According to the details of his research that he shared with Wired's Kim Zetter, the vulnerable part of the system is the communication protocol between the magnetic sensors embedded in the streets and the main controllers that are fed through them.
The system in question is Sensys Networks VDS240, whose sensors have been installed in practically all major US cities and some abroad.
The sensors send data about the traffic flow to nearby access points and repeaters, which then relay the data to the controllers.
But the proprietary protocol used to transport the data is not secure.
"By sniffing 802.15.4 wireless traffic on channels used by Sensys Networks devices it was found that all communication is performed in clear text without any encryption nor security mechanism," Cerrudo noted. "Sensor identification information (sensorid), commands, etc. could be observed being transmitted in clear text. Because of this, wireless communications to and from devices can be monitored and initiated by attackers, allowing them to send arbitrary commands, data and manipulating the devices.”
Technically, attackers wouldn't be able to directly control traffic lights and signals, but could trick the controllers and the system to believe that a street is clear when its not or vice versa, and make them change the "instructions" they will sent to the traffic signals.
Cerrudo claims that it would not be difficult for persistent attackers to reverse-engineer the protocol and use that information to create effective attacks. He also noted that the sensors' firmware is not digitally signed and access to them is not restricted to authorized parties - meaning that an attacker could mess with the firmware and reconfigure the sensors.
He contacted the company about these issues, but they haven't been very receptive to his inquiries. He then contacted the US DHS' ICS-CERT division to share his findings, and they have relayed them to Sensys Networks.
They responded by saying that "the option for encrypting the over-the-air information was removed early in the product’s life cycle based on customer feedback", and that firmware updates for newer sensors are now encrypted. Still, older sensors cannot be update without being dug up, so that for the time being ICS CERT wouldn't suggest such a costly action.
"If you can provide details of a vulnerability being exploited in this or the other products, ICS-CERT will revisit the issue at that time," they concluded.
Cerudo is understandably upset, but the reality of this world is that no one wants to spend money on account of a possible (but not likely) attack.
In my mind, the one thing that his research has definitely proven is that in this modern, interconnected world of ours, incorporating security from the get-go is something that should be mandatory for all manufacturers, especially if IT is involved.
Cerrudo will present the results of his research at the Infiltrate security conference set to be held in Miami in May.