A critical vulnerability in a traffic light controller has been found, which might allow attackers to change the lights and cause a traffic jam.
A traffic signal controller is one of the most essential devices for controlling traffic at junctions. A trained professional programs into it the sequence that dictates who gets to go when, and for how long a light remains green or red.
Researcher Andrew Lemon of Red Threat, a cybersecurity company, examined the Intelight X-1 controller, which allowed any user to gain complete control of the traffic signals.
A blog post from last week states that “once an attacker bypasses the authentication prompt, they have full access to make any changes they want on the controller.
An attacker can increase the duration of a specific phase, upload their own configuration, or throw the intersection into 4-way flash mode”.
Authentication Bypass Vulnerability
A collection of standards called the National Transportation Communications for Intelligent Transportation System Protocol (NTCIP) is intended to make computers and electronic traffic control equipment from various manufacturers interchangeable and interoperable.
The researcher retrieved the MIBs to query controllers using SNMP alone and obtain accurate results. Despite having an excellent mission statement, Freethemibs cannot succeed if the vendors fail to provide the MIBs.
Q-Free requested for MIBs; however, no follow-up was sent, and the MIBs were never made available.
The key to enumerating everything over SNMP was the MIB Browser, which was found on iReasoning. The researcher was able to load the default MIBs and begin collecting controller data right away.
The researcher said 90% of the data required can be queried with SNMPv2-MIB, which is contained in iReasoning's MIBs folder.
“After I completed a mib walk of our Econolite controller I noticed the majority of values are writable without the need for authentication. With that I could change values like sysLocation to anything I wanted”, the researcher explained.
Finally, when the Intelight controller was queried, the MIB Browser was used to change the readable value to 1, which disables Web Security on a controller that has NTCIP enabled; when security is enabled, the OID value is set to 2.
Alternatively, the researcher said we can query the OIDs for username .1.3.6.1.4.1.1206.3.36.1.6.10.2.0 or password .1.3.6.1.4.1.1206.3.36.1.6.10.3.0 and the controller will return them in clear text.
MIB Browser to change the login credentials
Hence, he said we have the option to use MIB Browser to change the login credentials, or we may use the ones we already know. This authentication bypass vulnerability is tracked as CVE-2024-38944.
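A defender-side check for the exposure described above, added here as an example and not taken from the researcher's post or any vendor tooling: it parses numeric `snmpwalk -On` output saved from a controller you operate and reports whether the two credential OIDs quoted in the article returned a value, without echoing the secrets. The sample walk, the function names and the assumed net-snmp output style are constructed for illustration.

```python
import re

# OIDs quoted in the article (NTCIP subtree under enterprise 1206).
CRED_OIDS = {
    ".1.3.6.1.4.1.1206.3.36.1.6.10.2.0": "web username",
    ".1.3.6.1.4.1.1206.3.36.1.6.10.3.0": "web password",
}
NTCIP_PREFIX = ".1.3.6.1.4.1.1206."

# One line of numeric walk output: <oid> = <TYPE>: <value>  (type is optional)
LINE_RE = re.compile(r'^(\.\d+(?:\.\d+)*) = (?:([A-Za-z0-9\- ]+): ?)?(.*)$')

def parse_walk(text):
    """Return {oid: (type, value)} for objects the agent actually returned."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, typ, val = m.groups()
        if val.startswith(("No Such", "No more")):  # agent refused / no object
            continue
        rows[oid] = (typ or "", val.strip().strip('"'))
    return rows

def audit(rows):
    """List findings; credential values are reported by length only."""
    findings = []
    for oid, label in CRED_OIDS.items():
        _, val = rows.get(oid, ("", ""))
        if val:
            findings.append(
                f"{label} readable over SNMP at {oid} ({len(val)} chars, redacted)")
    exposed = sum(1 for oid in rows if oid.startswith(NTCIP_PREFIX))
    if exposed:
        findings.append(f"{exposed} NTCIP objects returned in this walk")
    return findings

# Constructed sample, not captured from a real device.
SAMPLE = '''\
.1.3.6.1.2.1.1.6.0 = STRING: "Main St & 1st Ave cabinet"
.1.3.6.1.4.1.1206.3.36.1.6.10.2.0 = STRING: "example-user"
.1.3.6.1.4.1.1206.3.36.1.6.10.3.0 = STRING: "example-pass"
'''

if __name__ == "__main__":
    for finding in audit(parse_walk(SAMPLE)):
        print("FINDING:", finding)
```

An empty result for a walk taken from the management network is the expected state once SNMP access to the controller is restricted.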
There are specific MIBs for every type of technology, which suggests that the OID value on Digital Signs might be compromised via the same technique.
“At this time I’m unable to confirm this until a customer brings digital signage into the scope of an engagement or one of them goes up for sale on eBay”, the researcher said.
Highway Digital Signs were “hacked” in an event that occurred in 2014 as a result of default credentials being left behind after installation and telnet being accessible online.