
A Major Hack Reveals a Critical Security Flaw

Summary

– In April, an unknown hacker exploited weak default passwords to upload custom audio to crosswalk buttons across Silicon Valley, with the tampering later spreading to other states.
– The tampered buttons played spoofed recordings of tech CEOs like Mark Zuckerberg and Elon Musk making provocative statements instead of standard crossing instructions.
– Internal communications revealed cities and the manufacturer had overlooked security vulnerabilities in this widespread public infrastructure technology.
– A police investigation stalled because the buttons lack upload tracking and available surveillance footage was not useful in identifying the culprit.
– The button manufacturer’s public manuals showed devices used a default password of “1234” and were configurable via a publicly available Bluetooth app.

In April 2025, a series of coordinated cyberattacks struck street intersections across Silicon Valley, eventually spreading to other states. The incident exposed a critical security flaw in public infrastructure, embarrassing local governments and forcing a reckoning over basic cybersecurity practices. Authorities believe an unknown individual exploited weak, publicly available default passwords to wirelessly upload custom audio files to pedestrian crosswalk buttons.

When pedestrians pressed the button, they did not hear the standard instructions to wait or cross. Instead, they were met with spoofed recordings of prominent tech billionaires. At one Menlo Park intersection, a fabricated Mark Zuckerberg voice claimed people could not stop AI from being “forcefully” inserted “into every facet of your conscious experience.” At another, the same voice celebrated “undermining democracy.” Elsewhere, a falsified Elon Musk recording described former President Donald Trump as “actually really sweet and tender and loving,” while another fake clip featured him complaining about being “so alone.”

Internal government communications obtained through public records requests reveal how the cities of Menlo Park, Redwood City, and Palo Alto, followed later by Seattle and Denver, scrambled to respond to the tampering. These documents, along with expert analysis, highlight how both municipalities and the equipment manufacturer had long overlooked vulnerabilities in this widespread technology.

In Redwood City, then-city manager Melissa Diaz immediately pressed her staff on accountability. In an email to colleagues days after the hack, she emphasized the need to understand “who should be accountable for the security of these systems” and how to hold responsible parties, whether internal staff or external vendors, to account.

The city’s current manager, Nick Mathiowdis, stated that staff have been applying “lessons learned and evolving best practices” to address the issue, though he declined to share specific details to avoid inspiring copycat attacks.

The police investigation in Silicon Valley ultimately stalled. According to Redwood City police lieutenant Jeff Clements, authorities could not identify a suspect because the buttons do not log who uploads audio, and available surveillance footage proved unhelpful.

Cybersecurity veteran Edward Fok, who briefly investigated the hacking for the Federal Highway Administration before retiring, argues that cities must improve how they manage vendor contracts. He stresses that robust cybersecurity clauses need to be explicitly baked into agreements with suppliers, especially as AI and advanced sensors become more integrated into transportation networks.

Redwood City’s experience illustrates this gap. At the time of the hack, its contract with the installation vendor only required the company to “use reasonable diligence and best judgment,” with no specific language mandating strong passwords or digital security protocols.

The manufacturer at the center of the incident is Polara Enterprises, a Texas-based company that has been a leader in crosswalk push buttons for decades. Some of its models allow cities to upload custom audio clips via Bluetooth, providing additional cues for blind or visually impaired pedestrians. Official manuals and training videos for technicians nationwide show that Bluetooth-enabled Polara units ship with a default password of “1234” and are configurable through a publicly available app.

Notably, about eight months before the hacking spree, a physical security researcher known as Deviant Ollam posted a YouTube video demonstrating how easily the buttons could be compromised. In the video, he pointed out the guessable passwords while adding a disclaimer that actually attempting such access would be unlawful. His warning, however, went unheeded by the responsible parties until the widespread breach made the systemic vulnerability impossible to ignore.

(Source: Wired)
