Ethical hackers demonstrate the importance of safe apps
The safety of ITLCs and associated apps cannot be taken lightly. That can be concluded after a few attempts by ethical hackers to ‘break into’ intelligent traffic lights. The hackers did manage to lead two uncertified cycling apps down the garden path, but attempts to manipulate the approved Talking Traffic apps failed. The ethical hackers now label the working method for cybersecurity in the Talking Traffic chain a ‘good example’.
It was a confirmation for all partners involved that the Talking Traffic partnership has things well in order, at least for now. Ethical hackers recently manipulated two cyclist-oriented apps. These apps were developed on the initiative of two providers of traffic lights. And both apps fall outside of the Talking Traffic community: they do not work with the Talking Traffic architecture, nor have they been tested and approved against the requirements applicable within Talking Traffic. Via those uncertified apps, it turned out to be quite easy to mislead the system.
More specifically: by manipulating the apps, the hackers could suggest that a large number of cyclists were approaching the traffic light, prompting an unnecessary green light for them and red lights for other traffic participants. This is called spoofing: a relatively simple, well-known way to create the impression that a road user is at a certain location, while in reality he or she is not there. In this particular case, road safety was never in jeopardy. There was never a situation in which intersecting traffic flows were simultaneously given green lights and no accidents were caused by the manipulation. At most, some motorists had to wait for some non-existent cyclists.
Various media covered the hack. The suppliers of both non-certified apps have since pledged to take measures to improve the security and reliability of their product.
For the record: Talking Traffic has strict requirements for admission. Road managers are strongly advised not to give access to their traffic lights to apps other than those that have been approved. The ethical hackers noticed that those certified apps are not so easy to manipulate. They also attempted to hack an app that had indeed been developed in accordance with all Talking Traffic requirements. They did not succeed in ‘breaking in’ nor did they succeed in misleading a traffic light.
For all Talking Traffic partners, it was a confirmation that it pays out to have strict procedures, given all the measures in the area of cybersecurity and data chain security. In the contact that Habers had with them, the hackers appeared pleasantly surprised at the carefulness in the Talking Traffic community: since 2018, the Talking Traffic partners themselves have been conducting regular penetration testing and security/privacy audits in their own chain.
Since, according to the hackers, Talking Traffic is a good example of how governments should deal with cybersecurity, they also included this example in their presentation at an international hacker conference on cybersecurity. They will also highlight the correctness of Talking Traffic’s working method during an upcoming meeting of the Council: it pays out to stick to the strict requirements in the areas of security, data protection and controls, continue to conduct audits and penetration testing and keep an eye on improvements in the area of information security.
And speaking of app controls: the ‘Truckmeister’ app was recently proven to meet all applicable connection requirements and has therefore been added to the list of approved apps. The verification process is still currently ongoing for ‘GreenFlow’, ‘RingRing’ and ‘Tracefy’; these apps are expected to be included in that list soon.