GoKawiilIn the wee hours of the night last April, someone stopped at roughly 20 street intersections across Silicon Valley and launched an unprecedented cyberattack that would eventually spread to multiple states, embarrassing local officials and prompting them to question their security practices. Authorities suspect the unknown culprit took advantage of weak and publicly available default passwords to wirelessly upload custom recordings that played whenever a pedestrian pressed a crosswalk button.
Instead of the normal recordings telling people to either wait or cross the street, pedestrians heard the spoofed voices of billionaire tech CEOs. A fake Mark Zuckerberg said at one Menlo Park intersection that people would not be able to stop AI from “forcefully” being inserted “into every facet of your conscious experience.” At another, he celebrated “undermining democracy.” At a different intersection, an altered Elon Musk described President Donald Trump as “actually really sweet and tender and loving,” while on a nearby street his faked voice whined about being “so alone.”
Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver scrambled to respond to the crosswalk button tampering. The communications, along with interviews with security experts and former employees of the button manufacturer, highlight how governments and the company had overlooked vulnerabilities in a widespread technology.
In Redwood City, then-city manager Melissa Diaz quizzed staff about who should be blamed for the incident. “We need to understand who should be accountable for the security of these systems and what we can do to hold either staff or the external responsible party accountable,” she wrote in an email to colleagues in the days after the hack.
Nick Mathiowdis, Redwood City’s current manager, tells WIRED that staff have been addressing the issue based on “lessons learned and evolving best practices,” but declines to share details to avoid encouraging further hacks.
Edward Fok, a veteran Federal Highway Administration cybersecurity official who briefly investigated the hacking before retiring as DOGE swept through the government, says cities need to do a better job ensuring that cybersecurity clauses are baked into contracts with suppliers and installers of technology, especially as AI tools and powerful sensors are increasingly integrated into transportation infrastructure.
Redwood City, for example, had contractually required its button installation and maintenance vendor to “use reasonable diligence and best judgment” at the time of the hack but had not specified anything about passwords or digital security.
In an unsigned statement to WIRED, the highway administration said that it previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans' safety when utilizing our crosswalks."
The police investigation into the hacked buttons in Silicon Valley has run cold. Authorities couldn’t figure out who was behind the scheme because the buttons don’t track who uploads audio, and surveillance footage from the area wasn’t helpful, according to Redwood City police lieutenant Jeff Clements.
WIRED has made this article free for all to read because it is primarily based on reporting from Freedom of Information Act requests. Please consider subscribing to support our journalism.
... continue reading