Security Review: Automated Traffic Enforcement

By alexmeng at 11:35 pm on February 5, 2009 | 2 Comments

Summary:

This security review was motivated by a family member of mine receiving a ticket from this technology: automated traffic enforcement. This is a fairly new system that cities are using to enforce traffic laws. These systems detect when drivers run red lights or speed in certain zones. Their purpose is to reduce traffic infractions in an area and improve overall traffic safety. The Stop Red Light Running systems work by taking two photos, a front and a back picture, of the vehicle running the red light. The sensors are synchronized with the traffic lights and are able to detect vehicles driving through intersections on red lights. The sensors trigger the cameras, which record the day, time and place of the violation. The speeding systems use photo radar, which measures the speed of the vehicle, and snap two pictures, of the front and back of the vehicle. Once a vehicle is detected committing a violation, the record is sent to traffic enforcement and the traffic infringement notice is mailed to the owner of the vehicle. Traffic enforcement assumes that delivery of the letter is reliable: if payment is not submitted within the time frame, the vehicle owner receives a late notice and the ticket fee increases. Unfortunately, this is what happened to my family member.
Although I agree that this is a step in the right direction for improving traffic safety, one question that comes to mind is how accurate the infractions are. In the case of a vehicle running a red light, the violation is apparent if the car is in the middle of the intersection and the light is red. But for a speeding infraction, how accurate is the system in correctly identifying infractions; that is, does it generate false positives? Also, is it possible for someone to access the traffic enforcement network and speeding systems to generate false speeding infractions?

Assets & Security Goals

  • Drivers’ info: we do not want the driver’s information stored in the DMV to be read by parties other than the person who made the infraction. If this is not secure, privacy can become an issue.
  • Tickets: we do not want the system to distribute false tickets based on false information. If the tickets are not accurate, the system may be regarded as unusable.
  • Streets: we want drivers to abide by traffic laws in all areas so that they do not endanger the safety of other drivers and pedestrians. We want to ensure traffic safety overall.

Potential Adversaries & Threats

  • Malicious users – A user can obtain unauthorized access to the system and begin printing out false tickets, causing information from the DMV to be sent out to the vehicle’s owner, and then intercept that parcel to read information about the vehicle’s owner.
  • Unauthorized car users – A person who has unauthorized access to another person’s car can force tickets upon the vehicle’s owner by breaking the law at known automatic traffic enforcement sites. This is because the system has no form of driver verification; it uses only the infraction and the vehicle, not the driver.

Potential Weaknesses

  • Weak passwords or misconfiguration of the automatic traffic enforcement system may exist, such that malicious users who learn of them are able to gain unauthorized access.
  • Eavesdroppers can intercept the ticket notification in the mail to read sensitive information in the parcel.
  • A hijacker/malicious driver can obtain unauthorized access to a car and perform these infractions. However, the system will always send tickets to the vehicle owner’s address. Therefore, a malicious user can “rack up” many tickets for a vehicle’s owner despite the vehicle’s owner not performing the infraction.

Potential Defenses

  • Strengthen aspects of the system to prevent unauthorized access to the ticketing system.
  • Determine a new method to notify a vehicle owner of the infraction they have made.
  • Redesign the system to include verification of the driver performing the infraction, so that it does not default to the vehicle owner.

Conclusions
Despite some of this system’s weaknesses, there has been a noticeable improvement in traffic infractions and traffic collisions due to running red lights and speeding. It was stated that in New York City, crashes caused by running red lights were reduced by 70%. As a result, traffic safety improved. Before this system was created, traffic infractions were cited only if an officer on duty was able to spot them, either by sight in the case of someone running a red light or with a radar gun. The new system allows officers to improve their public safety coverage and focus on things other than traffic enforcement. Furthermore, the system acts as a deterrent, because drivers are well aware that if they do speed or run a red light they will be caught. Prior to the system, many people were aware of the laws and of the consequences but weighed them against the likelihood of being caught in the act. Most of the time, drivers believe they won’t be caught because they bank on the fact that cops are not at specific areas 24 hours a day, 7 days a week. The automatic system provides this 24/7 coverage. The next steps for this system would be reducing false positives and ensuring delivery of tickets, because delivery is never guaranteed to be reliable.

Filed under: Security Reviews

2 Comments

  • 1

    Pingback by UW Computer Security Research and Course Blog » Current Event: Rigged Red Lights

    February 6, 2009 @ 1:05 am

    […] means that, since they use cameras to automatically give tickets to people running red lights (see security review of automated traffic cameras for a different look at that aspect of it), they can make money off residents who are given […]

  • 2

    Comment by Evil Rocks

    February 6, 2009 @ 11:29 pm

    I kicked an idea for a protocol-oriented traffic control system around last week and it pretty much boiled down to this: the best system that I could design in the fifteen minutes that I spent doodling on the topic was completely agent-centered. I came to this conclusion because I don’t think centralized traffic control will ever work.

    Anyways the crux of the system I came up with revolved around a dash-mounted HUD that displayed a little relational map of [driver’s car] and [surrounding cars] and displayed warnings whenever the driver attempted to move into an occupied space or if surrounding drivers’ speeds changed so as to threaten the principal driver.

    I eventually came to the conclusion that you could make a few million making and selling displays that show the driver’s car in relationship to surrounding cars that has the alert system mentioned above. Of course, actually making money off the damn thing would entail lots and lots of attention testing to make sure the product didn’t *cause* more accidents than it prevented.
