from the ease of execution, this attack could be carried out from kilometers away and affect multiple intersections simultaneously, making the potential impact substantial. This has forced the Dutch government to take extreme and costly measures.
Other precedents
Back in 2020, Dutch ethical hackers conducted an experiment, this time by reverse engineering apps designed for cyclists, and discovered they could cause delays in at least 10 cities. They simply spoofed traffic data to interfere with traffic lights.
This investigation was presented at DEFCON 2020. You can watch a video of it here if you want to dive deeper into the details.
For some context on the importance of this precedent: those who haven’t visited Amsterdam or any other part of the Netherlands may not realize how impressive the country’s cycling infrastructure is (those who have, as I have, will understand immediately). It has over 35,000 kilometers of bike paths and more than 20 million bicycles (more than the population itself).
Mitigation
Returning to the vulnerability discovered by Peppels, the researcher shared his findings—details of which were not fully disclosed to prevent abuse—with the Dutch cybersecurity agency.
The solution, confirmed by the Ministry of Infrastructure and Water Management, was to establish a plan to replace all traffic lights. However, there are tens of thousands of them, so the process will take time: the current plan is to complete replacement by 2030. In addition, emergency services and public transport must upgrade their vehicles to work with the new system.
The current traffic control system (KAR) will be replaced by a new system for traffic signals that has already been designed in the Netherlands, called "Talking Traffic."
These new signals will be connected to the web via mobile networks rather than controlled by radio, making them invulnerable to this specific hack. However, authorities acknowledge that new risks may emerge.
As Peppels himself states: “An attack on this new system could, in theory, be much more damaging than my experiment, as you could potentially control all the traffic lights in an entire province. This new system will be used for ten, maybe twenty years, and we only have one chance to build it correctly and securely. We shouldn’t sacrifice security for convenience.”
To maximize their lifetime under 'safe' conditions, the safety-by-design paradigm must be followed.
Conclusions
The rise and democratization of software-defined radio technology, with widely accessible devices, pose a significant risk to all systems controlled or modifiable by radio signals, especially older ones that did not consider basic factors like authentication (as we saw in our previous article), access control, or potential replay attacks.
For radio systems currently being designed and deployed, it is essential to follow the security-by-design paradigm, at least to maximize their lifespan under "safe" conditions.
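The factors named above (authentication, access control, replay protection) can be enforced at the receiver with a keyed tag, a per-sender key table, a freshness window and a message counter. The sketch below is an added illustration, not code from this article, KAR or Talking Traffic; the frame layout, field names, keys and the 5-second window are all assumptions.

```python
import hashlib
import hmac
import struct

# Hypothetical frame: vehicle id, intersection id, counter, unix time, then an HMAC-SHA256 tag.
HEADER = struct.Struct(">IIQQ")
TAG_LEN = 32
MAX_SKEW_S = 5  # assumed freshness window

def build_request(key, vehicle_id, intersection_id, counter, now):
    body = HEADER.pack(vehicle_id, intersection_id, counter, now)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class PriorityReceiver:
    """Accept a priority request only if it is authentic, fresh and new."""
    def __init__(self, intersection_id, vehicle_keys):
        self.intersection_id = intersection_id
        self.vehicle_keys = vehicle_keys   # per-vehicle keys (constructed)
        self.last_counter = {}             # highest counter seen per vehicle

    def verify(self, frame, now):
        if len(frame) != HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        vehicle_id, intersection_id, counter, sent_at = HEADER.unpack(body)
        key = self.vehicle_keys.get(vehicle_id)
        if key is None:
            return "unknown-vehicle"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "bad-tag"
        if intersection_id != self.intersection_id:
            return "wrong-intersection"   # valid frame addressed elsewhere
        if abs(now - sent_at) > MAX_SKEW_S:
            return "stale"
        if counter <= self.last_counter.get(vehicle_id, -1):
            return "replay"
        self.last_counter[vehicle_id] = counter   # update only after all checks
        return "accepted"

def demo():
    """Run constructed frames through the receiver and return the verdicts."""
    key = b"\x01" * 32   # constructed demo key, never a real credential
    rx = PriorityReceiver(7, {42: key})
    good = build_request(key, 42, 7, 1, 1000)
    forged = build_request(b"\x02" * 32, 42, 7, 2, 1000)   # wrong key
    late = build_request(key, 42, 7, 3, 1000)              # delivered 60 s later
    return [rx.verify(good, 1001), rx.verify(good, 1002),
            rx.verify(forged, 1001), rx.verify(late, 1060)]
```

In a deployed receiver the per-vehicle counters would have to survive a restart, otherwise a reboot reopens the replay window for any frame still inside the freshness limit.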
Aside from the security component in the design and use of smart devices for traffic control and identification, citizen privacy must also be considered. Recently, the Dutch Data Protection Authority expressed concerns about the privacy risks posed by these types of smart traffic systems.
According to the Dutch Data Protection Authority, road authorities have not thought carefully about the privacy risks associated with these traffic lights. It is also not always clear with whom the data is shared or who is responsible for collecting and using it. According to the General Data Protection Regulation (GDPR), these matters must always be clarified before data collection begins.
As the saying states,
Intelligence is the ability to adapt to change.
We must apply this principle to the design and security of our "smart" devices.