A year after it was notified about a security vulnerability, a company in charge of manufacturing sensors used in traffic control systems has patched a series of previously disclosed bugs that could have opened the products up to a handful of exploits.
A warning from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) late last week confirmed that the company, Berkeley-Calif.-based Sensys Networks, updated its products to mitigate vulnerabilities first discovered earlier this year by Cesar Cerrudo, a researcher and CTO at the computer security firm IOActive.
While ICS-CERT claims the company’s products are deployed primarily in U.S. cities, sensors – around 200,000 worldwide – also exist in the UK, France and Australia, among other countries, Cerrudo acknowledges.
Until last week, with the right equipment, traffic systems running the sensors in question, VSN240-F and VSN240-T, could be rendered inoperable or tweaked to run on predetermined timed intervals.
The devices are small wireless vehicle detection sensors, embedded in the ground, that transmit data about cars’ presence and movement.
The technical problem, according to ICS-CERT, is that the traffic sensors accept software modifications without double-checking the code’s integrity, something that puts them at risk of “modification and damage.”
Cerrudo was even able to verify his attack vector by flying a drone and launching his attack via programmable cheap hardware to send fake data to the systems. His exploits could go on to seriously disrupt traffic data, and according to ICS-CERT, “have a limited impact on traffic control for an intersection.”
If any traffic lights were linked to the sensors in question, those too could have be impacted, according to ICS-CERT.
When Cerrudo discussed the vulnerabilities in an IOActive blog back in April, he declined to disclose the name of the vendor or the exact vulnerabilities, adding that it was an uphill battle convincing the company it was a serious issue. Cerrudo did mention the then unnamed vendor had been initially contacted one year ago, in September 2013, through ICS-CERT, regarding the vulnerabilities.
“I tried several times to make ICS-CERT and the vendor understand that these issues were serious, but I couldn’t convince them,” he wrote at the time.
The price – “approximately $100,000 of vulnerable equipment buried in roads around the world that anyone can hack,” as Cerrudo pointed out in July – likely had something to do with it.
Roughly a year after the bugs surfaced, Cerrudo went on to discuss the attack in a presentation at DEF CON in August.
One of the fixes Sensys pushed last week enabled encrypted software downloads for sensors and sensor data authentication for devices – something that should thwart would-be hackers from installing modified software on the devices going forward.
While it hasn’t stated there’s an inherent issue in other sensors it produces, according to ICS-CERT, Sensys is planning future updates for older model access points later this month.
