In a bizarre incident last April, an unknown attacker targeted approximately 20 street intersections across Silicon Valley, launching a cyberattack that later spread to multiple states. The culprit exploited weak, publicly available default passwords to wirelessly upload custom recordings that played when pedestrians pressed crosswalk buttons. Instead of standard safety messages, pedestrians were greeted by spoofed voices of billionaire tech CEOs. A fake **Mark Zuckerberg** declared at one Menlo Park intersection that AI would be “forcefully” inserted “into every facet of your conscious experience.” In another instance, he celebrated “undermining democracy.” An altered **Elon Musk**, at a different intersection, described President **Donald Trump** as “actually really sweet and tender and loving,” while elsewhere, his faked voice lamented being “so alone.” ## The Aftermath and Finger-Pointing Government emails and text messages obtained by **WIRED** revealed the scramble by cities like Menlo Park, Redwood City, Palo Alto, Seattle, and Denver to respond to the crosswalk button tampering. These communications, along with interviews with security experts and former employees of the button manufacturer, underscored overlooked vulnerabilities in widespread technology. In Redwood City, then-city manager **Melissa Diaz** questioned who should be held accountable for the security breaches. **Nick Mathiowdis**, Redwood City’s current communications manager, stated that the issue is being addressed based on “lessons learned and evolving best practices,” but declined to provide specific details to avoid encouraging further attacks. **Edward Fok**, a former **Federal Highway Administration** cybersecurity official, emphasized the need for cities to incorporate cybersecurity clauses into contracts with suppliers and installers, especially with the increasing integration of AI tools and sensors into transportation infrastructure. Redwood City’s contract with its button installation and maintenance vendor only required “reasonable diligence and best judgment,” lacking specific stipulations on passwords or digital security. The highway administration, in an unsigned statement, claimed to have previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans' safety when utilizing our crosswalks." The police investigation into the Silicon Valley hacks has stalled, as the buttons do not track audio uploads, and surveillance footage proved unhelpful, according to Redwood City police lieutenant **Jeff Clements**. ## The Vulnerability: Default Passwords  **Polara Enterprises**, a leading supplier of crosswalk push buttons, utilizes Bluetooth-enabled models that allow cities to upload custom audio clips. Official online manuals and videos demonstrate that these **Polara** models ship with a default password of “1234” and are configurable via a publicly available app. Months before the hacks, physical security vlogger **Deviant Ollam** highlighted the ease of tampering with these buttons in a **YouTube** video. html <iframe width="560" height="315" src="https://www.youtube.com/embed/mvvVSTlbqEI" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe> **Ollam** noted that while he wasn't encouraging illegal activity, the vulnerability was evident. He considered the hack an “ideal prank” that raised awareness about an important societal issue. ## Manufacturer's Response **Josh LittleSun**, CTO of **Synapse ITS** (which now owns **Polara**), attributed the hacks not to default passwords but to installers using simple, widely shared passwords that were infrequently changed. Former **Synapse** employees claimed the company prioritized reliability over security due to limited competition and resources. However, **LittleSun** disputed this, stating that **Synapse** has increased engineering investment in **Polara** products and is focusing on security. Since the hack, stronger passwords and additional verification steps have been implemented. “The security of these critical community assets is essential,” **LittleSun** emphasized. ## Seattle Targeted Shortly after the Silicon Valley incidents, Seattle became a target, with a recording spoofing **Amazon** founder **Jeff Bezos**, urging against taxing the rich. **Abel Pacheco**, Seattle’s transit operations division director, stated that the city responded by assigning unique passwords to each button and establishing a list with