With a focus on assuring next-generation transportation systems are foolproof and protected from cybercriminals, researchers from the University of Michigan discovered that connected cars are susceptible to deception. One vehicle transmitting fake data can trigger a crippling traffic jam, while multiple vehicles could be capable of shutting down miles worth of roadways. To reach a point where connected cars eliminate the need for traffic lights, stop signs and guardrails, these flaws must be addressed in next-generation transportation systems of connected vehicles. The most unsettling part about the discovery is the weaknesses discovered aren’t within the communication technology itself, but the algorithms these systems would use to manage traffic flow.
Algorithms are supposed to absorb various inputs. The ones used in transportation systems of connected vehicles, for example, might calculate factors like how many cars are in various locations around an intersection or an output that meets a particular goal like mitigating their collective delay at traffic lights. Most algorithms automatically assume these inputs are genuine, with those used for traffic control in the Intelligent Traffic Signal System (I-SIG) being no exception. Hardware and software can be modified in modern cars either through the vehicle’s diagnostic ports or wireless connections. Someone wanting to compromise the I-SIG system, for example, could simply drive and park near a targeted intersection, hack, and instruct their own car to transmit false information.
In this particular scenario, the research team discovered an attacker could utilize two weaknesses this algorithm contains to control the extent of time it takes for a lane’s light to turn green and vice versa. The first vulnerability discovered was termed “last vehicle advantage,” and is a way to prolong a green light signal. The last vehicle advantage algorithm monitors approaching cars, estimates the lengths of car lines, and determines the time it could take for all these vehicles to get through the intersection.
While logic is instrumental in helping the algorithm serve as many vehicles as possible through each round of light changes, the system can be manipulated. An attacker could order their car to falsely report it’s about to merge in the line of cars very late, causing the algorithm to hold the green light long enough for this nonexistent vehicle to pass. This in turn will lead to a green light and (correspondingly) red lights for the other intersecting lanes much longer than necessary for the actual cars on the road.
Referred to as “curse of the transition period” or the “ghost vehicle attack,” the second weakness involves “lying” about a vehicle’s actual position and speed relative to an intersection. The I-SIG algorithm was designed with the fact in mind that not all cars currently possess vehicle-to-vehicle communication. The system uses driving patterns and information of newer, connected cars for inferring real-time locations and speeds of older non-communicating vehicles.
If a connected car reports stopping a long distance back from an intersection, the algorithm will assume there is a long line of older vehicles ahead. The system will then issue a long green light because of the lengthy line of vehicles it thinks is present (but really isn’t). To clarify, this kind of attack only happens if the device lies about its own position and speed. Since this strategy is vastly different to conventional cyberattack methods, most known defenses against cybercrime won’t be effective against a lying device.
These attacks enable an attacker to prolong green lights to lanes with little or no traffic and do the same with red lights for more congested lanes. These conditions will inevitably cause traffic to keep building, thus causing major delays. Since this kind of attack exploits the actual smart traffic control algorithm, fixing it requires collaborative efforts of individuals and entities from the transportation and cybersecurity fields.
You can read the University of Michigan research team’s full report here.
Filed Under: Cybersecurity, M2M (machine to machine)