
Good, okay. Um, thanks for coming. I know there's another talk going on, uh, application security, so I appreciate you being here. I'm gonna be talking about, uh, an in-depth look into the VSLS system that the government has deployed through several, yes, I can. Um, this is, uh, their variable speed limit systems. They've been used in different capacities, um, since the 50s actually. Uh, it's only nowadays to where you can get it networked and put into the Internet of Things, so we're gonna be, uh, going through that today. Everyone else here has it, it's a disclaimer: the work within represents my own research and opinion, it does not reflect the views on, my lawyer told to put that in there, make sure it
was in there. Uh, everybody wants that in there as soon as you ever tell them about it, what you're doing, especially this. Uh, so moving on, a little bit about me. Um, professionally I work as a security analyst from Atlanta. I was also born in the South, so if you hear a little bit of a southern twang, I apologize. I have worked very hard to get rid of it. It's impossible, okay, certain parts won't go away, um, but I try. So, uh, so yeah, work as a security analyst, um, pretty much also work as a security engineer. DJ, you know who I was talking about. Um, before I got into my official infosec career I freelanced as a security
consultant for about a year, going around doing freelance work. I'd go to someone's door and knock on it and say, hey, do you want a free, uh, vulnerability scan? Some said yeah, some said hell no, go away. I got my experience there though, moved on and gotta learned what I needed to know. Um, below is contact information, a little bit about me. Uh, this would be available, this will be available online later on. So we're going to go through the history, a lot of these systems exist in the first place, how they function, how they communicate, and potential security risk listening. So this is pretty much how the, the, this is my opinion, the first generation
of these things. Granted, like I said, VSL has been around since the 50s in different capacities. It's just the back in the day and they have to tell the Department of Transportation like, hey, go out to all the signs and flip them up, make them 55, flip them up, make them 65. You know, these got introduced back in the 80s, sometimes in your 80s or stuff. Um, they're standing, these are known as variable message signs or portable changeable message signs, bunch of different ones. Uh, if you've ever seen one, and you've seen them in these states before, they're very easy to get into. It takes, it takes, it takes zero effort to get into these things for the most part.
Um, most of these, especially the orange ones, are made by a company, uh, Daktronics. They've made pretty much all of them. They also make the things that hang in the middle of Madison Square Garden. They're very well known for what they do. The bad part is, is that when they ship these things they hard code in the default username and password. Department of Transportation gives them, says oh who could do the truck take it out there tell people there's snow on the road then Mario's in another Mario and the Princess later on. Um, it was very simple: you get access to it, you have to walk you the controller, you change it and put your message up
there. I've seen funny ones and I've seen vulgar ones, so, uh, don't recommend this, not endorsing this, don't do it. Uh, then you had later on different ones, so you had what I also considered the second generation. It's not officially the second generation, it's what I consider to be the second generation. Uh, these were called variable message signs, also known as changeable, electronic, dynamic, and in the UK they're known as matrix signs. These are a little bit, these are a lot tougher actually to get into. A lot of these also, I don't believe they ever connected over fiber optic. They could have, sure the internet will let me know. Uh, but they, most of the time it's always
the EPL that went out to a box, translated a signal, could have signed up on the window the screen itself, but you could also go up to it and there's a padlock box on the side that has a serial connector on the inside of it. If you know Linux you can change it, you can change the messages displayed on it. Um, people also got a hold of that as well. Um, the one of the top one to the right, uh, was actually done somewhere I think in Raleigh, Asheville area of North Carolina. He got caught and arrested, so don't do this. Uh, they will find you, because most of the time, especially for the main
topic, the VSLs, they have cameras pointing at all these things, probably for this very reason. So why do these exist? Why, why spend, and like I said, I'm from Atlanta, the Atlanta area around the belt that goes around Atlanta implemented this last year. It goes up to five and a half million dollars to implement this system. That was 88 signs, so they're, they're expensive. So why go through all this trouble? Well, first, traffic control. Now that's primarily the reason why they do this. These things can going off sensors that I'll go over will adjust speeds even though, yes, rush hour and it's Friday and it's gridlocked like this, this guy here is trying to go 55 miles
per hour how many gets 10 feet in front of. So when you, when you get these signs installed you can just remotely say, you know what, 35. If anyone going past that get some red or they can rest they get pulled over, get a ticket, and it controls, it gives a level of control. Secondly, it reduces accidents, and you don't want the, I mean this is exactly like I really think it's like this. Um, so it reduces accidents. You know, you get to these types of situations to where people want to speed every moment they get 10, 15, 20 feet ahead of them, they're going to hit somebody eventually. I got hit the other week. I was in one of these
areas, not perfect I suppose at that point, but this is another reason why they do it. And third, statistics. Basically they want to have statistics, they want to know how many people are traveling these roads a day, how many people are getting in accidents a day, but by using these they can say, well, if the speed limit was lower then, you know, we had this many accidents, if it was higher we have these. So obviously nowadays there's always statistics and metrics and any other kind of information gathering activity that you can do. Is that really function well they use on, they use a combination of sensors in order to change the, uh, the display speed that's up there. Some of it's
automatic, some can be manual, it depends. It really comes down to the person that's controlling the VSLs, which will be selling in Department of Transportation. Seattle Bes I don't know if anyone's ever noticed these things up on the road. I have them a whole lot. I've never known what they did, never looked into them until I got the going down this rather than figuring out all these things. What it does is it counts cars going by, or it can count cars going by, but at the same time, like the one on the right, you can count the height of the car, that way they can say with as many cars goes by, this many trucks go by, these many semis go by, so
they get that. So that point they can say, well, in the last five minutes, you know, 2,000 cars went by here instead of the normal 500. They know, then the system is going to go through a series of algorithms that's going to say we need to lower the speed because the traffic. Also works out weather sensors. This is graphic up down, I'm sure they don't all look like this, but you know, you'll have things that goes off wind speed, humidity, any kind of moisture level is going on, and this all feeds into the system and it works into telling the, um, main, main control that whether or not, you know, if the road's getting too wet
then adjust the speed, if it's getting too cold then we need adjusted speed, etc., etc. And also road conditions sensors. So these things, the little black one in the middle is a puck that would be installed in the actual ground, in the pavement on the road, and it can tell whether or not, uh, some sort of maybe even a flammable liquid has been poured on top of it, if an oil-based liquid has been put on, poured on top of it, and it can go vaccine alerts through filters and say, you know, exist dispatch EMS, you know, the response personnel. So how they communicate. Primarily, because of the distance that are involved in these things, at least in
Atlanta in 285. Um, there's, like I said, there's 88 of them. Each one I believe is two to two and a half miles apart. They're always a mile down from the nearest on-ramp. So the fiber optic is obviously the, the best idea to communicate to these things, unless of course, you know, you're going past this general distance without a regenerator being put into, uh, in between. But you would think that point, you know, you know, as long as fiber optic has been around, they'd be better uses for it other than, you know, what they typically do, uh, such as these things. These things are also used for fiber optics. They shouldn't be. People get behind, they get
in advance they slam on the back of your next they make noise, it's not good, it's not a good path. So that's overall the primary, primary function of fiber optics. Secondly, there's wireless communication. So a lot of these, and I have a picture of the ones that are deployed in Atlanta, if anyone's been here up on I-4, I-4 has some of these things installed. They're a little bit different than the ones we have in Atlanta but, uh, they still work the same way, uh, still get a signal. I believe it's through fiber optic I look into the one in Florida, but Florida's website on Department of Transportation allows you to, or Georgia, yeah, Georgia Department
of Transportation has a website, you can look at the project, you can download the PDFs, you can look at all the original construction notes, how there's no order notes, you can really go through everything. Florida does not. So wireless communication is another one. This is cellular, long distance Wi-Fi, standard radio, it really depends. Uh, I know here lately the SDR community has really been blowing up, getting a lot bigger, so I'm sure somebody probably take a look into that, see, you know, exactly how they're communicating. Per state I'm sure it's always different, however they want to implement them. So, and then there's standalone. Standalone, like the VMSs that, like I said, I would consider second generation, uh, someone has to go
out to plug a serial cable into it and say, they can program time, program times, really whatever they want, you know, as far as how they're gonna set the speed, but maybe not, you know, when we break and remotely connect to it, it sets itself, that sort of thing. So main point of this is where we spend most of our time. I don't know if I'm a little bit too fast or not, but it's like I said, this is just outside the main point: what are the security risks? So like I said, I've spent a lot of time, I've been working on this for about six months, because Atlanta implemented their system in September, they finalized since September and got
it all going, and as soon as I got into it I started wondering, you know, what if somebody got in there? Everybody in this room, no one's going to disagree, if somebody got into their systems and set all those speed limit signs at 99 miles per hour, people are gonna go 90, 99 miles per hour, nobody would even second guessing. Um, so what other potential security risk? There is no encryption on these things. I contacted a lot of the manufacturers of these, these signs to specialize in. Anybody can make them, all you gotta have is a controller that can receive the signal, output it to a board, and it'll display a number, but there are companies
out there, manufacturers out there that actually specialize in these things, that make them, they did as their day-to-day, is what they make their money off of. And I mean all the ones I can find, can't say I can meet I talk to all of them, but I talked to a lot, I talked to 10 plus, none of them use encryption. They don't have the hardware that supports decryption on their side, they don't have the ability to take in anything other than the plain text that they get. So obviously that thing is just the biggest issue with it. So with there being no encryption, that obviously opens up the attack for a man in the middle.
A man in the middle being is the most easiest and undetectable way to get into that, um, at least in the case of this, if there's no encryption. Uh, you would have to have, I would imagine, an IDS deployed down the line to actually see if somebody is getting in between you and the signs, to actually see what's going on. You also have the problem, even if it is fiber optic, you know, people can say, well, it's a little hard against the fiber optic network. It's really not. There's a fiber optic, there's a fiber optic this way, it's called bending. You, all you do is you bend the actual, uh, fiber optic. You don't have to
cut into it, you don't have to cut into the line. You, uh, bend it, literally, literally physically bend it, and you have a coupler on it, so that's a little, little tiny bend, it lets a little bit of light radiate through the sheath, that goes into a photo detector, and sorry I haven't noticed here for this because this is a little bit, I've never done it before, obviously. Um, but it has a little photo detector hooked to it that connects to a little converter that then translates that to electrical signals, and you have that convert to a network interface, and then you can figure out exactly what's going on, because it's just light, you know, it's just the way it just, uh,
transmits through the actual fiber optic cable, so it doesn't make it hard. So that being the case with VSLs, you know, what exactly would be the really the progress, the, the process in order to do this? So basically you start out in the command center, wherever that would be in your city, Department of Transportation will control it. So that would start at probably a server, when it's XP, hope not, Windows 7 PC, which will even go to a switch or router, a firewall, and that ends up going out to the road because I'll tell boxing Road. These things can have amplifiers in them for, um, the signal is going out, it kind of regenerators for fiber optic, you can
have a converter just to convert it to the signal that may be going out depending on how it's being transmitted. You have a collector, now it's a lot of those boxes on the side of the road for cable companies or telecom companies. This collector just collect all of them in essentially down to smaller line, or you can go through the EPL, really depends on whatever the city decides the best way of doing it. That ends up going to another box that's on the back of the signs, and I touch these, these are the ones that are deployed in Atlanta. Does that mean for coming in down here up here and you have the actual main Tops
on there, back side of the speed limit sign. It goes into there, it gets transmitted or translated, and you need to get the, uh, the output on the sign itself. So it's not, like I said, it's not, it's like it's complicated, it's not overly complicated, but that's all there is really involved with. Um, then you have social engineering. Now this may not seem like a big thing as far as, you know, the, the security point of it, but when you think about government, you have people that have literally worked in the government for decades, and these are people that aren't, they're not technologically inclined, they don't really understand. So you could really call in and say, you know,
hey, I'm out here on the side of the road, I need to get one of these signs, I get you, I need to get the information for this. You don't know whose grandma's gonna let you into these things, you never know. And I did a little, uh, digging into the census: the average age of a government employee is 45 in the U.S. as a whole, and even though I know there's people that are way older than me, you know way more than I do, you have to get into that mind of that standard government worker that doesn't know what they're trying to do, they're trying to do their job, they're trying to make someone happy, and those are
obviously the people that anytime you ever try to social engineer someone, those are the people that you're really trying to get to. So in past that, you know, um, malware, targeted malware. Uh, problem with this is, according to a censor support nonsense report, but the Chief Information Officer of the Department of Labor in 2015 said that even still in the United States, inside, um, state and federal and government agencies, there's over ten thousand computers per state still running Windows XP. Yeah, so that's, that's primarily the issue with that. When is it, I'm sure everyone knows when is XP's end of life. Um, that opens up every door for every, every, uh, zero day that was released on
April seven, I believe, last year. So then you also have, um, uh, Bluetooth inside these, um, inside the actual VSL. Depending on the company that makes them, some of them, either, either in order to get into the box, either connect to it via serial cable or you have to get into it via Bluetooth, low power Bluetooth. These things actually have a Bluetooth antenna inside of it. The ones in Atlanta don't. Um, I called and asked. They're actually very helpful if you call and tell them that, you know, I'm looking into this sort of thing. Some of them are, some of them are not. Some of them want to know exactly who you are, where you live, and
why you're talking to them. So, um, I got that a couple of times and I was like, who are you? Um, so yeah, see what Bluetooth, and you know, guys are here I think from Hacker Warehouse sell Ubertooth, that's obviously a way of getting to it. Then you have things like BTScanner, Bluediving, Bluesnarf, BTCrack, I think, is that right? Yeah, BT, right. The standard is standard Bluetooth from what the manufacturer told me. Um, like I said, the ones in Atlanta, obviously I wasn't going to test it. By the way, I did not connect to any of these. Yes?
we do car stuff behind it so much you can do so much more damage like that you had the sign where it had Steel all right somebody here's the number on it right what breaking the white side and putting it over that game you know like when you're driving you don't see okay fine then you know it says 99 on there and people so right so and just the same as as like unless unless from one of those boxes and then going back to say you know fpot and then attacking after still you have maybe access to cameras like I just don't really see what the big what what is the big potential security risk well security risk would be and
that's after this or after the next slide, but that to address it said it's serious would be to set speed limit signs to what they're not supposed to be. That being the case, I mean, we all have loved ones that we have, you don't want these things to happen, because people will go that speed, people will hit those speed limits, and even though, yeah, you know, yeah, you could post up a sign or so that says, you know, 99 miles per hour, thing is, is when it comes to that stuff, if you were to go to that you couldn't say, oh well, the sign told me it was, told me it was 99 miles per hour, because you're
going to know whether or not unless you get a hold of an actual Department of Transportation speed limit is on but well hopefully yeah hopefully hopefully won't be that easy you just pull up the side of the highway and actually install one or put it over top of one it is personally you know with changing the number I don't think that the dangers are actually really there because places like in Europe where people are all driving that speed right okay
well one like on the Autobahn or something in Germany when someone goes slow you're just gonna so like you're saying it is very real like somebody could accelerate instantly to 100 miles per hour or something like that there's still someone in front of them going like 45 right down the road so right one car's driving by just flicking all these behind them officer and then they get off the road all the cars that they were going with are not yeah I mean it just comes down to it comes down to like I guess the physical safety of everyone traveling and that was the first thing I thought like I said when I saw this and I saw
them deployed, the first thing I thought it was, somebody got in there and actually changed the speeds, there would be people that would obey it and people who wouldn't obey it, because even still all states still have a, um, yeah, a maximum speed limit that you cannot and under no circumstance ever exceed. Not everyone knows that. Some people do, some people don't. If you don't know it and you see the sign, you're going to think that you're legally able to go that speed. So you're gonna have those on the interstate that are going 55 and you have people on the interstate that are going 99, and they're just getting weave back and forth, right? So I mean, I guess that's what I consider
the risk is, just physical, you know, physical harm. I mean, yeah, you could put a physical sign up, um, either or, I mean, yeah, I mean there's all sorts of ways of doing it, but with, with the, the, what is the growing Internet of Things, you know, I guess I just wouldn't want that, especially, like I said, with the other, other systems within the Department of Transportation being older, being on XP. You know, if somebody from China or, or Korea or North Korea and their little bureau that they have was just to get into it, I don't know if anyone seen Die Hard 4, Ian mentioned Die Hard 3, but in Die Hard 4, yeah, I mean, yeah, you know, somebody was
just to try and do something like that, whether or not they cared to do it or not, the potential is there. And even when I called, um, some Department of Transportations, they, they pretty much were kind of blown away too that, you know, that was, that would be an issue. And, um, like, you had a question?
yeah yeah yeah it's also possible
35 and then you could accelerate people behind them to about 100 right and you could have yeah and that that's that's pretty much the issue yeah
exactly, yeah. Now I will say, I will give at least Georgia's Department of Transportation some credit, um, I'll give them a lot of credit consistent, I mean this system works great. Um, I think it's done good on 285, especially on Fridays, but, um, I don't know if anyone's been to Atlanta, I don't know how traffic is around here, I don't live here, but [laughs] but, uh, in, in Atlanta, so they have where all the sensors that are tied into it, they actually do it pretty much autonomously, uh, completely automatic. They say, there's very little in the paperwork that's offered by the Department of Transportation, said it requires very little human input, but if they wanted to, if they wanted to
manually change it, there's a drop down that they have. That drop down has three speeds, and it's 45, yeah, 45, 55 and 65. They can't change it outside of that, but again, no encryption, man in the middle, etc., etc. So going on with that, I learned this, it's the NT, what is it, NTCIP. This is the National Transportation Communication for Intelligent Transportation Systems Protocol. It's long. There is no encryption requirement in this thing whatsoever. This goes back into, and again I'm sure the internet will correct me if I'm wrong, this also ties into cameras that are controlled by the, say red lights that are controlled by the state, anything that's controlled by the state goes through, or any, any
intelligent transportation system like those all have to obey this, uh, this outline, this guide. Now there are several parts to it, there's several, several parts to it, but mainly this is the main guide. This, this goes through and basically says, you know, these are things you can and can't do, but each one has its own elaborative separate document. I went through them all, all scanned for, uh, I'll search for encryption, read most of them, search for encryption, search for the word crypt, nothing shows up. So there is nothing outlined by, and this is issued by the government, that says, you know, you have to have encryption on these things, and I think, you know, it's more so, that's more of the
bigger issue
that's my last slide, so that's that. Really quick, making everyone's life easier. So, uh, is there any more questions or anything? Yes sir? What do you think the password reuse you so it's not just that these encrypted tell me those passwords that you're seeing? Well, let's see, so when I called the, the company that makes them in Atlanta, I called them, they weren't responsive to me asking them questions. Um, I don't want to go the route of trying to show some social engineering answers out of them, so I called other companies, and other companies, they were more happy to talk to me, mainly because they didn't have systems in Atlanta, I'm sure, but, um, some of them, some of them do
but only, only between, what they have is basically they have a box between where you'd have maybe the Department of Transportation's main command center, and it goes to another box, and then that goes out to all of them, because they all work one-off and, or just one goes to next, if one falls, and at least wherever they said they had a system, um, the whole thing fails. It's not like that in Atlanta, Atlanta doesn't work that way, it has a wireless backup in Atlanta. But some authenticate, the rest of them? No, you just, you send it information, displays it on the screen. No, it's all one way. I can't say for all of them, but for the
ones that I got in contact with, you know, it's all one way, because the, they, like I said, most of them have, um, cameras that are pointed out, that's their bi-directional authentication, or not authentication, but bi-directional way of figuring out whether or not this sign is displaying what it's supposed to or not. The risks really, I see two with that. As you mentioned, there's really more privacy concerns than anything, you've created a surveillance network that in that it chose to you utilize that, that for your own purposes, and then second, I, I see those, those first gen and second gen as being the higher risk. If you can create panic by saying that there's a shooting
or something like that, that diverts people off the roads, that's a, that's a real social safety issue, and if you use an amber alert to take someone that you're not particularly happy with and say they're a license plate and that. Also true, yeah, thank you for that, very good point. Uh, yeah, I mean it, I just hope that something like this puts pressure on the government to lock these things down, because I don't want this to happen. My wife's in here with me, I wouldn't want her to, I wouldn't want nothing to happen to her, I wouldn't have her family, my family, anyone's family, we shouldn't like that happening. You know, like, like he mentioned from Die Hard 4 through us
that Fail-Safe thing, yeah, granted they took over the entire government's infrastructure, unlikely, but I mean the potential is there when you don't employ encryption, when you don't employ, like you said, maybe authentication in between the two, and that's what worries me. And if I'm putting my life, or not my life, I guess it's a little dramatic to say, but if I'm putting myself on these interstates, I don't want that to happen, because I'm, I'm gonna obey what I can, at least whatever, but I'm not gonna go 99 miles per hour on the interstate. I would hope anyone would, but there would be those that would, and that, that to me, that's the risk, you know, that, that's what I
would worry about, because then you go back to that guy flying off the Run. Not touching these signs at all? No, no, so like I said, you know, I called, I called several Department of Transportations, I called several manufacturers, talked to them. Some of them, the moment I said, you know, I'm just doing some security research: no, no, we're not talking to you, we're gonna have nothing to do with you, we don't want that information public, we don't want anyone to know about this. And you know, that, that's that thing worries me, because I've never seen it, it may exist, I'm sure, like I said, internet will tell me, but I don't know if it exists,
they have security audits that are done on the, on the state, just not done by the state. The state's not going to throw itself underneath the bus, you know, there's no way, but if you had a third party come in to evaluate these things, maybe then, yeah, they would see these. And you know, even these signs, even like they are, they have IP addresses attached to us is this outlined in the actual documentation. It doesn't say what the IP addresses are, but it won't be hard once you got into the system and start doing network scan, you see 88 of these things pop up. That's the risk, you know, that's the concern, and it goes into that.
So no, I never touched them, I wasn't gonna, as much as I would love to sell like the console up there or does this have this is a configuration, it's not worth, not, not to me anyway, but I would love to have done that. And you know, like I said, a few of the people I talked to, they were really helpful, they talked to me, some of them talked to me 30 minutes, 45 minutes or so about it, they're just real receptive to do it, but you know, at the end they're not they're going to say okay, yeah, sure, connect in, you know, do whatever you like. It'd be nice, but no. Number three is anyone else
whoever
you see what sort of audit what kind of progress you can make right now
right, and so when I called a few of these, yeah, so when I called some of these people, the manufacturers, you know, I said, you know, can you not enable encryption, you know, put it as in a feature? A lot of them say they don't have the hardware to do it, so it would require that. I'm all for what you, you know, for what you said. It's a camera I don't know can I hear them back there, okay. Um, I don't know, I mean you could write the Department of Transportation, I highly doubt they're like, yeah sure, we're going to do it, but yeah, I mean definitely, I, from what I understand, could be wrong, please correct me,
um, can contact him Department of Transportation private, but Department of Transportation is controlled by the actual state, there's only one in the state. Um, so getting in touch with probably your congressman, your governor, so on and so forth, telling them that these are the risks, you know, don't let your state be the one that, you know, has Die Hard 4 happen to it or anything like that, don't let your state be the one that causes some massive 300 car pile up in the middle of rush hour on a Friday or something. So yeah, it's a really good idea, everyone should get in touch with their local government and get that done.
Okay, well, that's all I got. Hope you enjoyed it, hope everyone learns. [Applause]