[ISN] 2 deny hacking into L.A.'s traffic light system

From: InfoSec News (alerts@private)
Date: Tue Jan 09 2007 - 22:12:00 PST


By Sharon Bernstein and Andrew Blankstein
Times Staff Writers
January 9, 2007

Back in August, the union representing the city's traffic engineers 
vowed that on the day of their work action, "Los Angeles is not going to 
be a fun place to drive."

City officials took the threat seriously.

Fearful that the strikers could wreak havoc on the surface street 
system, they temporarily blocked all engineers from access to the 
computer that controls traffic signals.

But officials now allege that two engineers, Kartik Patel and Gabriel 
Murillo, figured out how to hack in anyway. With a few clicks on a 
laptop computer, the pair one a renowned traffic engineer profiled in 
the national media, the other a computer whiz who helped build the 
system allegedly tied up traffic at four intersections for several days.

Both men pleaded not guilty Monday morning to felony charges stemming 
from the case, and Murillo's lawyer said his client meant no harm when 
he signed on to the system that day.

But authorities say the pair picked their targets with care 
intersections they knew would cause significant backups because they 
were close to freeways and major destinations.

They didn't shut the lights off, city transportation sources said. 
Rather, the engineers allegedly programmed them so that red lights would 
be extremely long on the most congested approaches to the intersections, 
causing gridlock for several days starting Aug. 21, they said.

Cars backed up at Los Angeles International Airport, at a key 
intersection in Studio City, onto the clogged Glendale Freeway and 
throughout the streets of Little Tokyo and the L.A. Civic Center.

The engineers' arrests last Friday point up the vulnerability of L.A.'s 
complex traffic control system.

City leaders said Monday they also underscore the delicate balance that 
employers must strike in a highly technical environment in which workers 
must be trusted enough to have access to important systems.

Some officials Monday called for an immediate review of ways to tighten 
security of the computer system, which manages 3,200 of the city's 4,300 
traffic signals.

"The issue here was public safety," Councilwoman Wendy Greuel said. 
"What if there had been a major accident and we were not able to control 
the lights while the officers were on their way?"

Details of the case emerged Monday in interviews and court documents.

After access to the system was cut off for all but top managers, Murillo 
signed in as one of them, according to the criminal complaint. Murillo 
had helped design the nationally recognized system.

By signing in, the engineers allegedly obtained the codes needed to 
unblock the computers that control traffic lights throughout the city. 
Soon, the lights at those four intersections were reprogrammed with a 
code that prevented city officials from fixing them.

"The red signal would be on too long for the critical approach and the 
green signal would be on too long for the noncritical approach, thus 
resulting in long backups into the airport and other key intersections 
around the city," said one source in the traffic department, who spoke 
on condition of anonymity.

Murillo was charged with two felonies: one count of identity theft and 
one of unauthorized access to a city computer. Patel was charged with 
five felonies: one count of unauthorized access to a city computer and 
four of unauthorized disruption or denial of computer services.

Los Angeles County Superior Court Commissioner Catherine J. Pratt 
released the men on their own recognizance on the condition that they do 
not access city computers or set foot on Department of Transportation 
property without their attorneys.

If convicted on all charges, the pair could face several years in state 
prison, although authorities said that is unlikely because they have no 
criminal records.

Murillo's lawyer, James Blatt, said that his client was on paternity 
leave when the incident took place and did not receive an e-mail 
indicating that access to the traffic signal control center would be 
blocked during the strike.

He said Murillo didn't mean to do anything wrong.

"The issue in the case is Mr. Murillo's intent when he logged into the 
system," Blatt said. "Mr. Murillo has been an engineer there [at the 
Department of Transportation] for 17 years. He's highly regarded and 
respected by management and employees. It was not his intent to 
jeopardize the system or the citizens of Los Angeles."

Alan Eisner, who is representing Patel, said his client "unequivocally 
denies the charges against him and specifically denies illegally 
accessing or disrupting the [computerized traffic light] system. Mr. 
Patel has been an employee of the Department of Transportation for more 
than 12 years and has an outstanding work history. He and his family are 
traumatized by the allegations, and he looks forward to responding to 
the allegations in court."

After the arraignment Monday, city employees filled the hallway outside 
the courtroom, creating an impromptu receiving line as they filed past 
the defendants and their families. Officials from their union were not 
in court and did not return calls seeking comment.

In deciding how to handle security in the future, the city faces a 
difficult choice: set up systems that could impede the smooth 
functioning of its crucial traffic control efforts, or do nothing and 
risk another hacking incident.

Clifford Neuman, a computer security expert and the director of the USC 
Center for Computer Systems Security, said there are two primary ways to 
design computers to guard against malicious activity by insiders, but 
each can interfere with employees' ability to do their tasks and would 
probably be prohibitively expensive for the city.

Copyright 2007 Los Angeles Times

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Tue Jan 09 2007 - 22:25:06 PST