A critical vulnerability in a traffic light controller deployed on roads across Europe could cause “sustained traffic chaos”, according to a security expert from the firm that discovered the problem.
The hardware (Swarco CPU LS4000), which controls traffic lights at intersections, had a debugging port open by default, allowing attackers to gain root access without needing to bypass access controls.
The flaw – which has now been patched by Austrian manufacturer Swarco Traffic Systems – was exploitable remotely with modest technical skill, according to a US-CERT advisory issued last week.
Although the vulnerability has a CVE number (CVE-2020-12493) – and the maximum CVSS score of 10 – it’s a misconfiguration problem rather than “a bug or software defect”, Professor Peter Fröhlich, managing director at ProtectEM, which discovered the flaw, told The Daily Swig.
ProtectEM, a German industrial cybersecurity consultancy, found the flaw during a security audit for an unnamed city in Germany.
Exploiting the flaw
Professor Fröhlich, an expert in the security of embedded systems, said ProtectEM demonstrated a scenario where an automated attack exploiting the configuration error could have deactivated all traffic lights simultaneously.
Here, the traffic lights would phase from blinking amber lights, to solid red, to off.
“This attack could have been made persistent in a way that only physical access to each controller would have remedied the problem,” Professor Fröhlich said.
This could have led to “sustained traffic chaos”.
However, the ability to set all lights to green – a potentially more dangerous scenario – “was prevented by an underlying safety mechanism”.
Explaining the exploitation process, Professor Fröhlich said researchers ran replay attacks on the embedded field bus, and accessed internal devices by routing the driver through.
That allowed access to both the application control and I/O levels.
“Bricking was easy, but also command could be sent directly to the I/O via fieldbus,” he added.
“No domain specific knowledge was necessary; only general embedded programming and system skills.”
What’s more, attackers could readily detect an open port on a city network-connected controller with “tools like nmap”, added Professor Fröhlich.
Difficult to fathom
Andrew Tierney, a consultant specializing in IoT security at Pentest Partners, told The Daily Swig that exploiting such flaws in a “coherent and malicious” way was complicated by the fact that traffic control systems are often “difficult to fathom without diagrams and detailed domain knowledge.
“A lot of ICS gear still run RTOS, which makes it challenging to compromise outside of the normal scope of operation – you could control the lights, but not get an OS-shell.
Gaining access to “segregated networks” on which most industrial control systems sit – whether via “Windows machines on the city council network” or by “stealing a SIM card” from a street cabinet – poses another hurdle, he said.
If they’re “sat on the open internet”, exploitation becomes rather easier.
Tierney adds: “Of course, defence-in-depth tells us that having open root access is still a bad idea, but we’re unlikely to see a script kiddy going all Italian Job/Die Hard 4.0 on us.”
Tierney, who said traffic light controllers rarely appear on IoT search engine Shodan, said unauthenticated debug ports in industrial control systems were rare.
Patch and mitigation
ProtectEM’s Martin Aman reported the problem in July 2019, and Swarco Traffic Systems rolled out a patch for the controller that closed the port in April, said Professor Fröhlich.
The flaw affected all versions of the controller’s operating system back to G4.
“Since this vulnerability also affects KRITIS applications, from the very beginning we worked closely with CERT@VDE [Germany’s computer emergency response team dedicated to industrial automation, which published its own advisory] to guide us through the process of responsible disclosure,” said Fröhlich.
Swarco has created a new product security role in the wake of the process, while the German city in question “has taken additional measures to harden their intelligent traffic systems beyond the patch”, he added.
Pending application of the patch, the US Cybersecurity and Infrastructure Security Agency (CISA) advises engineers to minimize industrial control systems’ network exposure to the internet; isolate firewall-protected control system networks and remote devices from the business network; and use virtual private networks for remote access.
Professor Fröhlich said industrial IoT vendors should learn from the vulnerability.
“Embedded controllers not only run traffic lights but also lighting systems, heating and cooling, elevators, doors and many other automated systems,” he warns.
Many such, increasingly connected systems neglect cybersecurity, he warned, so vendors must “ramp up their focus, expertise and processes.”