The Dumbest Hack of the Year Exposed a Very Real Problem

In the early morning One night last April, someone stopped at about 20 intersections in Silicon Valley and launched an unprecedented cyberattack that eventually spread to several states, embarrassing local officials and prompting them to question their security practices. Authorities suspect the unknown culprit took advantage of weak, publicly available default passwords to wirelessly download personalized recordings played every time a pedestrian pressed a crosswalk button.

Instead of normal recordings telling people to wait or cross the street, pedestrians heard the doctored voices of billionaire tech CEOs. A fake Mark Zuckerberg told a Menlo Park intersection that people would not be able to stop AI from being “forcefully” inserted “into every facet of your conscious experience.” At another, he celebrated the “attack on democracy.” At another intersection, an altered Elon Musk described President Donald Trump as “actually very sweet and tender and loving,” while on a nearby street his fake voice complained about being “so alone.”

Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver, rushed to respond to the crosswalk button tampering. The communications, as well as interviews with security experts and former employees of the button maker, highlight how governments and the company overlooked the vulnerabilities of a widely used technology.

In Redwood City, then-City Manager Melissa Diaz questioned staff about who should be blamed for the incident. “We need to understand who should be responsible for the security of these systems and what we can do to hold the responsible staff or external party accountable,” she wrote in an email to colleagues in the days after the hack.

Nick Mathiowdis, Redwood City’s current manager, told WIRED that staff approached the problem based on “lessons learned and evolving best practices” but refuses to share details to avoid encouraging further hacks.

Edward Fok, a former Federal Highway Administration cybersecurity official who briefly investigated the hack before retiring as DOGE swept the government, says cities need to do a better job ensuring cybersecurity clauses are built into contracts with technology vendors and installers, especially as powerful AI tools and sensors are increasingly integrated into transportation infrastructure.

Redwood City, for example, had contractually required its button installation and maintenance provider to “exercise reasonable care and best judgment” at the time of the hack, but had not specified anything about passwords or digital security.

In an unsigned statement to WIRED, the highway administration said it previously issued a technical advisory outlining “safety measures to ensure that ideological idiots do not endanger the safety of Americans when they use our crosswalks.”

The police investigation into the hacked buttons in Silicon Valley has remained unanswered. Authorities could not determine who was behind the scheme because the buttons do not track who is uploading audio and surveillance footage from the area was not helpful, according to Redwood City Police Lt. Jeff Clements.

Public warning

Polara Enterprises, based in Greenville, Texas, has been a leading supplier of crosswalk push buttons for decades. Some have the option for cities to upload personalized audio clips via Bluetooth to give pedestrians, including those who are blind or visually impaired, additional cues like which street and direction they are crossing.

Official online manuals and videos for the thousands of technicians who service the buttons across the country describe how Bluetooth-enabled Polara models come with a default password of “1234” and are configurable through a publicly available app. About eight months before last year’s button hacking wave, a physical security vlogger who goes by the name Deviant Ollam posted a YouTube video highlighting how easy it would be to tamper with the buttons. “I don’t encourage anyone to try completely guessable passwords and upload their own content because, remember, that would be bad. It would probably be a crime or something. Talk to your lawyers about that,” he said in the video.