A new, remotely exploitable vulnerability in Daktronics’ Vanguard software could make it even easier for attackers to hack electronic road signs, a task that was reportedly never very difficult to begin with.
Daktronics’ Vanguard dynamic highway message sign configuration software was initially said to contain hard-coded credentials last week. The company that manufactures the software has contested that claim, saying that the credentials are not hard-coded, but merely default credentials that can be changed by the person in charge of maintaining the signs running on the Vanguard software.
According to an alert published by the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT), there is a proof-of-concept attack available online that can be followed to remotely modify sign messaging. ICS-CERT is advising that those in control of signs running the affected software “review sign messaging, update access credentials, and harden communication paths to the signs.”
In order to remedy the problem, Daktronics and the Federal Highway Administration are advising that Vanguard displays are not present on publicly accessible IP addresses. The displays, they say, should be on a private network or VPN. Furthermore, it is recommended that administrators disable the telnet, webpage, and web LCD interfaces when not needed and change the default password to a strong one on all installed devices as soon as possible.
In addition to these, ICS-CERT is further recommending that affected parties minimize network exposure for all control systems so that they are not connected to the broader Internet. Administrators should also make sure to place all such devices behind firewalls and isolate them from the business network. When and if remote access to systems are required, ICS-CERT continues, users should connect using a secure method like a VPN.
Image via Amy Guth’s Flickr Photostream