Emails released under California public records law show Caltrans left default passwords on talking crosswalk devices that were later altered to play spoofed voices at intersections in Palo Alto, Menlo Park and Redwood City.
The altered audio drew attention in April after pedestrians reported the accessible pedestrian signals, used to assist people who are blind or have low vision, were playing satirical messages impersonating Elon Musk and Mark Zuckerberg instead of standard guidance.
Caltrans disabled the audio feature during the response and later restored it, according to the Palo Alto Daily Post’s reporting based on the released emails and a follow-up report by NBC Bay Area.
Menlo Park officials told news outlets at the time that the affected devices were on Caltrans-controlled infrastructure, including along El Camino Real, a state highway corridor where Caltrans operates and upgrades pedestrian facilities as part of its roadway work.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
The Daily Post reported that the manufacturer warned Caltrans and local agencies to use strong passwords. Caltrans later identified other intersections needing changes and updated those credentials to prevent a repeat.
Local reporting in June said cities and vendors made additional security changes after the incident, including limiting password attempts and giving agencies the ability to disable connectivity used to configure the devices. In a statement cited by that reporting, the manufacturer Polara said it believed the individuals used “valid credentials,” which could include a default password.
Polara’s support documentation lists a factory default passcode of “1234” and directs operators to change it during setup.
The Bay Area incident was part of a broader run of public-facing system takeovers. In Encinitas, city officials said portable message boards were broken into after locks on the keyboard housing were cut and the signs were reprogrammed on-site. In Seattle days later, officials said crosswalk audio at multiple intersections had been altered, and transportation officials told KUOW they shut off communications at some locations that appeared to have been accessed wirelessly.
At Harrisburg International Airport, an airport spokesman said an unauthorized user gained access to the public-address system but declined to describe how during an active police investigation. Reuters reported officials at Victoria International Airport attributed a similar PA takeover to hackers breaching third-party software.
Caltrans, the state transportation agency, maintains about 15,000 miles of state highways in California, including routes that run through local downtowns.
