A Device to Turn Traffic Lights Green

Here’s a story about a hacker who reprogrammed a device called “Flipper Zero” to mimic Opticom transmitters—to turn traffic lights in his path green.

As mentioned earlier, the Flipper Zero has a built-in sub-GHz radio that lets the device receive data (or transmit it, with the right firmware in approved regions) on the same wireless frequencies as keyfobs and other devices. Most traffic preemption devices intended for emergency traffic redirection don’t actually transmit signals over RF. Instead, they use optical technology to beam infrared light from vehicles to static receivers mounted on traffic light poles.

Perhaps the most well-known branding for these types of devices is called Opticom. Essentially, the tech works by detecting a specific pattern of infrared light emitted by the Mobile Infrared Transmitter (MIRT) installed in a police car, fire truck, or ambulance when the MIRT is switched on. When the receiver detects the light, the traffic system then initiates a signal change as the emergency vehicle approaches an intersection, safely redirecting the traffic flow so that the emergency vehicle can pass through the intersection as if it were regular traffic and potentially avoid a collision.

This seems easy to do, but it’s also very illegal. It’s called “impersonating an emergency vehicle,” and it comes with hefty penalties if you’re caught.

Tags: , , ,

Posted on February 22, 2023 at 7:30 AM25 Comments

Comments

Winter February 22, 2023 8:09 AM

It’s called “impersonating an emergency vehicle,” and it comes with hefty penalties if you’re caught.

And it rightfully does!

aserraric February 22, 2023 8:28 AM

As the article points out, this is not something particular to the Flipper Zero (which is a neat little device), but could have just as well haven been built with an Arduino board or even some discreet logic, if one was so inclined.

I’m afraid that the take away for far too many people will not be “It’s too easy to spoof being a emergency vehicle” and instead turn to “this hacking device should be made illegal!”

Count0 February 22, 2023 8:42 AM

Of course this system isn’t perfect. There was a case in Minneapolis where light rail trains use this technology to keep from stopping at grade crossings but there was confusion on the part of emergency responders about who had priority at any given light if they used theirs at the same time a train did. They thought emergency vehicles took priority. They were wrong and an ambulance got hit by the train.

Peter A. February 22, 2023 9:15 AM

There are a lot of systems which use unauthenticated “secret” signals to perform automatic actions. The assumption was that the system shall be simple so it “always works”, but shall be kept secret so it won’t be abused by unintended persons. There might be also an assumption that nobody (or very few people) would be competent enough to construct a device emitting such signals, or that persons who are competent would be ethical enough not to use it and not to disseminate or leak the information. In the age of Internet and easy access to technology all such assumptions are false.

Two examples from my corner of the woods.

Many city tram systems here use IR signals to operate rail switches. The driver has a “magic box” with two buttons: left and right. A few years ago there were many tram derailments resulting from someone operating the switch (using a self-made device) while the tram was passing over it. In one case a pedestrian was killed by a tram car skidding sideways while negotiating a curve and crushing the person against a building wall.

The railroads had an emergency stop system operating via FM radio normally used for voice communication between crewmembers and dispatchers. A special signal (a particular sequence of tones and a voice message in a loop) could be send by any driver spotting an emergency by hitting emergency button on the radio. All locomotives within range will apply emergency braking automatically after a few seconds of such signal. Older locomotives did not have the system, but the driver should apply braking himself after hearing the characteristic signal and voice message. It has been abused quite a few times, disrupting traffic. There were no casualties as far as I know. The system may have been phased out already in favor of private GSM network but I am not 100% sure.

Clive Robinson February 22, 2023 10:10 AM

@ Bruce, ALL,

Re : Engineered OUT security.

There are thousands of different “short range” systems using the EM spectrum not quite from “DC to Daylight” but VHF-UHF using “Private Mobile Radiom(PMR) and unforgivably the unlicensed “Industrial Scientific Medical”(ISM) bands. Some realy cheap ones use “InfraRed”(IR) and even visable light. As well as some “piggy-backing” on existing EM systems such as using X-Band that the automatic traffic lights use for Doppler RADAR these days rather than coils in the road. However “rail roads” also still use LF signalling like a “big daddy” version of the “Near Field Communications”(NFC) systems you find in “contactless cards”, “Passports” and these days “Smart Devices”.

Way to many use commercially available chips almost the same as either “Key Fobs”, “Garage Door Openers”, and “TV Remote Controls”

In essence they are read the data sheet put the “suggested circuit” on PCB buy the chip and LED mount on PCB and flog it to a customer…

Most do not use any form of security sending the equivalent of plaintext. The reason this is the easiest to design…

So in the UK we have “streat pillars” that use ~450MHz UHF PMR frequencies to control valves for Gas, Water, and even electricity. The employee “drives by” and presses a button in his vehicle and a valve will close or open.

Anyone with a “Software Defined Radio”(SDR) dongle and FOSS can record this plaintext how it’s modulated etc and then do the equivalent of a “replay attack”.

Even when the security is supposadly higher, it’s not even up to that of those old frequency inverting voice scramblers.

You might remember I’ve been moaning about NIST’s lack of producing framework standards to stop this insecurity…

Has anyone heard about “progress” in this area over two decades later?

No, and it’s likely to be strongly lobbied against if security does come up these days…

Just remember some of these devices control trains and crains almost like are old style RC planes…

wiredog February 22, 2023 11:16 AM

Here in Virginia we don’t have those systems. Emergency vehicles have bright flashing lights and extremely loud sirens and if you can’t see or hear them coming, well, the average fire truck is pretty hefty…

Aaron February 22, 2023 11:48 AM

Where there is a problem, there is opportunity:

"The 3M OptiCom units that GTT sells to city fire [departments] cost $5,000 each. Not all fire departments have that kind of money to spend on MIRT devices."

Why just “hack the system” illegally, when you can legally profiteer off of it?

If companies are going to be ignorant enough to build the cheapest solution possible (e.g. – no security) and you can reverse engineer their design and build your own device for a fraction of the market price, why not sell it? Especially in a market where there seems to be almost no competition!

Tatütata February 22, 2023 3:19 PM

Not a particularly novel item.

I remember reading twenty years ago an item in the newspaper about some tramways in Poland getting derailed because the infrared-controlled track switches were thrown by a third party as a vehicle was passing over it. (How this cause was established wasn’t mentioned, IIRC). IR is used in a few other countries.

German traffic signals usually run a fixed program locked to the DCF77 time signal transmitter in Braunschweig. The 77kHz receiving loop antenna is easily recognisable at every intersection. (The old style looks like an inverted L tube, the newer is shaped like an upside-down canoe).

I’ve wondered for a while what would happen if one was to spoof time signals close to an intersection. An induction coil connected to the sound output of a smart phone might probably be enough). I suspect that the controllers aren’t overly clever, and that repeatedly sending the same time code would probably jam the cycle at that particular point.

Ted February 22, 2023 3:30 PM

From the story:

Many cities with newer traffic preemption systems configure them so they are encoded and log the vehicle requesting the preemption, as well as when failed and successful preemption attempts are made.

I wonder when these newer features rolled out. Rob Stumpf linked to a log interpretation
video, and it seems like the logs capture a lot.

I see that GTT has 20+ patents listed on their website. I’ve only briefly skimmed through two so far. But they do mention the use of security codes and encryption. I’m still trying to figure out how these might be implemented.

https://www.gtt.com/patent-list/

Patent 8830085:

The security code, consisting of the vehicle identification is encoded in the signal by interleaving data pulses between the base frequency pulses.

Patent 7307547:

The optical emitter transmits light pulses that represent an encrypted code that is an encryption using a time-varying encryption key of at least an identification code.

JW February 22, 2023 3:49 PM

When I wrote the emergency vehicle priority system for the traffic signals in Australia we specifically avoided any comms like this. Instead the vehicles communicate to their dispatch centre what their location and speed are, the dispatch centre tells the traffic management system which lights it wants changed and when, then we alter the cycle times to give a green light without disrupting traffic as much as possible. Can do it several minutes ahead and all via SSL so no chance of spoofing.

Security and proper authentication does actually matter.

JonKnowsNothing February 22, 2023 4:25 PM

@modem phonemes, All

re: traffic circles, roundabouts, glorietas

  1. Saca la mano
  2. Interdiction de tourner à droite
  3. Sens interdit

flossie February 22, 2023 5:33 PM

Traffic circles are unfair in certain circumstances, notably on roads where heavy straight-through traffic dominates and there’s nothing nearby to create gaps (like regular crossing by pedestrians, or nearby signal lights). Cars can then follow one-after-another along that vector, blocking traffic for the other entrance(s) from which nobody can legally enter till there’s a gap.

They could probably replace a large majority of traffic signals, anyway, although I wonder how they’d affect emergency response times. The only real data I found was a 1996 Portland Oregon study saying that a traffic circle delays a fire vehicle by 1.3 to 10.7 seconds—but it doesn’t say whether they tested with sirens and flashing lights, how much traffic there was, or how that compares to signal lights. I guess if they caused major problems we’d have heard about it from European emergency responders.

Wolfger February 22, 2023 6:15 PM

The key words being “if you’re caught”. Given that it’s a directional IR beam rather than an RF transmitter, I’d imagine it’s rather hard to detect, and probably nobody designed these systems with catching imposters in mind, so it would have to be considered a problem large enough to be worth the cost of stopping.

Clive Robinson February 22, 2023 6:31 PM

@ Tatütata,

Not heard from you for a while, I hope you are well?

Re : Time locked or not.

“I’ve wondered for a while what would happen if one was to spoof time signals close to an intersection.”

Probably not much that you would see directly.

The usual reason for time syncing road signals –unlike rail signals– is not realy anything to do with what most would consider “safety” but can have a lot to do with “health”.

Usually the time syncing is to do with wide area traffic control to ensure even flow thus pasivate traffic and help reduce polution (both exhaust and rubber from tires, both of which cause micro or smaller particulate).

So that would “slip” and traffic would become more start-stop and drivers more aggressive thus heavy footed on the accelerator and brake.

So causing polution to rise, which at certain times of the year would increase hospital admissions for respiritory cases which they realy realy don’t want as that coincidences with when those heading into retirment or later tend to get significant chest infections.

modem phonemes February 22, 2023 7:11 PM

@ JonKnowsNothing @ flossie

This paper discusses modern roundabouts

https://www.asce.org/publications-and-news/civil-engineering-source/civil-engineering-magazine/issues/magazine-issue/article/2021/03/modern-roundabouts-boost-traffic-safety-and-efficiency

“ Although existing traffic circles are sometimes converted to modern roundabouts, most often it is a traditional intersection — with a stop sign or traffic light — that gets changed to a roundabout, notes Wen Hu, Ph.D., the senior research transportation engineer at the Insurance Institute for Highway Safety. After such conversions, crash rates at those intersections tend to fall, according to an IIHS website about roundabouts. Citing several studies involving U.S. traffic crashes, the IIHS site reports a 72 to 80 percent decline in vehicular crashes that cause injuries and a 35 to 47 percent reduction in all crashes ”

JonKnowsNothing February 22, 2023 8:23 PM

@ modem phonemes, @ flossie, All

If you have ever really had to use a roundabout you know

1) You need a shotgun rider so they can Stick Out Their Hand (saca la mano) to signal you need to move over to a right lane to make the exit. It’s a common phrase in Mexico.

2) No Right Turns except when you need to turn right.

3) No Entry/Wrong Way directions when you are stuck in an infinite loop going around the circle after you missed the only exit for your direction of travel.

There was a very funny comedy routine by a French comic about getting stuck in a roundabout with no exit. I’ve forgotten the comic’s name but I remember ROFLMAO over the routine.

Adrian February 28, 2023 11:08 AM

[Speaking only about the give-emergency-vehicles-the-green-light system…]

I could imagine that leaving the signal unencrypted was an intentional engineering choice. A simpler one-way signal broadcast repeatedly from an emergency vehicle to a physically local traffic device is likely to be very robust. That’s a huge plus. And if most emergency vehicles use the same system, then first responders from a neighboring municipality aren’t hampered when called in to help on a larger issue.

A selfish driver who cheats to improve their own experience would cause very little disruption to traffic patterns. Each illicit use alters just one cycle of the traffic control lights at one intersection. The disruption to the flow of traffic is minimal and very short-lived (based on my experience of seeing emergency vehicles pre-empting the traffic lights). The cheater doesn’t want to hang around one intersection to repeatedly interrupt the normal cycle; they want to get to the next intersection.

The insecurity of the system matters only if there are many cheaters or if somebody exploits it to repeatedly attack at a single location with the intent of snarling traffic. But vulnerability already exists. I’ve seen people abuse the buttons pedestrians use to get the WALK signal to cross the intersection. (Most recently, I saw it exploited by my county’s sheriff’s department who had officers on foot going from car to car to solicit donations for a charity as the drivers waited for the red lights which were lengthened by other officers repeatedly pressing the crossing buttons.)

If many cheaters becomes a problem, it may be simpler to catch and prosecute them than to make a more secure system. If the traffic lights control logs whenever it responds to an emergency vehicle signal, that information could be correlated with GPS data from actual emergency vehicles and video from traffic cameras.

Jeff March 15, 2023 8:05 AM

In the two cities I’ve lived in that used this preemption system, there is an additional, white, light (looked like a standard floodlight from your house, but single bulb) mounted near the traffic light. When the preemption was active, that white light was illuminated, letting the oncoming vehicle (we had it for Emergency and city buses) know they had control of the intersection…but it would also alert anyone nearby (police) that the system had been activated – if they didn’t see a bus or an emergency vehicle, they might realize that something was up…

chris watts March 16, 2023 5:21 PM

the solution is to make the device in question turn ALL lights in all directions RED, not green. This way everyone stops, (except the first responders) and there is no advantage to hacking the system.

if it could make the red light flicker in a distinctive way it would be even better- the ambulance driver would know that the lights for perpendicular traffic were also red.

csw

ParityTheUnicorn March 16, 2023 5:49 PM

@chris watts Wouldn’t that miss the point of the system in the first place though? You might as well have no system at all, since at least that way the emergency vehicles don’t have to navigate through stopped traffic when the light would have been green for them anyway. It also would completely ruin the aspect of the system that is supposed to minimize traffic disruption.

chris watts March 17, 2023 12:36 PM

@ParityTheUnicorn
I don’t think so, though i see where youre coming from.

I’ve noticed that ambulances etc often drive down the opposite side of the street from the regular traffic flow as they cross an intersection, and then merge back into the direction of traffic flow just afterwards. As long as all the traffic pulls over (as they are required to do) they’ll be fine.

Any ambulance drivers care to chime in?

cw

Clive Robinson March 17, 2023 3:57 PM

@ chris watts

“Any ambulance drivers care to chime in?”

I know quite a few ambulance staff some quite well, enough to know their names and birthdays (due to me having way to many “frequent flyer miles” with them[1])

I’m almost certainly going to run into some again this month, I can ask about “South and East London” where yes they quite frequently drive down the wrong side of the road, especially in some areas where drivers have absolutly no consideration of others[2]…

[1] I have due to my size and incipient old fart status, got an interesting collection of heart, cirulatory, blood, and other conditions that appear to want to fight to my death… Whilst it can be amusing to pass out in a supermarket and end up making the place look untidy it’s not good for other aspects of my life (mind you joking with the ambulance crew that being in the back is now taking over as my prime social life might get the odd smile, I can assure you I’d rather be ripping it up on the dance floor etc).

[2] One place you do not want to drive in London is Brixton-Balham. I’ve seen drivers just stop in the traffic, get out and pee up against walls, in the middle of the day. Whilst others likewise just stop in traffic go into a sandwich shop or MacDonalds and similar to get their lunch… Sometimes some other driver will loose it compleatly and get out and wreck the stopped vehical with a sledge hammer or machete… As a friend who was a Surgeon and, used to live in “St reatham” (actually just Streatham) used to say in a very posh accent “all part of the local colour old boy, yes, all part of making the world go aground” (his father was an African Diplomat and Eaton had been one of his educational stops as had Cambridge and he had a very funny out look on life having played rugby with a determination to win)…

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.