The Dumbest Hack of the Year Exposed a Very Real Problem

In the wee hours of the night last April, someone stopped at about 20 street intersections across Silicon Valley and launched an unprecedented cyberattack that would eventually spread to multiple states, embarrassing local officials and prompting them to question their security practices. Authorities suspect the unknown culprit took advantage of weak and publicly available default passwords to wirelessly upload custom recordings that played whenever a pedestrian pressed a crosswalk button.

Instead of the normal recordings telling people to either wait or cross the street, pedestrians heard the spoofed voices of billionaire tech CEOs. A fake Mark Zuckerberg said at one Menlo Park intersection that people would not be able to stop AI from “forcefully” being inserted “into every facet of your conscious experience.” At another, he celebrated “undermining democracy.” At a different intersection, an altered Elon Musk described President Donald Trump as “actually really sweet and tender and loving,” while on a nearby street his faked voice whined about being “so alone.”

Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver scrambled to respond to the crosswalk button tampering. The communications, along with interviews with security experts and former employees of the button manufacturer, detail how governments and the company had overlooked vulnerabilities in a widespread technology.

In Redwood City, then-city manager Melissa Diaz quizzed staff about who should be blamed for the incident. “We need to understand who should be accountable for the security of these systems and what we can do to hold either staff or the external responsible party accountable,” she wrote in an email to colleagues in the days after the hack.

Nick Mathiowdis, Redwood City’s current manager, tells WIRED that staff have been addressing the issue based on “lessons learned and evolving best practices,” but declines to share details to avoid encouraging further hacks.

Edward Fok, a veteran Federal Highway Administration cybersecurity official who briefly investigated the hacking before retiring as DOGE swept through the government, says cities need to do a better job ensuring that cybersecurity clauses are baked into contracts with suppliers and installers of technology, particularly as AI tools and powerful sensors are increasingly integrated into transportation infrastructure.

Redwood City, for example, had contractually required its button installation and maintenance vendor to “use reasonable diligence and best judgment” at the time of the hack but had not specified anything about passwords or digital security.

In an unsigned statement to WIRED, the highway administration said that it previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans' safety when using our crosswalks.”

The police investigation into the hacked buttons in Silicon Valley has run cold. Authorities couldn’t figure out who was behind the scheme because the buttons don’t track who uploads audio, and surveillance footage from the area wasn’t helpful, according to Redwood City police lieutenant Jeff Clements.

Public Warning

Greenville, Texas-based Polara Enterprises has been a leading supplier of crosswalk push buttons for decades. Some have the ability for cities to upload custom audio clips via Bluetooth to give pedestrians, including those who are blind or visually impaired, extra cues like the street and direction they are crossing.

Official online manuals and videos aimed at the thousands of technicians maintaining the buttons across the country describe how Bluetooth-enabled Polara models ship with a default password of “1234” and are configurable through a publicly available app. About eight months before last year’s button hacking spree, a physical security vlogger who goes by the name Deviant Ollam posted a YouTube video pointing out how easy it would be to tamper with the buttons. “I'm not encouraging anyone to try wholly guessable passwords and upload their own content because, remember, that would be bad. That would probably be a crime or something. Talk to your lawyers,” he said in the video.
