Unauthorized MIRT use is now a federal crime

The Safe Intersections Act bans unauthorized use of mobile infrared transmitters (MIRTs)--gizmos that let police and firefighters override traffic signal timing.
Lawmakers took an interest in the devices, called mobile infrared transmitters, or MIRTs, a couple of years ago, when it emerged that impatient commuters could purchase rogue boxes online for around $500. Several states outlawed unauthorized possession of the transmitters, and Sen. Mike DeWine (R-Ohio) introduced the federal bill in 2003. The measure won support from police and firefighter groups.

"When you first look at it, you think, 'It's not such a big deal,'" says DeWine spokesman Jeff Sadosky. "But when you realize the possible implications, somebody using one of these to go 80 miles an hour through rapidly changing lights, you realize it could be life-threatening."

Selling a device to an unauthorized user can land the vendor up to a year in prison; using an MIRT without authorization will carry a penalty of up to six months.

"We agree with the provision," says Gerald Donaldson, senior research director with Advocates for Highway and Auto Safety. "We see how (MIRTs) can be used by people who pose a security threat to American institutions and people."

If it's such a big threat, you might ask why the manufacturers of traffic signals didn't make them with better security features [*]. Had they done so, it would have been effectively impossible to make a private MIRT and this entire law would have been unnecessary. Indeed, the article goes on to say that 3M's newer pre-emption systems have just such a security feature.

This kind of thing drives security people nuts. You install some system that has clear vulnerabilities that are attractive to attack, easily exploited and easily repaired (cf. analog cell phone cloning). Then, when the market in attacking your system predictably appears, you act surprised and scramble to make the attack illegal. Note that I'm not saying that unauthorized traffic pre-emption shouldn't be illegal--merely that we should never have been in a situation where it was an issue.


5 Comments

Building a secure system would have cost the manufacturer money; passing and enforcing a law costs the public money. So the manufacturer had an incentive to do exactly what it did: sell a weak system and let the public clean up the ensuing mess.

Of course, the public could have asked for better security when it bought the systems in the first place; but few localities have the expertise to tell good security from bad.

Okay, I guess you guys are just way better security system designers than I am. I've been trying to think up a way to design "better security" for this system, and I'm stuck. The requirements, as I understand it, are:


  • It absolutely mustn't increase the failure rate of legitimate attempts to use it (which, after all, could be a matter of life and death);

  • It mustn't substantially increase the cost per unit of the many thousands of devices deployed throughout the city, either at the traffic light end, or the emergency responder end;

  • It mustn't require building and maintaining an enormously costly new highly reliable security management infrastructure for either set of devices; and

  • It must resist cloning attacks on emergency responder devices, more cheaply and effectively than simply spotting and arresting people using cloned devices to change traffic lights.



Maybe I'm missing something, and it's really easy. But it seems to me that if you've got a solution that really works and really meets these criteria, you might be able to interest the RIAA and MPAA in it....

It generally helps to start with more reasonable requirements.

1. Who says it can't increase the failure rate of legitimate attempts? If the failure rate is already 5%, increasing it to 6% doesn't sound that bad. Remember, the whole premise here is that people being able to forge these communications is also bad.

2. Who says it has to resist cloning attacks? At the moment, a single transmitter is going to work for *any* system by a given manufacturer. Requiring people to actually capture transmissions and clone them makes the problem much harder.

So, with these facts in mind, I would argue that even a simple per-municipality secret that's transmitted in the clear over the air would be superior to the current system. If you want to get real fancy, have it be some sort of PRNG that changes daily (with some allowance for clock skew). If the secret is ever compromised you simply rekey. For extra credit, you can have an automatic rekeying system for the traffic signals.

Note that this problem is vastly easier than the DRM problem because the people in possession of the authorized transponders aren't the enemy.

One of the more obvious things they could have done is to start with a global (per-manufacturer) key, and then allow overriding with some local keys. Have the transmitter send a key ID and a MAC including an approximate timestamp (say, down to five minute blocks), and have the receiver check the timestamps before and after their current one. If we assume a key ID of 32 bits and a MAC of 32 bits, we need 64 bits, which doesn't seem like a big problem. We can probably shorten both fields, since the attacker really needs to be able to pretty consistently change lights if he wants to sell a product to people. Giving me a 1% chance of switching my light from red to green isn't likely to be a big win. The transmitter can just keep sending the current "let me through" signal once a second, updating the timestamp whenever it needs to.

By starting with a default key, you give everyone some level of resistance to spoofing, while allowing better resistance over time. (Ideally, you'd allow public key or scheduled local rekeys, but that gets more complicated.)

I don't see what's hard about this. These guys could have done decent security, but they didn't know they needed to, or they didn't care enough to spend the money. Similar statements apply to garage door openers, cordless phones, and all kinds of other stuff.

--John
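
The key ID plus time-stamped MAC scheme described in the comment above, sketched as an added example; it is not code from the post, the commenters or any vendor's product. It assumes HMAC-SHA-256 truncated to 32 bits as the MAC, and the keys, key IDs and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

BLOCK_SECONDS = 300               # five-minute timestamp blocks
FRAME = struct.Struct(">I4s")     # 32-bit key ID + 32-bit MAC = 64 bits on the air

# Constructed sample keys (assumptions): a per-manufacturer default and a
# local key that a municipality installs to override it.
DEFAULT_KEY_ID, DEFAULT_KEY = 0, b"manufacturer-default-key"
LOCAL_KEY_ID, LOCAL_KEY = 0x0000C17E, b"example-city-local-key"
# A receiver that has been rekeyed locally no longer lists the default key.
RECEIVER_KEYS = {LOCAL_KEY_ID: LOCAL_KEY}


def _mac(key: bytes, key_id: int, block: int) -> bytes:
    """MAC over key ID and time block; HMAC-SHA-256 cut to 32 bits (assumed)."""
    msg = struct.pack(">IQ", key_id, block)
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def make_frame(key_id: int, key: bytes, now: float) -> bytes:
    """Transmitter side: build the 8-byte frame for the current time block."""
    return FRAME.pack(key_id, _mac(key, key_id, int(now) // BLOCK_SECONDS))


def verify_frame(frame: bytes, keys: dict, now: float) -> bool:
    """Receiver side: accept a MAC for the previous, current or next block."""
    if len(frame) != FRAME.size:
        return False
    key_id, tag = FRAME.unpack(frame)
    key = keys.get(key_id)
    if key is None:               # unknown or revoked key ID
        return False
    current = int(now) // BLOCK_SECONDS
    ok = False
    for block in (current - 1, current, current + 1):
        # constant-time compare; check every candidate rather than exit early
        ok |= hmac.compare_digest(tag, _mac(key, key_id, block))
    return ok


if __name__ == "__main__":
    t = 1_700_000_000             # constructed transmit time
    frame = make_frame(LOCAL_KEY_ID, LOCAL_KEY, t)
    print(frame.hex(), verify_frame(frame, RECEIVER_KEYS, t + 240))
    print(verify_frame(frame, RECEIVER_KEYS, t + 900))   # outside the window
```

A frame stays valid until its block leaves the receiver's three-block window, so the scheme does not stop capture-and-replay within that window; what it removes is the generic transmitter that works against every installation without the local key.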

I think the problem is much closer to the DRM problem than to the problem of cordless phone or garage door security. The latter case involves managing keys for at most a half-dozen devices. The traffic light system, on the other hand, is a lot like satellite broadcast systems--you want to be able to distribute to a very large population of mostly-but-not-100-percent-honest people the capability to authenticate themselves very cheaply and reliably as legitimate users of a similarly cheap, reliable system, while preventing a few bad guys with enormous financial incentives from being able to clone and redistribute exactly the same capability. That just seems to me to be a very, very hard problem.

And in some ways, the traffic light problem is even harder. For example, traffic lights, unlike satellite broadcast "head-ends", are themselves distributed authenticators. And both they and their authenticating client devices have to be quite cheap, since their cost can't be folded into a monthly user fee. That means they'll almost certainly be less reliably online than the endpoints of satellite television systems. Revocation with rapid online update is therefore unlikely to be a feasible strategy.

If I wanted to market cloned devices, I'd probably follow the lead of the satellite piracy pioneers, with a few modern updates. I'd make the devices reprogrammable via the customer's PC. That way, I could distribute updates to customers--say, via email--in response to changes in keys and devices (thus assuring myself a recurring revenue stream). Getting many thousands of emergency response personnel in a city to update their devices more than once in a long while will be very difficult--and that means that my updates won't need to be very frequent, either, absent an expensive per-device revocation system regularly updating every traffic light.

Of course, satellite broadcasters went in for elaborate, fairly expensive anti-piracy measures anyway. But then, they stood to get the money back by increasing their subscription base. Moreover, they had no choice--fighting piracy any other way was extremely difficult, because satellite piracy is something that's done in the privacy of one's home. Changing traffic lights, on the other hand, is a conspicuous, public action, and it seems likely to me that vigorous enforcement of the legal prohibition stands a much better chance of effecting deterrence than in the case of satellite piracy.
