Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
in the morning In the nighttime hours of last April, someone stopped at nearly 20 intersections across Silicon Valley and launched an unprecedented cyberattack that would eventually spread to multiple states, embarrassing local officials and causing them to question their security practices. Authorities suspect that the unknown perpetrator took advantage of the vulnerable and publicly available default Passwords To wirelessly upload personalized recordings that are played when a pedestrian presses the crosswalk button.
Instead of the usual recordings telling people to either wait or cross the street, passersby heard imitation voices of billionaire tech CEOs. Mark Zuckerberg is fake He said At a Menlo Park intersection, people won’t be able to prevent artificial intelligence from “forcibly” inserting itself into every aspect of your conscious experience. And in another it is celebrate “Undermining democracy.” At a different intersection, a changed Elon Musk appears described President Donald Trump described him as “actually kind and caring and loving,” while his fake voice on a nearby street complained about being “so lonely.”
Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver scrambled to respond to pedestrian button tampering. The communications, along with interviews with security experts and former employees of the button manufacturer, highlight how governments and the company have ignored vulnerabilities in the widespread technology.
In Redwood City, then-city manager Melissa Diaz questioned staff about who should be blamed for the accident. “We need to understand who should be responsible for the security of these systems and what we can do to hold employees or the external responsible party accountable,” she wrote in an email to colleagues in the days after the hack.
Nick Matthewdis, Redwood City’s current manager, tells WIRED that staff is addressing the issue based on “lessons learned and evolving best practices,” but he declines to share details to avoid encouraging more breakouts.
Edward Fauke, a veteran cybersecurity official at the Federal Highway Administration who briefly investigated the hacking before retiring DOGE also swept the governmentHe says cities need to do a better job of ensuring that Cybersecurity provisions They are concluded in contracts with suppliers and installers of technology, especially artificial intelligence tools and Powerful sensors Increasingly Built-in In transportation infrastructure.
For example, Redwood City contractually required its button installation and maintenance vendor to “use reasonable care and best judgment” at the time of the breach, but did not specify anything about passwords or digital security.
In an unsigned statement to WIRED, the Highway Administration said it had previously issued a technical advisory outlining “security measures to ensure that ideological idiots do not put the safety of Americans at risk when using our crosswalks.”
Police investigation into hacked buttons in Silicon Valley has gone cold. Authorities couldn’t figure out who was behind the scheme because the buttons don’t track who is uploading the audio, and surveillance footage from the area wasn’t helpful, according to Redwood City Police Lieutenant Jeff Clements.
General warning
Polara Enterprises, based in Greenville, Texas, has been a leading supplier of crosswalk push buttons for decades. Some have the ability to upload personalized audio clips via Bluetooth to cities to give pedestrians, including those who are blind or visually impaired, additional cues such as which street and direction they are crossing.
Official online Brochures and videos Targeting thousands of technicians who maintain buttons across the country, it describes how Bluetooth-enabled Polara models ship with a default password of “1234” and can be configured through a publicly available button. program. About eight months before last year’s button hacking spree, a physical security vlogger known as Deviant Ollam posted a video on YouTube Pointing out How easy it would be to manipulate the buttons. “I don’t encourage anyone to try completely guessable passwords and upload their own content, because that would be bad, remember. It might be a crime or something. Talk to your lawyer,” he said in the video.