Security experts have discovered a new flaw in Daktronics’ Vanguard software that could be exploited remotely to hack electronic road signs.
A week ago, it was reported that Daktronics’ Vanguard dynamic highway message sign (DMS) configuration software contains hard-coded default credentials, but the company remarked that this is not a security issue because the credentials can be changed by the organization that manages the Daktronics Vanguard application.
The Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) has issued a specific alert on the vulnerability discovered in Daktronics’ Vanguard software.
“ICS-CERT is aware of a public report of a hardcoded password vulnerability affecting Daktronics Vanguard highway dynamic message sign (DMS) configuration software. According to this report, the vulnerability is a hardcoded password that could allow unauthorized access to the highway sign. This report was reported to ICS-CERT by the Federal Highway” states the ICS-CERT alert.
ICS-CERT revealed that a proof-of-concept attack is available online that bad actors could follow to remotely modify sign messaging. The Emergency Response Team advises those in control of signs running the affected Daktronics Vanguard dynamic highway message sign (DMS) configuration software to “review sign messaging, update access credentials, and harden communication paths to the signs.”
Daktronics and the Federal Highway Administration provided the following recommendations:
ICS-CERT advises organizations to perform a risk assessment prior to taking defensive measures and, of course, to report any anomalous activity on their systems to ICS-CERT.
Yesterday I published another interesting post on the alert provided by ICS-CERT related to the risks of cyber attacks on ICS systems exposed online. The number of cyber attacks is increasing, and problems like the one discovered in Daktronics’ Vanguard could be exploited by attackers to cause serious problems and harm Homeland security.
(Security Affairs – ICS-CERT, Daktronics)