A critical vulnerability in traffic light controllers designed by SWARCO could have been exploited by hackers to disrupt traffic lights.
SWARCO is the world’s largest manufacturer of signal heads and the number two internationally for reflective glass beads.
Researchers at ProtectEM discovered that SWARCO’s CPU LS4000 traffic light controllers have an open port designed for debugging that could be exploited by attackers.
The flaw, tracked as CVE-2020-12493, is an “improper access control” issue that could allow hackers to grant root access to the device without access control via network.
“An open port used for debugging grants root access to the device without access control via network.” reads the security advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The flaw could be exploited by low-skilled attackers, it was rated with a CVSS score of 10 and affects all OS versions starting with G4 SWARCO of CPU LS4000.
“An open port used for debugging grants root access to the device without access control via network.” reads the advisory published by the CERT-VDE
“A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices.”
ProtectEM researchers reported the vulnerability to the vendor in July 2019, which released a patch in April.
The good news is that this family of systems is not exposed online and attackers need physical access to the targeted network to exploit the flaw.
An attacker that could achieve physical access to vulnerable controllers in a city could cause the caps by deactivating traffic lights simultaneously.
The researchers demonstrated how an attacker could control traffic lights and manipulated them to cause traffic accidents or traffic jams.
(SecurityAffairs – traffic lights, cybersecurity)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.