Hacking This City’s Traffic Lights Would Have Been Like Taking Cake from a Baby

Debug this...

By Claudia Glover

It is a staple of too many action films to count: the hackers/police taking over traffic light systems to cause havoc/spring a trap on the bad guys.

It could easily have been the reality in Germany, with a routine audit of an unnamed city’s networked traffic systems turning up a security howler in its infrastructure, which has been given the maximum CVSS score of 10.

To blame: traffic light and infrastructure provider SWARCO, which had left a debugging port open by default; an attacker could access it remotely, with no access controls in the way, and get immediate root access.

The bug (in SWARCO’s CPU LS4000 Series) was spotted by researchers at German security firm ProtectEM, who uncovered the vulnerability during a routine audit of an unnamed city’s networked traffic systems.

According to cyber security framework NIST, if left unchecked: “A malicious user could… disturb operations with connected devices”.

Traffic Light Vulnerability

The vulnerability was assigned CVE-2020-12493, with a maximum CVSS (a way of measuring vulnerability severity) score of 10.

The faulty SWARCO controller, which is designed to control traffic lights at an intersection, runs BlackBerry’s QNX real-time operating system, but the bug was a design fault rather than a software vulnerability, per se.

Austria-based traffic light company SWARCO was founded in 1969 and is a leading producer of street and road infrastructure.

A patch is now available. As NIST reminds anyone who’ll listen: “Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network [and] when remote access is required, use secure methods, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”
