In the early hours of April last year, a significant cybersecurity incident unfolded across Silicon Valley, impacting about 20 street intersections. This unprecedented attack was executed by an unidentified individual who exploited weak, publicly accessible default passwords to wirelessly upload altered audio recordings. These recordings played in response to pedestrians pressing crosswalk buttons, ultimately embarrassing local officials and raising questions about their security protocols.
Instead of the standard messages instructing pedestrians to wait or cross, individuals were met with spoofed voices mimicking prominent tech company executives. At one intersection in Menlo Park, an altered recording of Mark Zuckerberg claimed that people couldn’t prevent AI from being “forcefully” integrated into their daily lives. At another location, he provocatively remarked on “undermining democracy.” Similarly, an impersonated Elon Musk described former President Donald Trump in unexpected terms and lamented feelings of isolation.
Government communications obtained through public records requests reveal the frantic response by cities including Menlo Park, Redwood City, and Palo Alto, as well as later scrutiny by Seattle and Denver. These documents, along with interviews with cybersecurity experts and employees of the button manufacturer, underscore a troubling lack of preparedness in safeguarding these commonly utilized technologies.
In Redwood City, Melissa Diaz, the then-city manager, sought clarity on accountability, asking via email about the responsibility for the breach and possible repercussions for staff or external parties involved. Current city manager Nick Mathiowdis confirmed ongoing efforts to address the incident’s implications, emphasizing the incorporation of lessons learned and evolving best cybersecurity practices while intentionally withholding details to deter further attacks.
Edward Fok, a former Federal Highway Administration cybersecurity official, indicated that municipalities need to incorporate robust cybersecurity clauses into contracts with technology vendors, especially as advancements integrate AI and advanced sensors into roadway infrastructure. Redwood City’s contract with its button installation vendor required “reasonable diligence and best judgment,” but lacked explicit provisions regarding digital security, leaving significant vulnerabilities unaddressed.
An unbranded statement from the highway administration noted prior advisories aimed at safeguarding public safety from ideological threats related to infrastructure misuse. However, the investigation into the incidents has stalled, with authorities unable to pinpoint the perpetrator due to a lack of audio tracking capabilities and unhelpful surveillance footage near the crime scenes.
The devices are manufactured by Polara Enterprises, a leading provider of crosswalk push buttons, and allow customization of pedestrian audio cues through Bluetooth technology. With the default password set to “1234,” the configuration of these models can be accessed via a public application, which raises serious security concerns. Approximately eight months before this hacking spree, a security-focused content creator underscored the ease with which such vulnerabilities could be exploited, highlighting the pressing need for stricter security measures.
In summary, this incident raises critical issues that fall under the initial access and, potentially, privilege escalation tactics of the MITRE ATT&CK framework. It also emphasizes the necessity for rigorous cybersecurity measures in public infrastructure, as cities increasingly adopt advanced technology without sufficient safeguards.