Last April, a cyberattack targeted crosswalk push buttons across roughly 20 street intersections in Silicon Valley and later spread to other states, including Seattle and Denver. According to reporting by WIRED, the attacker used weak, publicly available default passwords to wirelessly upload custom recordings that played when pedestrians pressed the crosswalk button—replacing the standard “wait” or “cross” guidance with spoofed voices tied to recognizable tech figures.
In Menlo Park, WIRED reports that the audio included a fake Mark Zuckerberg message about AI being “forcefully” inserted “into every facet of your conscious experience” and a separate line about “undermining democracy.” Elsewhere, an altered Elon Musk voice described President Donald Trump as “actually really sweet and tender and loving,” and on a nearby street his fake voice whined about being “so alone.” The episode triggered internal scrambling across multiple cities and raised questions about how local governments evaluate and secure the transportation technologies they deploy.
What the hack changed: audio guidance became software-defined
The core technology in this incident is not a social media platform or a consumer app; it is a piece of transportation infrastructure: Bluetooth-enabled crosswalk push buttons capable of accepting uploaded audio clips. WIRED says authorities suspect the attacker exploited default credentials to upload recordings that then played when pedestrians activated the button.
As described in the WIRED report, the official purpose of some button models is to provide additional accessibility cues. The story notes that Polara Enterprises, a Greenville, Texas-based supplier of crosswalk push buttons for decades, has models with the ability for cities to upload custom audioclips via Bluetooth. WIRED adds that these clips can give pedestrians, including those who are blind or visually impaired, extra cues about “the street and direction they are crossing.”
That same upload capability—when paired with weak authentication—turns the device into an attack surface. WIRED’s reporting links the incident to the presence of a default password and a publicly available configuration path. The story states that official online manuals and videos for technicians describe how Bluetooth-enabled Polara models ship with a default password of “1234” and are configurable through a publicly available app.
The report also includes a prior warning from a physical security vlogger. About eight months before last year’s button hacking spree, WIRED says a YouTube video by a creator named Deviant Ollam pointed out how easy it would be to tamper with the buttons. WIRED quotes the video’s disclaimer: “I’m not encouraging anyone to try completely guessable passwords and upload their own content because, remember, that would be bad. That would probably be a crime or something. Talk to your lawyers.”
In other words, the technical weakness—guessable default credentials—was not only present in deployed systems; it was also publicly documented in a way that could help attackers understand the mechanism.
How cities responded: contract language and operational controls
WIRED says the incident drew scrutiny from city officials and involved communications and interviews obtained through public records requests (Freedom of Information Act, per the report). The cities named in the story include Menlo Park, Redwood City, and Palo Alto, and later Seattle and Denver.
In Redwood City, WIRED reports that then-city manager Melissa Diaz asked staff in the days after the hack about accountability. In an email obtained by WIRED, Diaz wrote: “We need to understand who should be blamed for the incident. ” She continued: “We need to understand who should be accountable for the security of these systems and what we can do to hold either staff or the external responsible party accountable,” according to WIRED.
WIRED also quotes Redwood City’s current manager, Nick Mathiowdis, who tells the publication that staff have been addressing the issue using “lessons learned and evolving best practices,” while declining to share details to avoid encouraging further hacks.
Beyond internal response, the report emphasizes procurement and contract mechanics as a technical governance layer. WIRED includes comments from Edward Fok, a veteran Federal Highway Administration cybersecurity official who briefly investigated the hacking before retiring as “DOGE swept through the government,” as WIRED describes it. Fok’s point, as reported, is that cities need to “do a better job ensuring that cybersecurity clauses are baked into contracts with suppliers and installers of technology,” especially as “AI tools and powerful sensors are increasingly integrated into transportation infrastructure.”
That contract gap is illustrated by the Redwood City example. WIRED says Redwood City had required its button installation and maintenance vendor to “use reasonable diligence and best judgment” at the time of the hack, but it had not specified anything about passwords or digital security.
This is significant because it frames the incident as more than a one-off breach. If the deployed devices rely on credential-based access to upload content, then procurement language that does not explicitly cover authentication and secure configuration could leave cities with limited leverage over how vendors implement security.
Why investigators struggled: the system’s logging blind spots
WIRED reports that the police investigation in Silicon Valley “has run cold.” One technical reason is that the buttons do not track who uploads audio. WIRED attributes this to Redwood City police lieutenant Jeff Clements, who tells the publication that authorities couldn’t figure out who was behind the scheme because the buttons don’t track the uploader, and surveillance footage “wasn’t helpful.”
From a systems perspective, this suggests a mismatch between the threat model and the device’s observability. If an attacker can change the content presented to the public—here, by uploading audio that plays on activation—then the ability to attribute changes to a specific uploader becomes a key defensive requirement. WIRED’s account indicates that such attribution data was not captured at the button level.
The report also includes a statement from a highway administration source. In an unsigned statement to WIRED, the highway administration said it previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans’ safety when utilizing our crosswalks.” WIRED characterizes this as part of prior guidance, but the report does not specify whether those measures were incorporated into contracts or configurations for the affected deployments.
What this episode implies for transportation cybersecurity
WIRED’s reporting frames the incident as a “very real problem” rooted in practical technology details: default credentials, Bluetooth-based content upload, and the absence of security requirements in at least one contract. While WIRED does not claim that every city’s implementation was identical, the named components—Bluetooth capability, “1234” default password, publicly available configuration app, and the lack of uploader tracking—describe a concrete chain of capabilities that can be exploited.
For industry observers, the broader implication is that transportation infrastructure increasingly behaves like connected software appliances. When systems accept remote configuration (such as uploading audioclips), they need controls that go beyond “reasonable diligence.” The story’s contract example in Redwood City—requiring “reasonable diligence and best judgment” but not specifying passwords or digital security—could be read as a signal that procurement documents may lag behind the technical realities of networked devices.
WIRED’s emphasis on AI tools and sensors being integrated into transportation infrastructure also suggests that the stakes extend beyond audio spoofing. Even if the crosswalk buttons in this incident were used to play ideological or personal messages, the underlying lesson is about authentication, configuration security, and auditability as systems become more software-driven.
At the same time, WIRED reports that some cities have been addressing the issue using “lessons learned and evolving best practices,” though it does not provide specifics. That restraint may reflect a common security tradeoff: publishing remediation details can help defenders but can also help attackers iterate. What is clear from the WIRED account is that the incident forced local governments and vendors to confront how default credentials, Bluetooth configuration, and weak contract requirements can combine into a public-safety risk.
Source: WIRED