Andrew Lemon has found a serious vulnerability in the case of a traffic light controller. Lemon, a Red Threat cybersecurity researcher, shared his findings Thursday, revealing that Intelight X-1 controllers lack proper authentication. This allows just anyone to control the traffic light using the Web interface.
He simulated scenarios in which all the lights turn green, as in movies, but a device called the Malfunction Management Unit prevented such a scenario. Still, he said hackers could cause chaos on the roads by manipulating the light timings. Mr. Lemon added that manipulating timings could result in catastrophic traffic congestion.
Lemon disclosed the vulnerability to Q-Free, the owner of Intelight. The response from Q-Free was not one of collaboration, but a legal threat. The company claimed the controller had not been in production for nearly a decade. They told customers with legacy controllers to contact them to learn how to proceed.
Lemon discovered some other exposed Econolite devices that were vulnerable to attack. He notified the company, recommending that they upgrade their old models and lock up vital equipment. Econolite’s vice president of engineering, Sunny Chakravarty, confirmed the existence of these vulnerabilities. He said it was essential to follow network security best practices.
