In the wee hours of the night last April, someone stopped at roughly 20 street intersections across Silicon Valley and launched an unprecedented cyberattack that would eventually spread to multiple states, embarrassing local officials and prompting them to question their security practices. Authorities suspect the unknown culprit took advantage of weak and publicly available default passwords to wirelessly upload custom recordings that played whenever a pedestrian pressed a crosswalk button.
Instead of the normal recordings telling people to either wait or cross the street, pedestrians heard the spoofed voices of billionaire tech CEOs. A fake Mark Zuckerberg said at one Menlo Park intersection that people would not be able to stop AI from “forcefully” being inserted “into every facet of your conscious experience.” At another, he celebrated “undermining democracy.” At a different intersection, an altered Elon Musk described President Donald Trump as “actually really sweet and tender and loving,” while on a nearby street his faked voice whined about being “so alone.”
Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver scrambled to respond to the crosswalk button tampering. The communications, along with interviews with security experts and former employees of the button manufacturer, highlight how governments and the company had overlooked vulnerabilities in a widespread technology.
In Redwood City, then-city manager Melissa Diaz quizzed staff about who should be blamed for the incident. “We need to understand who should be accountable for the security of these systems and what we can do to hold either staff or the external responsible party accountable,” she wrote in an email to colleagues in the days after the hack.
Nick Mathiowdis, Redwood City’s current manager, tells WIRED that staff have been addressing the issue based on “lessons learned and evolving best practices,” but declines to share details to avoid encouraging further hacks.
Edward Fok, a veteran Federal Highway Administration cybersecurity official who briefly investigated the hacking before retiring as DOGE swept through the government, says cities need to do a better job ensuring that cybersecurity clauses are baked into contracts with suppliers and installers of technology, especially as AI tools and powerful sensors are increasingly integrated into transportation infrastructure.
Redwood City, for example, had contractually required its button installation and maintenance vendor to “use reasonable diligence and best judgment” at the time of the hack but had not specified anything about passwords or digital security.
In an unsigned statement to WIRED, the highway administration said that it previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans’ safety when utilizing our crosswalks.”
The police investigation into the hacked buttons in Silicon Valley has run cold. Authorities couldn’t figure out who was behind the scheme because the buttons don’t track who uploads audio, and surveillance footage from the area wasn’t helpful, according to Redwood City police lieutenant Jeff Clements.
Public Warning
Greenville, Texas-based Polara Enterprises has been a leading supplier of crosswalk push buttons for decades. Some have the ability for cities to upload custom audioclips via Bluetooth to give pedestrians, including those who are blind or visually impaired, extra cues like the street and direction they are crossing.
Official online manuals and videos aimed at the thousands of technicians maintaining the buttons across the country describe how Bluetooth-enabled Polara models ship with a default password of “1234” and are configurable through a publicly available app. About eight months before last year’s button hacking spree, a physical security vlogger who goes by the name Deviant Ollam posted a YouTube video pointing out how easy it would be to tamper with the buttons. “I’m not encouraging anyone to try completely guessable passwords and upload their own content because, remember, that would be bad. That would probably be a crime or something. Talk to your lawyers,” he said in the video.
