Monday, June 16, 2014

Godzilla, zombies, and more thanks to highway sign security flaws

One Friday in May, drivers in several North Carolina cities saw something unexpected on their morning commute. Electronic signs above several highways – which normally displayed traffic alerts or safety reminders – instead read “HACK BY SUN HACKER.” In one case the sign also included an invitation to connect with the hacker on Twitter.

This isn’t the first case of “unofficial alerts” showing up on street signs. Earlier in May, a sign in San Francisco warned of a Godzilla Attack. In this case, the sign was owned by an equipment rental business that had rented the sign to the city for the annual Bay to Breakers race, and was apparently not Internet-connected. Rather, it was a matter of obtaining the combination to or physically breaking the lock, and reprogramming the message in person. Five years ago, signs in Austin warned of an impending zombie attack, while signs in Indiana alerted motorists to dinosaurs. Again, the signs were reprogrammed in person – a trivial activity as long as one can get past the (often flimsy) lock and follow.

The NC hack was a different breed – the so-called Variable Message Signs or VMS are managed via a private network and can be programmed remotely, presumably from the Department of Transportation offices. They also were on a high-traffic highway rather than a surface street. Some have suggested this latest hack may be related to the release of the video game “Watch Dogs,” a highly-anticipated game that strongly features hacking in the game play. Specifically, gameplay includes hacking closed circuit TV cameras, street lights, cell phones, and yes, street signs. As an MS-ISAC alert acquired by Brian Krebs states, “[Center for Internet Security] believes it is likely that a small percentage of Watch Dog players will experiment with compromising computers and electronic systems outside of game play, and that this activity will likely affect government systems and Department of Transportation (DOT) systems in particular.”

These examples are pretty humorous (and harmless), but there are many ways the same compromises could be used to cause real harm. Imagine an Amber Alert that targets an innocent party, or a hurricane evacuation notice that directs traffic TOWARD the danger. The ability to abusively control highway signage could be used in some less humorous ways. Even if there is no malicious intent, unexpected messages tend to slow traffic and distract drivers.

Part of the problem is that some state agencies outsource their IT operations, and the outsourced firms may or may not have the same interest in security that the government entities have. A case in point is the Texas Department of Transportation, TxDOT. In April I found a credit card disclosure issue in the Texas Tollways web site. It turns out that TxDOT network and telecommunications, as well as IT security, were outsourced to NTT Data beginning about a year ago. Due to the separation between the state agency and the firm providing IT security, it proved very difficult to reach someone who had both an interest in it being fixed, and the capacity to do anything about it.

The organization did address the credit card disclosure quickly, but has still done nothing about a weak logon scheme. Accounts all have a predictable user ID, and about 1 in 5 account holders have foolishly selected 1234, 1111, or 1212 as their password. A determined hacker could easily automate the process of scanning all possible account numbers and within a few days have access to personal information contained in every one of those accounts. The Terrell Tribune reports that TxDOT has hired a developer to redesign the agencies toll billing system and simplify login. Perhaps that redesign will also address account security.

In many cases, consumers can "vote with their wallets," choosing to do business with organizations that protect their information, and not with organizations that are lackadaisical about security. Unfortunately there is no such option when it comes to government agencies - the only real choice is to not partake in the service offered by that agency. We can though let our state and local officials know we are not happy with the situation. And we can at least make the most of the security measures that are available: for goodness sake, don't use 1234 as a password!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen