Redwood City and the California Department of Transportation say they’ve fixed the security flaw that allowed hackers to tamper with crosswalk accessibility buttons earlier this year.
The issue began on April 12 when pedestrians in Menlo Park, Redwood City and Palo Alto heard distorted messages voiced to sound like Elon Musk and Mark Zuckerberg instead of standard crossing instructions.
The compromised buttons in Menlo Park were the only buttons operated by Caltrans. All three jurisdictions disabled the systems in response. Caltrans and Redwood City assured residents that the issue has been resolved and new protocols are in place. Palo Alto declined to comment or to provide the cause of, or solution to, the issue.
“All known changes to the crosswalk messaging have since been reverted and the systems have been restored to normal operation. Additionally, we have enhanced our internal procedures to help prevent future tampering,” said Redwood City Deputy City Manager Jennifer Yamaguma.
Yamaguma claimed the issue was caused by users gaining access to the manufacturer’s app, Polara Field Service, created by Polara Enterprises, one of the largest manufacturers of accessible crosswalk infrastructure.
For years, Polara has had a publicly accessible app on the Google Play Store and the Apple App Store that allowed city officials to access Polara systems. Within 48 hours of the incident being reported in Silicon Valley, the app was pulled from the stores.
Theoretically, access to the crosswalk buttons requires a four-digit numeric code created by the city. However, many online commenters have pointed out that some cities never change the default password: 1234. Polara later republished the app with additional password security requirements. While a four-digit password allows for 10,000 possible combinations, some cybersecurity experts say it can be cracked instantly.
Polara has since added a lockout feature that limits users to two password attempts and gave cities the ability to disable connectivity altogether.
Neither Caltrans nor Redwood City would say how the hack occurred. In a statement to another news organization, Polara said it does not believe its systems were compromised and that the individuals used “valid credentials,” which could include the default password. Polara did not respond to multiple requests for comment.
“We want to reassure the public that the upgrades have been completed and the additional protections that we implemented should prevent anything similar from happening again,” Caltrans Public Information Officer Jeneane Crawford said in response to questions about the password.
“All Caltrans’ pedestrian push buttons that were compromised in April have been fixed and are fully operational. The supplier upgraded its software, and Caltrans has implemented the upgrades across all its crosswalk infrastructure,” Crawford added.
She declined to say what caused the incident or what improvements have been made.
This is not the first time Caltrans equipment has been compromised. For years, individuals have accessed portable messaging signs due to a lack of robust security procedures. Caltrans issued a directive in 2020 advising engineers of security features.
Other traffic infrastructure companies said cities often forget to change default passwords.
A few days following the incident in Silicon Valley, a similar incident occurred in Seattle, focusing on Amazon founder Jeff Bezos.




