It is a staple of too many action films to count: the hackers/police taking over traffic light systems to cause havoc/spring a trap on the bad guys.
It could have easily been the reality in Germany, with a routine audit of an unnamed city’s networked traffic systems turning up a security howler in its infrastructure, which has been given the maximum CVSS score of 10
To blame: traffic light and infrastructure provider SWARCO, which had left a port for debugging open by default; an attacker could access it remotely without needing any access controls, getting immediate root access.
The bug (in in SWARCOs CPU LS4000 Series) was spotted by researchers at German security firm ProtectEM, who uncovered the vulnerability during a routine audit of an unnamed city’s networked traffic systems.
According to cyber security framework NIST. If left unchecked: “A malicious user could… disturb operations with connected devices”.
Traffic Light Vulnerability
The vulnerability was given the CVE-2020-12493 with a maximum CVSS (a way of measuring vulnerability severity) score of 10.
The faulty SWARCO controller runs Blackberry’s QNX real-time operating system, which is designed to control traffic lights at an intersection, but the bug was a design fault rather than a software vulnerability, per se.
Austria based traffic light company SWARCO was founded in 1969 and is a leading producer of street and road infrastructure.
A patch is now available. As NIST reminds anyone who’ll listen: “Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
“Locate control system networks and remote devices behind firewalls, and isolate them from the business network [and] when remote access is required, use secure methods, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”