Traffic lights all across the United States are dangerously easy to hack.
Anyone with a radio hooked up to a laptop can wreak havoc by remotely changing lights at will -- or by shutting them all down. That's according to findings by computer researchers at the University of Michigan.
"There's an assumption that these devices are secure. We all just trust them so much," said Branden Ghena, a computer science PhD student at the university and the lead researcher on the study. "This is critical infrastructure. We were shocked that was going on."
Under the watchful eye of local transportation officials in May, the Michigan researchers field-tested the hack in an undisclosed Michigan city, changing the traffic lights from a laptop in their truck.
The lights and controllers are made by Econolite, one of largest makers of signals, cameras and traffic management systems in North America.
The company did not respond to requests for comment.
Like most modern day traffic signals, Econolite's traffic lights run on a computer network. They communicate with one another just like your home Wi-Fi, using radio signals. But their controllers, found inside metal boxes at every intersection, operate like an unsecured router -- they are rarely encrypted and almost all of them use the same default username and password, which are published in online manuals.
Econolite's traffic lights are used in 100,000 U.S. and Canadian intersections, although it's unclear if all of those systems are susceptible to hacking.
The problem extends beyond just Econolite -- the U.S. traffic light communications standard, called "NTCIP 1202," is present in all modern signal systems. They can all be hacked if cities don't change their default settings.
Researchers said that the lights can be made much more difficult to hack with little effort: Guard the network. Cities that install the traffic control systems can enable encryption and set passwords for their networks -- both options are available on the Econolite systems. It's as simple as clicking on a box on the device's screen.
But that isn't likely to happen anytime soon. Local governments are cash-strapped and aren't easily convinced they must manually update every signal controller, said Adam Pridgen, a security consultant at Praetorian.
But a deeper problem remains. The software standard used by Econolite and many others doesn't limit who can send commands to traffic lights. If hackers break into the network, they can send commands to traffic lights unobstructed.
The solution? The standard must be updated to limit authorized devices and require additional credentials, researchers said.
Azorian Cyber Security founder Charles Tendell said it's time we start seeing traffic lights as computers -- and treating them as such. Cities seeking to save money by installing smarter, automated systems shouldn't assume the equipment is safe.
"You shouldn't install this type of system without a security audit," he said.