Malicious hackers and pranksters could have hijacked billboard lighting systems by exploiting vulnerabilities found in a service provider’s mobile application.
While trying to find out how the lights on highway billboard signs are controlled, security researcher Randy Westergren came across SmartLink, a cellular controller system designed for remotely controlling and monitoring billboard lights. SmartLink, which has been installed more than 50,000 times, is provided by OutdoorLink, a company that specializes in helping outdoor advertising companies monitor and manage energy usage.
An analysis of the SmartLink Android app revealed that the authentication between the app and its backend API could be bypassed by a modified client, giving an attacker access to SmartLink customer data.
In addition to the authentication flaws, the mobile API used plain HTTP rather than HTTPS, so user credentials and other data were exposed to man-in-the-middle (MitM) attacks by anyone on the network path. Furthermore, one of the server's web directories was accessible to anyone and contained the API's source code along with log files that recorded user logins for the previous six months, including usernames and passwords in clear text.
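Two of the weaknesses above, login credentials written to log files in clear text and an API served over HTTP, are cheap to prevent at the logging and configuration layers. The following is an added example and is not OutdoorLink's code or anything from Westergren's write-up: a redacting `logging.Filter` that scrubs password and token values from every request log line before it reaches disk, and a check that flags any API base URL that is not HTTPS. The secret field names, the log line format, the sample log lines and the `api.example.invalid` hostnames are constructed for illustration.

```python
"""Scrub credentials from API request logs and flag cleartext API endpoints.

Added example, not OutdoorLink's code and not from Westergren's write-up.
Field names, log line format, sample lines and hostnames are constructed.
"""
import io
import logging
import re
from urllib.parse import urlsplit

# Parameter / JSON key names treated as secrets (assumed list; extend for your API).
# The [\w-]* prefix also catches variants such as access_token or user_password.
SECRET_NAMES = r"[\w-]*(?:password|passwd|pwd|token|secret|api_key)"

# key=value form: query strings and form-encoded bodies, e.g. password=Hunter2!
_KV = re.compile(r"(?i)\b(" + SECRET_NAMES + r")=([^&\s\"']*)")
# JSON form: "password":"..." (escaped quotes inside the value are handled).
_JSON = re.compile(r'(?i)("' + SECRET_NAMES + r'"\s*:\s*)"(?:\\.|[^"\\])*"')
MASK = "REDACTED"


def scrub_line(line: str) -> str:
    """Return the log line with secret values masked; all other text is unchanged."""
    line = _KV.sub(r"\1=" + MASK, line)
    return _JSON.sub(r'\1"' + MASK + '"', line)


class RedactingFilter(logging.Filter):
    """Handler-level filter: rewrite each record before any formatter writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_line(record.getMessage())
        record.args = ()  # message is already fully rendered
        return True


def write_request_log(lines) -> str:
    """Log each request line through a redacting handler and return the text written."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.Logger("api-requests")  # standalone logger, no global config
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    handler.flush()
    return sink.getvalue()


def cleartext_endpoints(base_urls):
    """Return the API base URLs that would carry credentials without TLS."""
    return [u for u in base_urls if urlsplit(u).scheme.lower() != "https"]


# Constructed sample request lines, in the shape a debug log might capture them.
SAMPLE_LINES = [
    "POST /api/login body=username=alice&password=Hunter2! ua=SmartLink/1.0",
    "GET /api/devices?access_token=abc123&site=17",
    'POST /api/login {"username":"bob","password":"s3cr\\"et","remember":true}',
]
# Constructed endpoint list: the http:// entry is the one the check must flag.
SAMPLE_ENDPOINTS = ["http://api.example.invalid/v1", "https://api.example.invalid/v1"]

if __name__ == "__main__":
    print(write_request_log(SAMPLE_LINES))
    print("cleartext endpoints:", cleartext_endpoints(SAMPLE_ENDPOINTS))
```

The filter sits on the handler rather than in the calling code, so a developer who later adds a debug log line cannot reintroduce plaintext passwords by accident; pair it with serving logs and source from outside the web root so that a browsable directory cannot expose them either.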
“It seemed OutdoorLink had broken every basic rule in the book and left all of their customers carelessly vulnerable to attack — it would be simple for an attacker to make his own ‘highway adblock’ by killing all of the billboard lights in the system,” Westergren explained in a blog post on Sunday.
The vulnerabilities were reported to OutdoorLink in late July and fixes were rolled out by the company over the next several months. The HTTP issue was addressed in mid-August and a fixed version of the SmartLink Android app was released in late August. A patched version of the SmartLink iOS application was only made available on the Apple App Store in early November when OutdoorLink also decommissioned the old, vulnerable API.
OutdoorLink has provided SecurityWeek the following statement:
“In his investigation, Randy Westergren found specific vulnerabilities in the interface between the app and the SmartLink™ website. To summarize his findings, there were debug log files he found present on the web server, and he found that it might be possible to create a malicious version of the SmartLink™ Android app, and use it to bypass security and login to the system, potentially gaining control of the illumination schedules of billboards.
OutdoorLink took quick steps to resolve some issues he found with the server side of the app interface the day we received his report, and quickly released new apps within a matter of days for Android and iOS that forced the use of SSL to mitigate security concerns while we overhauled the apps for security. A fully redesigned Android app was released within one month of receiving the initial report. It took a little over two months to release an updated iOS app due to other changes required for iOS 9 support as well as the much more extensive review process Apple requires before approving app updates in their store.
There is no evidence in system security and audit logs that any true exploits of this app vulnerability ever occurred, and it is important to note that this vulnerability did not extend to the OutdoorLink website, which is the primary user interface to the SmartLink™ system. We appreciate the fact that Randy was willing to delay his disclosure until after new apps had been released that addressed the security concerns he discovered.”
This is not the first time Westergren has found serious security holes in the mobile applications of major companies. Last week, he reported discovering a flaw in United Airlines’ mobile app that could have been exploited to access customer information and manage flight reservations. It took United Airlines nearly six months to patch the vulnerability.
*Updated with statement from OutdoorLink