The audio enhancement feature at public crosswalks is normally meant to assist the visually impaired by providing notifications to alert pedestrians when the walk light is activated.
But at several intersections around Seattle on Wednesday, people were greeted with a voice sounding like Jeff Bezos.
“This crosswalk is sponsored by Amazon Prime, with an important message — please, don’t tax the rich, otherwise all the other billionaires will move to Florida, too,” the voice said.
This comes on the heels of reports out of the Bay Area of similar occurrences with voices sounding like Meta CEO Mark Zuckerberg and Tesla CEO Elon Musk delivering equally implausible messages.
There are two hacks going on here. One is the use of AI to create spoofed audio of well-known figures to deliver messages they wouldn’t deliver themselves. The other hack is getting the crosswalk buttons to play that spoofed audio.
There is a lot of concern and discussion around AI-generated spoofs these days: that aspect of this hack isn’t all that surprising. The idea that the spoofed people are actually delivering these messages is outlandish enough that almost no one would think the messages are legitimate.
Taken together, these points make this hack more mischievous than malicious, more nuisance than threat.
But how did the people behind these hacks get that audio onto the crosswalk buttons? That is something relatively new and different, and it can understandably cause concern.
Since crosswalks are part of the traffic safety infrastructure and we’ve had years of concerns around attacks against critical infrastructure, it’s reasonable for people to be worried that this hack is much more serious and is (or could be) malicious and a threat.
A YouTube video showing how to carry out this kind of a hack makes clear that a very familiar problem can enable this: leaving well-known default credentials unchanged on the crosswalk button device. In fact, as that video notes, you can easily download an app and connect to a crosswalk button device to change the audio if you know the credentials for that device.
It’s not entirely clear how the hack in Seattle, or the Bay Area, was carried out. But let’s assume it was some form of what’s shown in that video.
This tells us a few important things. First, that there is no widespread hack of the “crosswalk button system” or the “traffic safety infrastructure system.” Instead, this is a series of hacks against crosswalk button devices happening one at a time.
Second, it tells us that attackers aren’t compromising anything other than the audio on these devices. This isn’t a sophisticated attack like the SolarWinds attacks or ransomware attacks: attackers aren’t going to pivot off these compromised devices to carry out other, more damaging attacks. The compromise starts and ends with the audio message only.
Finally, because this attack is essentially nothing more than replacing one message with another message, the recovery is simple (though a hassle): send a technician out to replace the hacked message with an official message.
The underlying problem is a familiar one. In fact, it’s the same problem I wrote about in 2019 that was behind a series of hacks against Amazon Ring devices: insecure default credentials.
And it turns out that poor default credentials were the cause of another spate of attacks against traffic safety systems back at the start of the last decade. Back then we saw a series of hacks altering road construction message signs to “warn” people about zombie attacks.
So why are we seeing these all happening now? Does this mean there’s a coordinated campaign?
No, not really. It means that there’s a “bandwagon” effect: people see this happening, think it’s neat and decide to follow suit. Sorry, Seattle: it means the Bay Area was first this time.
Hacks have their own fads and trends, and this is another trendy hack just like those traffic sign hacks that came and went.
Another reason this will fade is that the defenders (i.e., traffic departments) now realize that attackers know about this weakness, and they will move to address it. Presumably, traffic departments will send crews out to fix altered devices and change the passwords as they do so. You can also bet that traffic departments will be working to change default credentials on devices that aren’t affected yet. And municipalities that haven’t seen this activity will be proactively checking and making changes.
That’s not to say this hack is entirely harmless: it does represent some danger by altering the audio message for crosswalk buttons. This can impact those who rely on those messages. But the message is clearly altered in a way that most people will understand it’s not working correctly. So overall, the crosswalk button audio hack also generally falls more into the “mischievous nuisance” than “malicious threat” category.
If you’re in security long enough, you see events like this come and go over the years. They always follow a certain predictable trajectory. You can expect a few more days and weeks of these hacks and then this will be mostly gone.
But it does serve one good purpose: it highlights a weakness that could have been used in a much more malicious way in the hands of others. By highlighting the risks of default credentials in crosswalk buttons in this way, it may help prevent greater harm in the future.