A critical vulnerability affecting traffic light controllers made by SWARCO could have been exploited by hackers to disrupt a city’s traffic lights.
SWARCO is an Austria-based company that specializes in traffic management, traffic safety, road marking and other solutions typically found in smart cities. Its products have been deployed in over 70 countries around the world.
Researchers at ProtectEM, a Germany-based company that provides cybersecurity guidance and solutions for industrial and embedded systems, discovered that SWARCO’s CPU LS4000 traffic light controllers are vulnerable to attacks due to an open port designed for debugging.
The flaw, tracked as CVE-2020-12493 with a CVSS score of 10, was reported to the vendor in July 2019 and a patch was provided by SWARCO to customers in April. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s VDE CERT recently published advisories for the vulnerability.
Peter Fröhlich, managing director at ProtectEM, told SecurityWeek that the vulnerability was discovered during a security audit conducted for a city in Germany that hired his company to analyze networked traffic systems.
The affected SWARCO controller runs BlackBerry’s QNX real-time operating system and it’s designed to control traffic lights in one intersection. The system had a debug port open, which granted root access over the network without a password, allowing an attacker to remotely shut down or manipulate impacted controllers.
Fröhlich says his company has found no evidence that these types of systems are exposed to the internet — at least not in the case of the city whose network they analyzed. The more likely attack vector involves gaining physical access to the targeted network, which, as he described it, is “by its very nature distributed throughout the city.”
“In the unpatched system, an attacker gets unlimited root access to any traffic light controller without requiring any credentials through a well documented and known feature of the underlying operating system. The access is meant for debugging, so it is not a bug or software defect that can be exploited. Rather the system was deployed in a configuration not meant for a production system with no security in place for this access port. As documented for the operating system, for a production system this debug option needs to be turned off,” Fröhlich explained.
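Because the finding is a listening service rather than a software bug, the practical post-patch check is to confirm from inside the traffic network that no controller still answers on the debug port. The following Python script is an added example written for this article, not ProtectEM's or SWARCO's tooling; the port number (8000), the hostnames and the timeout are assumptions, since the article does not name the port, and should be replaced with the values from the vendor's advisory and the city's controller inventory.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# ASSUMPTION: the TCP port of the unauthenticated debug service. The article
# does not give the number; take it from the vendor advisory.
DEBUG_PORT = 8000


def debug_port_reachable(host, port=DEBUG_PORT, timeout=2.0):
    """Return True if a TCP handshake to host:port completes.

    No protocol exchange is attempted: the article describes a listener that
    hands out root with no password, so the listener being reachable from the
    traffic network is already the finding.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def audit_controllers(hosts, port=DEBUG_PORT, timeout=2.0, workers=32):
    """Probe every controller concurrently and return {host: reachable}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: debug_port_reachable(h, port, timeout), hosts))
    return dict(zip(hosts, results))


def exposed_controllers(report):
    """Sorted list of hosts that still answer on the debug port."""
    return sorted(host for host, reachable in report.items() if reachable)


if __name__ == "__main__":
    # Constructed sample inventory (assumed addresses, not from the article).
    inventory = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    report = audit_controllers(inventory)
    for host in exposed_controllers(report):
        print(f"{host}: debug port {DEBUG_PORT} reachable, controller still exposed")
    if not exposed_controllers(report):
        print("no controller answered on the debug port")
```

Run it from a host on the same network segment as the controllers, before and after rolling out the vendor patch; any address that remains in the exposed list has either not been patched or has been redeployed with the debug option enabled again. A clean result from the internet proves nothing here, because the article's point is that the attack surface is the city-wide internal network, not the public side.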
ProtectEM has demonstrated to its client and SWARCO how an automated attack targeting this vulnerability could have “deactivated all traffic lights simultaneously,” requiring physical access to each impacted controller to resolve the problem. Such a scenario would involve “an intentional, malicious attack with criminal intent (e.g. extortion),” Fröhlich noted.
The cybersecurity firm has shown how an attacker could cause the controller to turn all traffic lights off, turn them all red (this would bring all traffic to a standstill and cause traffic jams), or set them to blink on yellow. Making all the lights turn green, which in a real-world scenario can have the most severe impact as it would increase the risk of traffic accidents, is likely prevented by an additional lower safety level in the controller, Fröhlich said, noting that they were not tasked to validate that.
Researchers have shown on several occasions in the past that smart city systems are often vulnerable to hacker attacks, but patching vulnerabilities is only part of the solution. ProtectEM said the city whose systems it analyzed took additional measures to harden its intelligent traffic systems against attacks.
“As we move to smart cities the industry faces new challenges with respect to hardening their system against intentional and untargeted security threats. Embedded controllers not only run traffic lights but also lighting systems, heating and cooling, elevators, doors and many other automated systems which affect a large number of people. Manipulation of the behavior of such systems or mere denial of service can create significant impact,” Fröhlich concluded. “Yet many of those systems have not yet been created with a focus on cyber security. With increased connectivity and networking these systems become vulnerable. As can be seen in this specific example, vendors of such embedded systems are facing new challenges and will need to ramp up their focus, expertise and processes.”