When Two Engineers Hacked LA’s Signal System, Wreaked Havoc On Streets

When Two Engineers Hacked LA’s Signal System, Wreaked Havoc On Streets

It may be over nine years since it happened but security experts have not learned their lessons giving hackers enough room to expose and prove how computerized and Internet-connected control systems are vulnerable to exploitation.

In August 2006, traffic in Los Angeles came to a halt when two traffic engineers, Kartik Patel and Gabriel Murillo, hacked into the city’s Traffic Surveillance Center and disabled the signals on four busy intersections chosen to cause significant backups because they were close to freeways and major destinations.

The union representing the city’s traffic engineers had threatened that “Los Angeles is not going to be a fun place to drive”. City officials temporarily blocked all engineers from access to the computer that controls traffic signals to save the city from a labor protest. After access to the system was cut off for all but top managers, Murillo signed in as one of them and obtained the codes needed to unblock the computers that controlled traffic lights throughout the city.

Patel, a civil engineer, and Murillo, a computer whiz who helped build America’s most sophisticated traffic-management system, programmed the lights so that red lights would be extremely long on the most congested approaches to the intersections, causing gridlock for several days. Cars backed up at Los Angeles International Airport, at a key intersection in Studio City, onto the clogged Glendale Freeway and throughout the streets of Little Tokyo and the LA Civic Center.

Patel was charged with five felonies: one count of unauthorized access to a city computer and four of unauthorized disruption or denial of computer services. Murillo was charged with two felonies: one count of identity theft and one of unauthorized access to a city computer. The two pleaded guilty to hacking into the city’s signal system and slowing traffic at key intersections and were sentenced to two years’ probation in 2009.

Despite the hack, city could not design secure computers or update old, weak systems to guard against malicious activity. In January this year, someone hacked a Los Angeles traffic sign used to alert drivers of construction up ahead and programmed it to display, “Read a f***ing book”.

Cesar Cerrudo, an Argentinean security researcher with IoActive, hacked New York’s traffic light system in April 2014. He was able to take control of the sensors – Sensys Networks VDS240 wireless vehicle detection systems – which are installed in 40 US cities, including San Francisco, Los Angeles, New York City, Washington, DC, as well as in nine other countries.

The vulnerability of Internet-based security systems is not limited to traffic. According to a 2013 research, power plants across the US and Canada could overheat, shut down or be caused to malfunction because of vulnerabilities that leave them open to hacking. If exploited, the vulnerabilities could be used to crash or potentially hijack the servers controlling electronic substations, water utilities and power plants.

In March 2015, South Korea blamed North Korea for a December 2014 cyber attack on its nuclear power plant operator Korea Hydro, which operates the country’s 23 nuclear reactors, aimed at stealing internal data that included plant blueprints and employees’ personal information.