Insecure App Exposed Billboard Lights to Hacker Attacks

Malicious hackers and pranksters could have hijacked billboard lighting systems by exploiting vulnerabilities found in a service provider’s mobile application.

While trying to find out how the lights on highway billboard signs are controlled, security researcher Randy Westergren came across SmartLink, a cellular controller system designed for remotely controlling and monitoring billboard lights. SmartLink, which has been installed more than 50,000 times, is provided by OutdoorLink, a company that specializes in helping outdoor advertising companies monitor and manage energy usage.

An analysis of the SmartLink Android app revealed that the user authentication mechanism could be easily bypassed, allowing an attacker to gain access to SmartLink customer data.

In addition to authentication flaws, the expert discovered that the mobile API used HTTP to transmit data, which exposed user credentials and other information to man-in-the-middle (MitM) attacks. Furthermore, one of the accessible web directories included files containing the API source code and log files storing user logins for the past six months, including usernames and passwords in clear text.
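The two defensive controls the findings above call for, keeping credentials out of server-side debug logs and refusing to talk to an API over cleartext HTTP, shown as an added Python illustration (not OutdoorLink's or SmartLink's code; the filter, function names and the sample log line are assumptions):

```python
import logging
import re
from urllib.parse import urlparse

# Patterns for the usual ways a login ends up in a debug log:
# form/query style (password=...), JSON style ("password": "..."),
# and HTTP Authorization headers. All are matched case-insensitively.
_PATTERNS = [
    (re.compile(r'(?i)(password|passwd|pwd)=([^&\s]+)'), r'\1=[REDACTED]'),
    (re.compile(r'(?i)("(?:password|passwd|pwd)"\s*:\s*")([^"]*)(")'), r'\1[REDACTED]\3'),
    (re.compile(r'(?i)(authorization:\s*(?:basic|bearer)\s+)\S+'), r'\1[REDACTED]'),
]


def redact(text: str) -> str:
    """Return text with credential values replaced by [REDACTED]."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text


class CredentialRedactor(logging.Filter):
    """Logging filter that scrubs credentials before a record is written."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then redact the result
        # so a password passed as a %s argument is caught as well.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def require_https(api_base: str) -> str:
    """Refuse to build an API client against a cleartext endpoint."""
    scheme = urlparse(api_base).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing cleartext API endpoint: {api_base}")
    return api_base


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("api")
    log.addFilter(CredentialRedactor())
    # Constructed sample of the kind of debug line that leaks a login.
    log.debug("POST /login user=%s password=%s", "alice", "hunter2")
    print(require_https("https://api.example.invalid/v1"))
```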

“It seemed OutdoorLink had broken every basic rule in the book and left all of their customers carelessly vulnerable to attack — it would be simple for an attacker to make his own “highway adblock” by killing all of the billboard lights in the system,” Westergren explained in a blog post on Sunday.

The vulnerabilities were reported to OutdoorLink in late July and fixes were rolled out by the company over the next several months. The HTTP issue was addressed in mid-August and a fixed version of the SmartLink Android app was released in late August. A patched version of the SmartLink iOS application was only made available on the Apple App Store in early November when OutdoorLink also decommissioned the old, vulnerable API.

OutdoorLink has provided SecurityWeek the following statement:

“In his investigation, Randy Westergren found specific vulnerabilities in the interface between the app and the SmartLink™ website. To summarize his findings, there were debug log files he found present on the web server, and he found that it might be possible to create a malicious version of the SmartLink™ Android app, and use it to bypass security and log in to the system, potentially gaining control of the illumination schedules of billboards.

OutdoorLink took quick steps to resolve some issues he found with the server side of the app interface the day we received his report, and quickly released new apps within a matter of days for Android and iOS that forced the use of SSL to mitigate security concerns while we overhauled the apps for security. A fully redesigned Android app was released within one month of receiving the initial report. It took a little over two months to release an updated iOS app due to other changes required for iOS 9 support as well as the much more extensive review process Apple requires before approving app updates in their store.

There is no evidence in system security and audit logs that any true exploits of this app vulnerability ever occurred, and it is important to note that this vulnerability did not extend to the OutdoorLink website, which is the primary user interface to the SmartLink™ system. We appreciate the fact that Randy was willing to delay his disclosure until after new apps had been released that addressed the security concerns he discovered.”

This is not the first time Westergren has found serious security holes in the mobile applications of major companies. Last week, he reported discovering a flaw in United Airlines’ mobile app that could have been exploited to access customer information and manage flight reservations. It took United Airlines nearly six months to patch the vulnerability.

Westergren also identified security bugs in mobile applications offered by Verizon, Marriott, and Delmarva Power.

*Updated with statement from OutdoorLink

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.