Hack the lights: The Italian Job in terms of cybersecurity

We trace how the perception of hackers has evolved based on the classic traffic-light-hacking scheme in three versions (British, American, Indian) of The Italian Job.

We trace how the perception of hackers has evolved based on the classic traffic-light-hacking scheme in three versions (British, American, Indian) of The Italian Job

Protagonists, or their opponents, taking control of a city’s transportation management system is standard movie fare. The characters’ aim is to create either a traffic jam for pursuers or a getaway route for themselves. Hackers, Live Free or Die Hard and Taxi are a tiny sample of the artistic incarnations of this hacking scheme. The once-original set-piece has long since turned into a Hollywood cliché.

The trope most likely began with the 1969 British film The Italian Job. Unsurprisingly for that era, it was the only cyber-related incident in the movie. But the traffic sabotage plot point spawned many imitations, including in two remakes of the original picture, one by Hollywood (The Italian Job, 2003) and one by Bollywood (Players, 2012).

In its various iterations, the traffic-light scene remains pivotal. Thus, by comparing the three versions, we can trace the evolution of moviemakers’ and moviegoers’ attitudes about critical infrastructure hacks.

The Italian Job (1969), the British way

The future-oriented Turin is depicted basically as a smart city of the time. In the movie, a supercomputer controls every traffic light from a single center, where data from traffic cameras is also collected. The mastermind behind the robbery, who dies early on, bequeaths to main character Charlie Croker a detailed plan for a daring heist, along with malware for the supercomputer and an unexplained gadget that can disable cameras.

The program’s origin is unknown; someone probably got hold of the original source code and modified it with chaos in mind. Of course, in 1969 not only was there no Internet, but even local area networks were not properly rolled out. The only way to install the malware onto the computer is to sneak into the building and manually swap the magnetic tape in the drive. That requires the services of Professor Peach, supposedly the top computer expert in the country.

To get into the traffic control center and change the program, the computer needs to be stopped. Croker takes on the mission, hurling his bicycle into a power substation and cutting off not only the traffic control center, but also most of the rest of the city (and plunging a lavish mafia feast into darkness).

Now Peach enters the game, removing the tape reel from the drive and loading another. With the power out, that’s really all that’s left to do, anyway. So, they got a computer expert just to perform the task of a lab assistant. In case you missed that absurdity, that tech genius is played by funnyman Benny Hill.

The next phase of the plan is to knock out the cameras. To throw the traffic control center off the scent, and conceal the actual robbery, the criminals plant some devices — probably jammers, but the details are not revealed — on trash cans and roofs in the vicinity of the cameras. Traffic cameras in those days could not transmit wireless signals, but the mysterious gadgets manage to disable the cameras.

The result: Everything goes like clockwork. The cameras switch off, the traffic lights start blinking, the city roads are paralyzed, and Peach is arrested for indecent behavior on public transportation (don’t ask).

British version: Takeaways

Cybersecurity

  • The film displays a rather dismissive attitude toward the physical security of critical infrastructure. Both the power substation and the traffic control center are practically unguarded. The attackers get to the drive without a hitch and successfully replace the tape.
  • The computer accepts the substitute program without question. That’s actually excusable; code signing wasn’t invented until much later.

Perception

  • Computer hacking is perceived as something highly complex. To fool the computer, the gang spends a lot of energy recruiting the best computer expert in the land (only to have him change a tape reel).
  • There is no attempt to explain the technical side of things; instead, black-box gadgets miraculously disable the cameras.

The Italian Job (2003), the American way

The Hollywood version, in my view, cannot be considered a direct remake of the British film. Sure, the characters have the same goal (to steal gold bars), and the chase scene is practically a carbon copy of the original, but the motivations are very different. Psychology and morals aside, they still have to mess around with cameras and traffic lights. But these criminals do not have to look for a specialist; they already have a computer genius on the team: Lyle, whose day job happens to involve 3D modeling of buildings for planning and coordinating robberies. That’s your digital transformation at work. In 2003, having a computer specialist on the team is considered pretty normal.

What’s more, the American version of the movie requires a bit more hacking. First, the criminals try to hack into a phone company’s remote monitoring system, convince its employees that it is a legal wiretapping operation, and ultimately redirect the audio stream to their own listening post. Lyle has experience with the latter, having spent years eavesdropping on his ex.

But the main hack is unchanged. Getting inside the Los Angeles Automated Traffic Surveillance and Control Operations Center in 2003 is way easier than getting into Turin’s system was in 1969 — the center is connected to the Internet and even has a graphical user interface (GUI). Lyle sits at his laptop and tries to figure out the password — manually. He enters password after password without success, until at last the magic words “Access Granted” appear on the screen.

The operations center predicts traffic flow and automatically changes traffic lights based on camera captures. But it has a manual mode too, and Lyle uses that to take control of the lights. As a demonstration, he changes all of the lights at one intersection to green, causing an accident. But he quickly switches the lights back, and the center writes off the incident as a glitch.

The gang’s plan is to make a wave of green that lets them speed through while gridlocking the rest of Los Angeles. On the day of the robbery, a somewhat dazed Lyle sits on a baggage carousel at Union Station armed with a laptop and router, monitoring the situation on the roads, changing signal lights (not only on the road, but also in the subway), and paralyzing the control center by displaying the message “You’ll never shut down the real Napster” on every screen. (As a comic plot element, Lyle claims that he invented the Napster peer-to-peer network and that Shawn Fanning stole his idea. Lyle likes to call himself Napster. He does, to be fair, resemble the stereotypical computer whiz kid.)

Thanks to the well-coordinated operation, the gold is stolen, everyone gets away, and the dastardly villain falls into the hands of the Ukrainian mafia, whose path he manages to cross.

US version: Takeaways

Cybersecurity

  • If the password for remote access to a system can be picked manually, it’s a bad password.
  • Critical infrastructure needs to use a secured Internet connection and should not be controllable through a Web-based GUI. And it should go without saying that staff should not fix its gaze on an idiotic message instead of trying to do something about it. Even the fictional Italians of 34 years before were more clued-in!

Perception

  • By 2003, hacking is a common occurrence, so pulling off the heist relies on more than just disabling a few traffic lights. In this nonremake remake, penetrating the traffic control center is a standard operation that arises naturally during the planning phase.
  • Lyle/Napster is forever explaining what he’s doing and how. What he says is nonsense, of course, but the point is that the moviemakers wanted to root the on-screen events in some version of reality.

Players (2012), the Indian way

The Indian filmmakers tried to extract the best bits of both versions of The Italian Job and spice it up with Bollywood glam, including racing, singing, dancing, high-minded morality and, of course, hacking. The plot is admittedly pretty wild: Russia is returning to Romania some gold that the Romanian government hid in Russia before the German invasion in 1915. Nasty Russian army officers are transporting the gold, the even nastier Russian mafia is hunting it, and a group of noble Indian robbers wants to steal the gold and use the funds to build a school for orphans.

Naturally, the smash-and-grab operation needs the best hacker in the world. And he needs a real hacker handle: in this case, it’s Spider. One problem, no one knows where to find him. Fortunately, the main character’s girlfriend has a master’s degree in computers with a gold medal and a master’s degree in ethical hacking (sure, why not?). She breaks into the systems of “the best hacker in the world” and discovers that he actually lives nearby. Having kidnapped him, they persuade him to take part in the raid.

According to the plan, the kidnapped hacker has two tasks to perform. First, he must hack into the Russian army’s website to get information about the officers carrying the cargo. Second, he has to hack a satellite monitoring the movements of the train with the gold in real time (and paralyze the control center).

He copes with both tasks easily by tapping a few keys on a laptop — but he turns against the gang, snatches the gold for himself, and runs. That leaves the job of disabling the traffic lights to the master ethical hacker. Incidentally, she does so in exactly the same way, with a quick drum roll on the keyboard to gain control of the traffic lights.

Indian version: Takeaways

Cybersecurity

  • There is no cybersecurity to speak of. All systems can be hacked remotely, without preliminary preparation — just tap away on the keyboard, the faster the better.

Perception

  • Hackers are magicians.

The Italian Job: Conclusion

In all three movies, the criminals try to avoid bloodshed, and in the last two, they are even guided (partly) by noble intentions: revenge for a teacher’s murder and desire to build a school for orphans. However, they never stop to think about the consequences of gridlocking a huge city, including for firefighters, ambulances, and the like. And that means civilian casualties. Even though the robbers are portrayed as good guys, it’s hard to sympathize with them.

As for cybersecurity, the image of the “genius hacker” has changed dramatically over half a century. If earlier the hacker was a gifted but strange, otherworldly kind of guy, now a hacker is depicted as a self-confident, near-omnipotent technowizard. Seizing control of traffic lights has evolved from a complex technical operation to a standard trick that is taken for granted. The reality, of course, is very different. Hacking a city’s traffic control system is far harder than it seems on the silver screen.

The omnipotence of hackers in movies negatively affects perceptions of the threat of critical infrastructure break-ins. According to our colleagues at Kaspersky Security Awareness, the cinematic stereotype of the genius hacker harms the security of real companies. People are so sure that bad actors can do anything that they don’t bother with maximum protection, leaving unnecessary loopholes.

That’s why we strongly recommend security awareness training for employees that shows them how things are in the real world. For example, our Kaspersky Automated Security Awareness Platform provides lessons that separate fact from fiction.

Tips