Smart traffic lights cause jams when fed spoofed data

We’ve got smart cars (that would be connected vehicles, or CVs, in smart-transportation lingo). We’ve got a US Department of Transportation (USDOT) pilot program that, since 2016, has been testing traffic lights that rely on data sent wirelessly from those cars.
If it all were to play nicely together, eventually, a smart car helped out by smart traffic lights could encounter a smooth sequence of green lights, driving through intersections without getting stuck in traffic jams or wasting fuel as drivers idle, waiting for the light to change.
But no, we can’t have nice things like smooth, smart, algorithmically timed sailing through intersections – at least, not with the current state of traffic technology. A team of five researchers from the University of Michigan have found that the DOT’s I-SIG (Intelligent Traffic Signal System) is way too easy to spoof with bad data.
In fact, the researchers said in a paper recently published on Internet Society that the current signal control algorithm has been designed and implemented to be “highly vulnerable” to data spoofing attacks from even one, single, solitary attack vehicle.
By constructing practical exploits and evaluating them in real-world intersection settings, the researchers found that data-spoofing attacks can even cause a blocking effect to jam an entire approach to an intersection.
I-SIG, the CV-based traffic control system they were attacking was developed in the DOT’s Dynamic Mobility Applications (DMA) research program and takes in real-time vehicle trajectory data to best control traffic lights.
I-SIG has been tested in real intersections in Anthem, Arizona and Palo Alto, California, where it’s managed to cut vehicle delays by 26.6%. Well, kiss those time savings goodbye: the research team’s spoofed-data attack was so severe, they found that 22% of vehicles would need to spend over seven minutes for what would normally be a half-minute trip – a jam-up that makes the trip 14 times longer.
In other words, the vulnerabilities in I-SIG can be exploited to completely erase any benefit it attains, by slowing down traffic to make it 23.4% worse than if no such system had been adopted in the first place.
All they needed to turn smart into stalled: a device in a CV that’s been compromised so an attacker can send malicious messages to the I-SIG system. From the paper:

The only attack requirement in our study is that attackers can compromise the vehicle-side devices on their own vehicles or other people’s vehicles, and send malicious CV messages to the I-SIG system to influence the traffic control decisions.

They didn’t set out to crack the I-SIG’s messaging system; rather, they chose to generate the fake messages from a real vehicle. They also assumed that only one attack vehicle would need to be at an intersection. The attack car could be parked elsewhere: one of the team’s illustrations show the attacker parked at a nearby gas station.

Vehicles can request a green light for their arrival, and I-SIG decides whether this will be granted based on the queue it’s created of all incoming requests. The data-spoofing attack’s focus was to manipulate the values in an “arrival table” that I-SIG uses to manage queues, spoofing the attack vehicle’s predicted arrival time and the requested phase of the traffic lights.
From the paper:

The attacker can change the speed and location in its BSM [Basic Safety Message] message to set the arrival time and the requested phase of her choice and thus increase the corresponding arrival table element by one [second].

On average, the attack success rate is 94%, and it causes delays to increase by 38.2%, the team found.
The best way to harden I-SIG’s defense is to boost the robustness of the signal control’s algorithm, the researchers said. Another step would be to employ data-spoofing detection, with sensors controlled by the infrastructure that can detect and filter spoofed messages. As it is now, the I-SIG system is only relying on car-trajectory messages sent by the smart cars themselves – as in, messages that attackers can control.

To ensure high effectiveness, data spoofing detection on the infrastructure side needs to rely on data sources that attackers cannot easily control, e.g., infrastructure-controlled sensors, to cross validate the data in BSM messages.