Hi, welcome everybody. We would like to talk today about a research project we did, hacking traffic lights, and we would like to share our findings, well, the things we found in our research. First of all, my name is Wesley Neelen and my colleague's name is Rik van Duijn, and we both have mainly been pen testing in the past years, for about seven, eight years. Of course we also have our own interests. For example, I like to play around with the Internet of Things and its security, and innovations like that. Rik likes to play with malware and investigate that. At least one disclaimer: we are no smart traffic experts. We're just, well, two guys that are interested in these kinds of innovations, so we decided to do research on it. We do use bicycles because we're Dutch, but that doesn't really help us in our research.

A small introduction. What we've seen is that multiple vendors are creating a platform to exchange traffic information. For example, road signs can report their states on a network, parking spots can report how many are still available and how many are occupied, traffic status, for example whether there is a traffic jam, and stuff like that. But they are even trying to connect the traffic lights, the actual traffic light systems, to the same network so it can act on the messages that are sent on the network. And one of the examples is that they actually want to connect the road users to the network as well. For example, cyclists, cars, trucks and even the rescue vehicles, the emergency vehicles. I have to mention that in this research we have mainly been focusing on the cyclist. And the reason for this is that there was an app available that you as a cyclist can install. And if you're cycling on a road, the time to green will be decreased, or you will maybe even get instant green.
So because it was available, we focused on that. An important fact is that in the Netherlands there are a lot of bicycles, 23 million, and we have a lot of cycling infrastructure. So imagine that on almost every intersection there's a cycling traffic light. So it's quite important in our country. Like I said, we see multiple apps being released, so we are mainly interested in the fact that we are able to talk to traffic lights somehow. For example, how are we able to talk to them? And what if we are able to manipulate it? What is possible, and what can we manipulate? So that was pretty interesting, and the reason why we started the research.

One of the things we see in the Netherlands is that there is an ongoing partnership, and the goal of that partnership is to realize smart traffic, and to improve safety, comfort and traffic flow. A lot of things are happening in that partnership. Some of the things are, for example, the cyclist app that I was talking about. They are trying to give the user the ability to install an application on their phone, and when they're cycling on an intersection, the cyclist light's time to green will decrease, or it will maybe even instantly go to green if there is no other traffic at the intersection. Another thing is, for example, for trucks: they are trying to realize a green flow on multiple traffic lights, so the trucks have to stop less, which is of course a great idea. And the emergency vehicles, well, that's maybe even the most interesting one, because those will instantly get green if they are passing a connected traffic light. But other road users will also be notified that there is an emergency vehicle coming. An important thing within the partnership is VRIs. VRIs are the systems at an intersection that are actually controlling the traffic lights. And they are replacing the old systems with intelligent ones,
so that they are compatible with the network and it is possible to communicate with them, but also so that they are able to send their own information to the network. And what we've seen is that currently about 500 VRIs have been replaced with iVRIs, which is about 10% of the total amount of VRIs. To give you an idea of how things are connected to each other: on the right you see the road users, for example cars, cyclists or trucks. And they are connected to the network, for example by using an app, like I said earlier, but it is also possible that it is an onboard computer within the truck, for example. And those systems are talking to cloud services, which are also, like the apps, created by multiple vendors. And in the cloud, the information that they send can be sent onto the network, and for example to traffic lights. One of the important things in there is that mostly this is done by using CAM objects, which is a standard that allows you to communicate with each other within a traffic network. And Rik will be explaining more on that.

Cool. So when we initially looked at the first app that allowed users to get the green light, we saw lots of references to CAM objects. And we saw that the app was building CAM objects with the position, stuff like that, in it. And for us, it was unclear what those were. So we started googling and we figured out that it's actually part of the intelligent transport system standard, which is a European standard. As far as we know, there's a different one in the US, and it might even be a different one in your country. So an important part of this standard are the cooperative awareness messages, so CAM messages. In the US, they're called basic safety messages. These contain all kinds of information about the intelligent transport system. So it could be a car telling you its speed, stuff like that.
So when we looked into the objects themselves, we noticed that they contain lots of different information. So we can see the position, what type of vehicle you are. Important to note, and we'll see later why, you shouldn't use the station type to determine what a user is and what they can do. But there's also a different container. So there's a high frequency container, which contains data that changes often, so stuff like the direction, information like that. And there's a low frequency container, having data that's more static, such as my lights are on or off, and this was my path history. But more importantly, we came across a special vehicle container. And this container contains information such as I am transporting dangerous goods, or I am an emergency vehicle and I need to have green lights right now, stuff like that. So this for us was the point where we were like, okay, can we manipulate this and can we send this to the traffic lights that are connected to our apps? We started looking into this. We actually figured out that the intelligent transport system standard already has a security standard in it. It's based on public key infrastructure, where, very simplified, your vehicle receives a certificate. The certificate contains information about your vehicle, well, not necessarily your identity, but that you are a vehicle and what you are allowed to do, which allows other systems on the road to actually validate what you are sending to them. So part of the CAM messages and the certificate are the SSP and the ITS-AID. The ITS-AID is the intelligent transport system application ID, and it describes some basic permissions, such as you are allowed to send CAM messages. And there's a service-specific permission that's also in there that allows you to actually say, I'm allowed to do this. So for example, I'm an emergency vehicle and I'm allowed to tell the world that I need green lights right now.
So every message you send out, you sign, and it is combined with the certificate in order to let other systems on the road verify that the message you are sending them is actually valid, that you are allowed to send it and that you actually have the correct permissions to request this. So when we were preparing this presentation, we actually came across some interesting work that's already being done on this. There's a cool paper by Joseph Kamel, which goes on to assume, let's say, that authentication and authorization are already correct: what can we do with a valid car? So can I say to others, I'm putting on the emergency brakes right now? Will other cars immediately start braking? So there's really interesting research being done. There's also some cool software being released in order to look for abuse on the network already. So the security for this exists. However, when we started looking into the apps that Wesley will talk about soon, we noticed that there's still some work to be done.

Like mentioned earlier, we saw multiple Android applications that a cyclist could install on his phone. And if he installs it and he's approaching an intersection, he will get green: the time to green will be decreased, or he is able to instantly get green. So when we saw that, we were like, OK, what's going on? How does this app work, and what is it exactly doing? What we did is, we decompiled the applications and we saw that CAM objects are being sent over MQTT. And that was pretty interesting, because if we are able to create those CAM objects ourselves and send them over MQTT, for example using Python, we might be able to trick the system. The thing was, at that time we didn't know what CAM objects exactly were. So we had quite a hard time imitating the behavior and doing the same in Python, also because of the ASN.1 and the protobuf encoding that was done by the application.
So during that time, we decided to take another approach and use another tool, which was called Frida. At that time, it was the first time we used it. It's really an amazing tool that allows you to hook into an application, for example an existing Android application that's running on an Android device, and for example print the information that's in a function, or call other functions and do modifications. So after trying, we were able to print out the CAM object. And on the right, you can see a snippet of that information. And like Rik was talking about, you see the basic container, the station type and GPS coordinates. So we were like, this is pretty interesting: what and how will the system react if we are going to manipulate this information? In order to do so, we also used Frida, and we were able to write the script that's on the left. What it is doing is, again, just hooking before the publish CAM function is being called, so before the CAM object is published on MQTT. Just before that, we modified the information, for example the speed, the GPS coordinates, and information like that. And our goal was to imitate the behavior that you see in the image on the right, to let the system believe that there is a cyclist cycling on the intersection all the time, and that in a loop. The thing was, at that time we were just recognized as one cyclist. We wanted to bypass that. We wanted to be, continuously, a loop of cyclists that are passing the intersection. And the way to bypass it was quite simple, because we found out that if we disconnect and reconnect on the MQTT channel just before the CAM is being published, we are recognized as a different, new cyclist. So by just disconnecting and connecting before every CAM object was being sent, we were able to act like we are a different cyclist instead of one. So that was cool.
We were able to get that flow continuously. Later on, we found another similar application. If you install it as a cyclist, the time will be decreased or you will instantly get green, depending on the situation at the intersection. But this application was even easier, because it was just sending one POST request, as you can see in the slide, with similar information to what we saw in the previous app, like speed, GPS coordinates and information like that, also the station type. And that was being sent to the server. So somehow this is probably converted, for example to CAM, by the backend. So we didn't have to take care of that at all. We just have to send one POST and the system will react to it. And the interesting thing: there was no authentication. So there's no way to distinguish cyclists from each other within the system. And that was quite an interesting part, because maybe we can fake a lot of cyclists in the city, for example. We wrote a Python script to just send this POST with the correct information, and we recorded a demo on it, which I would like to show. Here you will see a video where we are at a connected traffic light on an intersection. In this video, there is other traffic at the intersection, and you will see that the system reacts and the waiting sign turns on. But it will wait until it goes to green, until it's safe. So that's quite important to note: the safety system stays intact, so it will never turn two lights green at the same time. Luckily that's still in place. We also recorded a second video at a traffic light, but in this case without any other traffic. And as you can see, it reacts quite quickly and instantly. If we send one POST request, the system instantly turns to green. So what could we do with this vulnerability? Well, it's abuse of functionality.
But, like we mentioned, it is not able to see multiple cyclists. It's just using every request and doing an action on that. So what we could do is use the previous script and do it on a lot of traffic lights at the same time, because that system was currently running in 10 cities. So you could just interrupt the traffic in a complete city at a time.

So in conclusion, I think the place we are now is that there's no real use of the security part of the standard. They are using cooperative awareness messages to determine where vehicles are, but there's no clear distinction on what they are, who you are, or if you are even authorized to do so. Luckily, now we're working with public betas where cyclists are being used, but there are some closed betas going on for trucks and for emergency vehicles, and especially those could pose a real threat for traffic. Luckily, security systems will stay intact, so there's no hacker-style all the lights green at the same time, cars hitting each other, stuff like that. So currently we're just able to annoy you, which is already fun. The reason we are giving this presentation is that we really believe that this is something that's coming, and we need to be sure that this is actually working properly, meaning that authentication and authorization are correctly implemented. We've seen it with email: we're still having issues determining if a mail you've received is actually from the person you received it from. So it's really important that, the moment our physical lives, the traffic, are being controlled by these systems, this is something that's actually properly working. We would recommend that these apps start to use some form of authentication, at least knowing that there's one person operating one app. If they choose to spoof whatever it is they do, at least we would know they would only be able to control one digital cyclist.
And it's becoming more and more important to detect and monitor abuse on the back end of things, meaning that the central system receiving all these messages and distributing them to the different traffic lights would need to look for unexpected or implausible behavior and block users accordingly, which would reduce the impact of somebody trying to manipulate this. And after that, the moment we have authentication and authorization under control, we will have to look into abuse from an allowed user. But that's the next step. So this is as much as our presentation encompasses. If you have any questions and you want to join in the Q&A, it will be on the 6th of August between 1:30 and 2 o'clock. Or if you need to contact us directly, check it out on Twitter. Thank you. Thank you.
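One way the back-end plausibility checks recommended at the end of the talk could look, as an added example that is not the speakers' code nor the code of any app or system discussed: it runs over constructed CAM-like position reports and flags the four behaviours the talk describes, a station type the cyclist app should not accept, a special vehicle container without a verified service-specific permission, implausible displacement between consecutive reports, and many fresh station identities presented by one transport-level source. The `src`, `ssp_verified` and `special_vehicle_container` field names and the thresholds are assumptions.

```python
import math
from collections import defaultdict

EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Constructed sample reports (not real traffic data). "src" is an assumed
# transport-level identity, e.g. the MQTT client or HTTP session; "ssp_verified"
# is an assumed flag set only after a signed ITS certificate/SSP check passed.
SAMPLE_REPORTS = [
    {"src": "client-A", "station_id": 1, "station_type": "cyclist", "t": 0.0, "lat": 52.0900, "lon": 5.1200},
    {"src": "client-A", "station_id": 1, "station_type": "cyclist", "t": 1.0, "lat": 52.09005, "lon": 5.1200},
    {"src": "client-A", "station_id": 1, "station_type": "cyclist", "t": 2.0, "lat": 52.1000, "lon": 5.1200},
    {"src": "client-A", "station_id": 2, "station_type": "cyclist", "t": 3.0, "lat": 52.0900, "lon": 5.1200,
     "special_vehicle_container": {"emergency": True}},
    {"src": "client-A", "station_id": 3, "station_type": "emergencyVehicle", "t": 4.0, "lat": 52.0900, "lon": 5.1200},
]

def check_reports(reports, allowed_types=("cyclist",), max_speed_mps=15.0, max_ids_per_src=2):
    """Return (subject, reason) flags for reports a cyclist back end should not act on."""
    flags = []
    last = {}                       # station_id -> previous report for that station
    ids_per_src = defaultdict(set)  # src -> distinct station ids it has claimed
    for r in sorted(reports, key=lambda rep: rep["t"]):
        sid = r["station_id"]
        # 1. The station type is not a permission: a cyclist app must not accept others.
        if r["station_type"] not in allowed_types:
            flags.append((sid, "station type not permitted for this app"))
        # 2. Priority requests need the SSP from a verified certificate, not a self-set field.
        if r.get("special_vehicle_container") and not r.get("ssp_verified"):
            flags.append((sid, "special vehicle container without verified permission"))
        # 3. A cyclist cannot teleport: compare displacement with a plausible top speed.
        prev = last.get(sid)
        if prev is not None:
            dt = r["t"] - prev["t"]
            dist = haversine_m(prev["lat"], prev["lon"], r["lat"], r["lon"])
            if dt <= 0 or dist / dt > max_speed_mps:
                flags.append((sid, "implausible displacement"))
        last[sid] = r
        # 4. Reconnect churn: one source presenting many fresh station identities.
        ids_per_src[r["src"]].add(sid)
        if len(ids_per_src[r["src"]]) == max_ids_per_src + 1:
            flags.append((r["src"], "identity churn from one source"))
    return flags
```

In production the thresholds would come from the station type's physical limits and the per-source window would be time-bounded; the point is that each flag maps to a claim the message itself cannot prove.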