More than 150,000 traffic controllers spread across the continental US run vulnerable software that has yet to be patched, despite warnings of the dangers, a security researcher has discovered.
When most people think of vulnerable devices connected to the internet, traffic controllers or traffic lights aren’t top of mind. But the truth is that many such devices are online for ease of management. Like any other networked hardware, though, these devices, traffic lights included, can have vulnerabilities.
Security researcher Rustam Amin discovered that more than 150,000 traffic controllers in the US are running an out-of-date version of the EOS software, leaving them vulnerable. The ability of a third party to gain control and change traffic lights on a whim is a terrifying prospect.
Making matters worse, the company making the software didn’t initially respond to the US Cybersecurity and Infrastructure Security Agency’s (CISA) notification about the problems, according to a report by The Stack.
“All versions of Econolite EOS traffic control software are vulnerable to CWE-328: Use of Weak Hash, and use a weak hash algorithm for encrypting privileged user credentials,” read the official advisory. “A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians.”
Its threat score, at 9.8 out of 10, is pretty much as bad as it gets. But there’s also a second vulnerability tracked as CVE-2023-0452, which has a base score of “only” 7.5.
“The affected product lacks a password requirement for gaining “READONLY” access to log files, as well as certain database and configuration files,” states the advisory. “One such file contains tables with message-digest algorithm 5 (MD5) hashes and usernames for all defined users in the control software, including administrators and technicians.”
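As an added illustration that is not part of the article or the advisory: an audit over a constructed credential table in the shape the advisory describes (usernames paired with bare MD5 digests), beside the salted, slow-KDF storage that avoids CWE-328. The file format, account names and digests below are invented for the example; the real EOS file layout is not known here.

```python
import hashlib
import hmac
import os
import re

# Constructed sample, not an Econolite EOS file: one "user:md5hex" entry per line.
# admin and technician deliberately share a digest to show what unsalted hashing leaks.
SAMPLE_CREDENTIAL_TABLE = """\
admin:0123456789abcdef0123456789abcdef
technician:0123456789abcdef0123456789abcdef
operator:fedcba9876543210fedcba9876543210
"""

# A bare 32-hex-character digest next to a username is the MD5-length, unsalted pattern.
MD5_ENTRY = re.compile(r"^(?P<user>[^:\s]+):(?P<digest>[0-9a-f]{32})$")


def audit_credential_table(text: str) -> dict:
    """Flag accounts stored as unsalted MD5-length digests (CWE-328) and digests
    shared by several accounts, which reveals reused passwords without any cracking."""
    weak, by_digest = [], {}
    for line in text.splitlines():
        m = MD5_ENTRY.match(line.strip())
        if m:
            weak.append(m["user"])
            by_digest.setdefault(m["digest"], []).append(m["user"])
    shared = {d: users for d, users in by_digest.items() if len(users) > 1}
    return {"weak_accounts": weak, "shared_digests": shared}


def store_password(password: str, iterations: int = 200_000) -> str:
    """Hardened form: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time; rejects legacy MD5 entries."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(audit_credential_table(SAMPLE_CREDENTIAL_TABLE))
    record = store_password("example-passphrase")
    print(record, verify_password("example-passphrase", record))
```

The audit needs no plaintexts: identical digests for two accounts are visible in the file itself, which is exactly what a salt prevents.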
From what CISA has published so far, Econolite apparently responded eventually and is now working on patches.