In the field of hardware hacking, I’ve earned recognition for cracking open some really cool physical devices. I’m talking cars, phones, slot machines, you name it. If it has a circuit board, count me in. While I’m known for vehicle hacking—and exposing vulnerabilities that might surprise drivers—my expertise spans all hardware systems. Although I initially started with cars and malware analysis, I’ve evolved into a hardware hacking generalist. I don’t discriminate on what I’ll tear apart, and that’s what makes me particularly skilled at even the oddest, seemingly most un-hackable projects. Lately, water treatment facilities have captivated me, as their outdated technologies and alarming deficiencies can potentially affect millions.

It’s hard to watch the daily spectacle here unfold: bridges crumbling, power grids struggling, schools falling apart and closing. Hackers and attackers can easily expose how fragile the facade of security truly is. A laptop and a motive are all it has ever taken, and we all hope they never land in the wrong hands.

Outside of hacking, skateboarding gives me the same rush as breaking systems. I also play in a punk band, bumpin’ that anti-establishment energy that drives my work: challenge any assumptions, push boundaries, and question systems. Read more about me in my Spotlight.

What happened

I want to dissect the brilliant Bay Area crosswalk hack where pedestrians now receive “messages” from Mark Zuckerberg and Elon Musk. This clever act of electronic disobedience has media outlets buzzing, but nobody’s explaining the technical how-to. This is where I can offer at least some insight.

The modified crosswalk buttons perfectly embody the creative disruption I respect—turning everyday infrastructure into hilarious commentary on tech billionaires. I’ve analyzed the hardware that made this possible. I’ll admit, I initially thought I had it figured out, but after digging some more, I was a bit surprised by the path the hackers took. Read on for my theories on how the hackers pulled this off, and check out the media coverage here.

The device in question

I don’t have physical access to one of these devices. They’re hard to get a hold of (I tried). Without the device, I can only theorize what the hackers did and can’t truly test it using reverse engineering. Be that as it may, after a bit of research, I found a number of different crosswalk devices. The San Francisco area most likely uses the Polara iNavigator painted green. It is also referred to as the Polara iDS/iNS crosswalk system.

Look familiar? 

If you’re interested, there are a few interesting public documents on these devices. You can find them on the manufacturers’ websites here, here and here.

The hack

Given my extensive history of breaking things and my sheer glee at causing some silly electronic disobedience, I jumped into this case. Initially, I suspected the hackers may have purchased a few crosswalk devices on eBay and done a bit of classic hardware hacking before redistributing their purchased and now-hacked devices to their target locations. They likely chose highly populated areas they could sneak into easily. 

It seemed like an open-and-shut case. However, I couldn’t find any way to purchase one of these, and without stealing a unit I was at a loss. This threw a wrench in my initial theories, so I started to wonder if this hack could’ve been done remotely. After reading the documentation listed above, I noticed an Android application. I was really skeptical that a simple app could provide access and achieve this hack. There was only one way to find out: testing. I downloaded the Android Package Kit (APK), which is conveniently not available on the Play Store anymore, but I was able to find it through a couple of sketchy sites (don’t do this at home, kids). After taking a peek at some of the code, I hit the jackpot. I quickly found a few references to Bluetooth Low Energy (BLE) connectivity and, more importantly, firmware endpoints. This means that these devices can be reached remotely.
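
What that review step looks like in code, as an added example that is not from the original post and not the device vendor’s software: a small triage pass that a vendor’s or a city’s security team could run over a companion app’s decompiled sources or resource strings before deploying it. It lists the BLE service and characteristic UUIDs and the URLs the app references, and flags the endpoints that look like an update channel, especially any firmware fetched over plaintext HTTP. The sample source, the UUIDs and the example.com URLs are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Findings is what a reviewer wants from a vendor's companion app: the radio
// interfaces and update endpoints it references, and which of those look risky.
type Findings struct {
	BLEUUIDs      []string // 128-bit UUIDs, typically GATT services or characteristics
	URLs          []string
	FirmwareURLs  []string // endpoints whose address mentions firmware or updates
	PlaintextURLs []string // http:// endpoints, where an update could be altered in transit
}

var (
	uuidRe = regexp.MustCompile(`(?i)\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b`)
	urlRe  = regexp.MustCompile(`https?://[^\s"'<>)]+`)
	fwRe   = regexp.MustCompile(`(?i)firmware|\.pfw\b|/fw/|update`) // coarse keyword match
)

// uniq de-duplicates and sorts so the report is stable from run to run.
func uniq(in []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// Triage scans text (decompiled sources, resources, or `strings` output) and groups what it finds.
func Triage(src string) Findings {
	var f Findings
	for _, u := range uuidRe.FindAllString(src, -1) {
		f.BLEUUIDs = append(f.BLEUUIDs, strings.ToLower(u))
	}
	for _, u := range urlRe.FindAllString(src, -1) {
		f.URLs = append(f.URLs, u)
		if fwRe.MatchString(u) {
			f.FirmwareURLs = append(f.FirmwareURLs, u)
		}
		if strings.HasPrefix(u, "http://") {
			f.PlaintextURLs = append(f.PlaintextURLs, u)
		}
	}
	f.BLEUUIDs, f.URLs = uniq(f.BLEUUIDs), uniq(f.URLs)
	f.FirmwareURLs, f.PlaintextURLs = uniq(f.FirmwareURLs), uniq(f.PlaintextURLs)
	return f
}

// sampleSource is a constructed excerpt in the style of decompiled Android code; it is not the vendor's app.
const sampleSource = `
private static final UUID UPDATE_SERVICE = UUID.fromString("12345678-1234-5678-1234-56789ABCDEF0");
private static final UUID UPDATE_CONTROL = UUID.fromString("12345678-1234-5678-1234-56789abcdef1");
gatt.getService(UUID.fromString("12345678-1234-5678-1234-56789abcdef0"));
String LOGIN_URL = "https://api.example.com/v1/login";
String FW_URL = "http://cdn.example.com/fw/crosswalk_v2.pfw";
String MANIFEST_URL = "https://cdn.example.com/firmware/manifest.json";
`

func main() {
	f := Triage(sampleSource)
	fmt.Println("BLE UUIDs referenced:", f.BLEUUIDs)
	fmt.Println("firmware/update endpoints:", f.FirmwareURLs)
	fmt.Println("fetched over plaintext HTTP:", f.PlaintextURLs)
}
```

The value of the report is the question it forces before deployment: if the app can pull a firmware image from a download endpoint and talk to an update service over BLE, what authenticates the device end of that channel? A plaintext update URL is worth flagging on its own, since an image fetched that way can be altered in transit before it is ever pushed to a device.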

Disclaimer: At this point in the article, I should probably state that disclosure is important and absolutely required—not only by your friends and family but certainly by any lawyer. While we’re on the topic, always consult a lawyer before reporting any vulnerability to a vendor that has no safe harbor or VDP page with clear guidelines.

Now that I knew remote access was a possibility, my next step was to download the firmware from an endpoint listed in the APK. It didn’t take long before I found a way to transfer firmware from the endpoint referenced in the app; it was simply a PFW file that can be unzipped and easily reverse engineered in Ghidra (a software reverse engineering framework). After a bit of reversing I knew the crosswalk devices use a Nordic nRF5 SDK 15.x BLE stack, and I could see many references to firmware transfer, authentication, and everything else I would need to exploit this device remotely. As I combed through the information available to me, I became certain that it’s possible to transfer these files over BLE. Therefore, this is most likely how the hackers did it.
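
As an added example (not code from this post, and not the vendor’s format), here is the check that turns an unzip-and-edit firmware package into a dead end even for someone who can reach the device over BLE: a package whose manifest is signed with the vendor’s Ed25519 key, and a device-side verifier that refuses anything unsigned, signed with the wrong key, modified after signing, or carrying files the manifest does not cover. The zip-with-manifest layout, the entry names manifest.json and manifest.sig, and the payload contents are assumptions for the example; the real PFW structure is not known to me.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
)

// Manifest maps each payload file to its hex SHA-256 (a constructed layout, not the vendor's PFW format).
type Manifest struct {
	Files map[string]string `json:"files"`
}

// readZip loads every entry of an in-memory zip into a map.
func readZip(pkg []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		out[f.Name], err = io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

// writeZip packs a map of entries into a zip held in memory.
func writeZip(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range entries {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	zw.Close()
	return buf.Bytes()
}

// BuildPackage is the vendor side: hash each payload into the manifest, then sign the manifest bytes.
func BuildPackage(priv ed25519.PrivateKey, files map[string][]byte) []byte {
	m := Manifest{Files: map[string]string{}}
	entries := map[string][]byte{}
	for name, data := range files {
		m.Files[name] = fmt.Sprintf("%x", sha256.Sum256(data))
		entries[name] = data
	}
	manifestBytes, _ := json.Marshal(m)
	entries["manifest.json"] = manifestBytes
	entries["manifest.sig"] = ed25519.Sign(priv, manifestBytes)
	return writeZip(entries)
}

// VerifyPackage is the device side: run it on an image received over BLE (or any other channel) before
// writing to flash. nil means the manifest is signed by the pinned vendor key and every payload matches it.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) error {
	entries, err := readZip(pkg)
	if err != nil {
		return err
	}
	manifestBytes, sig := entries["manifest.json"], entries["manifest.sig"]
	if !ed25519.Verify(pub, manifestBytes, sig) { // a missing entry is nil and fails here too
		return fmt.Errorf("signature missing or invalid: refuse firmware not signed by the pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(manifestBytes, &m); err != nil {
		return err
	}
	for name, want := range m.Files {
		data, ok := entries[name]
		if !ok || fmt.Sprintf("%x", sha256.Sum256(data)) != want {
			return fmt.Errorf("%s: missing or modified after signing", name)
		}
	}
	if len(entries) != len(m.Files)+2 { // every manifest file is present, so extras are unsigned content
		return fmt.Errorf("package contains files not covered by the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	pkg := BuildPackage(priv, map[string][]byte{"app.bin": []byte("constructed firmware image")})
	fmt.Println("genuine package:", VerifyPackage(pub, pkg))
	entries, _ := readZip(pkg)
	delete(entries, "manifest.sig") // the same package with its signature stripped
	fmt.Println("signature stripped:", VerifyPackage(pub, writeZip(entries)))
}
```

Run as-is, the genuine package verifies and the stripped copy is rejected. The design point is that `VerifyPackage` holds only a public key, so the device can check updates without ever holding material that could produce one; the vendor’s private key stays off the device. The same check belongs in whatever staging tool a city uses before pushing an image, because a firmware format with no signature check is what turns a reachable BLE interface into a reprogrammable one.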

Final thoughts

I’d like to believe that a vigilante hacker simply took one of these devices off a pole using classic tools and brute strength and then modified and swapped it out with a reprogrammed unit. I say this because I just really enjoy breaking physical hardware and getting my hands dirty. 

But after carefully reviewing the application, I identified several potential methods for gaining access to these devices remotely. This also explains why we are seeing more of these hacked devices pop up in different cities, like Seattle. (Seriously. As I write this, more are being discovered.) I am unable to truly test this specific crosswalk device because my state uses different crosswalk systems, so all of this is just conjecture based on being really smart and cool. I’d love for someone to follow up on my theories and see how accurate I was. 

I’ll leave you with one final note. If I were the hacker who hacked these (I’m not), I’d program it to say, “Electronic disobedience is the new control. Keep it silly. Keep it safe. Hack for good.”