
Hacking This City’s Traffic Lights Would Have Been Like Taking Cake from a Baby

Debug this...

By Claudia Glover

It is a staple of too many action films to count: the hackers/police taking over traffic light systems to cause havoc/spring a trap on the bad guys.

It could have easily been the reality in Germany, with a routine audit of an unnamed city’s networked traffic systems turning up a security howler in its infrastructure, which has been given the maximum CVSS score of 10.

To blame: traffic light and infrastructure provider SWARCO, which had left a port for debugging open by default; an attacker could access it remotely, with no access controls in the way, and get immediate root access.

The bug (in SWARCO’s CPU LS4000 Series) was spotted by researchers at German security firm ProtectEM, who uncovered the vulnerability during a routine audit of an unnamed city’s networked traffic systems.

According to cyber security framework NIST, if left unchecked: “A malicious user could… disturb operations with connected devices”.

Traffic Light Vulnerability

The vulnerability was assigned CVE-2020-12493, with a maximum CVSS (a way of measuring vulnerability severity) score of 10.

The faulty SWARCO controller, which is designed to control traffic lights at an intersection, runs BlackBerry’s QNX real-time operating system, but the bug was a design fault rather than a software vulnerability, per se.


Austria-based traffic light company SWARCO was founded in 1969 and is a leading producer of street and road infrastructure.


A patch is now available. As NIST reminds anyone who’ll listen: “Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network [and] when remote access is required, use secure methods, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”
