Red Light, Green Light, Hacked: Dutch Traffic System Vulnerable
A serious vulnerability has been discovered in the Netherlands’ traffic light management system, allowing malicious actors to remotely control signals at thousands of intersections across the country. This revelation has raised significant concerns among authorities.
Alvin Peppels, a 29-year-old ethical hacker, uncovered a dangerous flaw in the shortwave radio communication system (KAR), which has been used to manage traffic lights since 2005. He demonstrated how a homemade device could be employed to change signals to green or red from several kilometers away.
The KAR system was initially designed to give priority to emergency services and public transport. However, it can be easily exploited, causing chaos on the roads or hindering the work of emergency services. Researcher Dave Maasland, in an interview, emphasized that such threats, once considered the stuff of science fiction, are becoming a reality in modern society. The particularly alarming aspect is that the attacker does not need to be in close proximity to the traffic lights to execute the attack.
The Dutch Ministry of Infrastructure and Water Management has acknowledged the severity of the issue. The only effective solution is a complete replacement of the vulnerable traffic lights with modern systems. However, this process will take several years, with completion expected no earlier than 2030.
Nonetheless, a plan is already in place. The new technology, which currently appears to be the best alternative, is called Talking Traffic. It will operate via mobile internet connection rather than radio signals. Yet, Peppels warns that a centralized system could introduce new risks, potentially allowing attackers to control traffic across an entire province.
Moreover, this vulnerability could be exploited not only to create chaos at intersections but also for more serious criminal purposes. The National Cyber Security Centre (NCSC) of the Netherlands stresses that hacking traffic lights is a criminal offense that could endanger the lives of hundreds, if not thousands, of people.
Indeed, the enthusiast’s discovery raises broader questions about the protection of critical infrastructure in the digital age. As Maasland notes, many systems were designed in an era when the digital world was less hostile, and now these vulnerabilities are surfacing in a time of geopolitical tension.
