It's pretty easy to hack traffic lights


Originally published at:


I know this guy who totally pwned downtown LA…


By default these systems have the debugging port turned on, which allows untrusted parties to seize control over the system.

Weasel words! Trusted/untrusted by whom? People who don’t trust the public should never make it to government jobs.

These sorts of difficulties are more symptomatic of a culture which actively teaches selfish opportunism instead of concerted efforts to solve even basic problems.


When I was a boy and walked home from school there was a traffic light at a corner where I crossed the street. On the pole with the button to push to cross was a silver box that controlled the traffic light. It made a mechanical “ticking” sound like a clock.

If I slammed my fist against the box when the light turned yellow, the yellow light would begin to flash. It was that easy to get the lights to break and default to the flashing yellows.


I believe “untrusted parties” has a narrower, less judgmental definition in the context of information security.


If you’re able to hack hacks I would think there are much juicier targets around than traffic lights like, oh, banks?


I am not sure if observing that public systems should be secured by and for the public counts as a “judgement”, it’s practically a tautology.


It’s pretty easy to hack traffic lights

Hollywood has been doing that for years.


Is there anyone in the world you would not trust with the functioning of a traffic control system? Well, this debugging port being turned on by default makes it accessible by them.


Sorry—I didn’t mean you were being judgmental! I meant the people who “don’t trust the public.”

“Untrusted parties,” as I understand it, means anyone accessing a system in a way its designers didn’t intend. If a system is designed securely (so it doesn’t allow access in unintended ways) this doesn’t imply that its designers are judging anyone in particular to be untrustworthy.


It’s been easy for a while—Fun with Traffic Lights (Cult of the Dead Cow)


I think most people would be shocked at just how many public infrastructure and industrial systems are basically wide open, protected by default passwords and security-through-obscurity. It’s not just traffic lights. There’s so much more than that out there.


This happened on the FWY not far from me -


It’s far easier than that. Major streets will have light sensors (usually IR) to detect the signal of an emergency vehicle, and will turn the light green.


Portable emergency warning signs are frequently a cinch - the lockable control box is often left unlocked, and many units use one of a small handful of default mfr’s passwords that often have never been changed.

Good time to think verrrrry carefully about liability issues, though. (-:


When I was still a teenager (a long time ago) I was walking to school one morning and saw a line of cars on a two-way street near my house all backed up. I walked along the sidewalk listening to all the cars honking for two blocks until I got to the first light. At the light there was another kid from the neighborhood I knew sitting on his bike leaning up against the pole that had the control box for the intersection. It was old and had electromechanical relays in it that you could hear going ka-chunk-chunk when the lights were changing. The door to this green box was open and the kid had his hand inside. It looked like he was pulling a glass fuse out of a holder or maybe pulling a switch. His hand would move and the light would turn green. He’d let a car go and then his hand would move and it would turn red and all the cars would stop and honk. I said, “Hey, what’s up” to the guy and he says, “Oh nothing much” and goes back to messing with the light. I waved and kept walking to the subway doing a Sgt. Schultz… I see Nothing! Nothing! I did not want to be there when the drivers noticed him and came and beat the crap out of him.


I do this all the time at an intersection off the highway near my house. Late at night and nobody’s around I flash my high beams repeatedly a few times to force the light to change just long enough to go thru. Works great.


This doesn’t actually sound that bad. Hardware interlocks against dangerous configurations, and only vulnerable to local mischief? Yeah, it would be better if it were secured, but on the list of “public infrastructure with security vulnerabilities” it is pretty far down on the list of stuff I am actually worried about. This is the sort of problem you can deal with when it actually becomes a problem. And if you want to fix them, the first thing isn’t any sort of encryption or access control, but simply adding reliable logs to the controller (which it may already have) so that you can detect tampering if needed.


If I was going to go through the trouble to hack traffic lights, I’d fix them instead. Half the ones on my route are either timed incompetently or timed to cause congestion.


Obligatory XKCD:

Long Light

“You can look at practically any part of anything manmade around you and think ‘some engineer was frustrated while designing this.’ It’s a little human connection.”
–R. Munroe