Insecure App Exposed Billboard Lights to Hacker Attacks

Malicious hackers and pranksters could have hijacked billboard lighting systems by exploiting vulnerabilities found in a service provider’s mobile application.

While trying to find out how the lights on highway billboard signs are controlled, security researcher Randy Westergren came across SmartLink, a cellular controller system designed for remotely controlling and monitoring billboard lights. SmartLink, which has been installed more than 50,000 times, is provided by OutdoorLink, a company that specializes in helping outdoor advertising companies monitor and manage energy usage.

An analysis of the SmartLink Android app revealed that the user authentication mechanism could be easily bypassed, allowing an attacker to gain access to SmartLink customer data.

In addition to authentication flaws, the expert discovered that the mobile API used HTTP to transmit data, which exposed user credentials and other information to man-in-the-middle (MitM) attacks. Furthermore, one of the accessible web directories included files containing the API source code and log files storing user logins for the past six months, including usernames and passwords in clear text.
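The following Python example is added here and is not code from the article, from the researcher or from OutdoorLink. It shows the two defensive controls that correspond to the weaknesses just described: a client that refuses any API base URL not served over TLS, and a log sanitizer that strips credential fields before a line is written and can audit log files already on disk. The hostnames, the sample log lines and the list of sensitive field names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample values (not from the article): a plaintext API base URL
# of the kind the SmartLink app used, and its TLS-only replacement.
WEAK_API_BASE = "http://api.example.invalid/v1"
FIXED_API_BASE = "https://api.example.invalid/v1"


def api_base_is_acceptable(url: str) -> bool:
    """Accept an API base URL only if it uses TLS.

    A client that refuses plaintext endpoints cannot hand its credentials to
    an on-path (MitM) attacker, which is the transport weakness described
    above. A downgrade then fails loudly instead of silently working.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


# Field names whose values must never be written to a log (assumed list).
# The pattern handles query-string style (password=...) and JSON style
# ("password": "...") and also catches prefixed names such as access_token.
_SENSITIVE = r"(?:password|passwd|pwd|token|secret)"
_KV_PATTERN = re.compile(
    r"(?i)\b(\w*" + _SENSITIVE + r")\b"  # 1: the field name
    r"(['\"]?\s*[=:]\s*)"                 # 2: separator, incl. closing quote of a JSON key
    r"(['\"]?)"                           # 3: optional opening quote of the value
    r"([^'\"&\s,}]*)"                     # 4: the value itself
    r"\3"                                 #    matching closing quote, if any
)


def redact_line(line: str) -> str:
    """Return the log line with every sensitive value replaced by [REDACTED]."""
    return _KV_PATTERN.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}[REDACTED]{m.group(3)}",
        line,
    )


def audit_log(lines):
    """Scan existing log lines; return (sanitized lines, count that leaked a secret).

    Useful as a one-off check over log directories like the six months of
    login records described above, before deciding whether they may be kept.
    """
    sanitized = [redact_line(line) for line in lines]
    leaked = sum(1 for orig, clean in zip(lines, sanitized) if orig != clean)
    return sanitized, leaked


# Constructed sample log lines in the style an API debug log might contain.
SAMPLE_LOG = [
    '2015-07-30 POST /login user=alice&password=hunter2 200',
    '2015-07-30 body={"username": "bob", "password": "s3cret!"}',
    '2015-07-31 GET /lights?site=42 access_token=abc.def.ghi 200',
    '2015-07-31 GET /health 200',
]

if __name__ == "__main__":
    for url in (WEAK_API_BASE, FIXED_API_BASE):
        status = "ok" if api_base_is_acceptable(url) else "REJECTED (no TLS)"
        print(f"{url}: {status}")
    clean, leaked = audit_log(SAMPLE_LOG)
    print(f"{leaked} of {len(SAMPLE_LOG)} lines contained credentials")
    print("\n".join(clean))
```

Rejecting the URL at configuration time is the simplest form of the control; in a real app the same rule belongs in the HTTP layer so that a redirect to a plaintext URL is also refused. The redaction runs on the log line rather than on the request object, so it also works as an audit pass over files that were written before the control existed.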

“It seemed OutdoorLink had broken every basic rule in the book and left all of their customers carelessly vulnerable to attack — it would be simple for an attacker to make his own ‘highway adblock’ by killing all of the billboard lights in the system,” Westergren explained in a blog post on Sunday.

The vulnerabilities were reported to OutdoorLink in late July and fixes were rolled out by the company over the next several months. The HTTP issue was addressed in mid-August and a fixed version of the SmartLink Android app was released in late August. A patched version of the SmartLink iOS application was only made available on the Apple App Store in early November when OutdoorLink also decommissioned the old, vulnerable API.

OutdoorLink has provided SecurityWeek the following statement:

“In his investigation, Randy Westergren found specific vulnerabilities in the interface between the app and the SmartLink™ website. To summarize his findings, there were debug log files he found present on the web server, and he found that it might be possible to create a malicious version of the SmartLink™ Android app, and use it to bypass security and login to the system, potentially gaining control of the illumination schedules of billboards.

OutdoorLink took quick steps to resolve some issues he found with the server side of the app interface the day we received his report, and quickly released new apps within a matter of days for Android and iOS that forced the use of SSL to mitigate security concerns while we overhauled the apps for security. A fully redesigned Android app was released within one month of receiving the initial report. It took a little over two months to release an updated iOS app due to other changes required for iOS 9 support as well as the much more extensive review process Apple requires before approving app updates in their store.

There is no evidence in system security and audit logs that any true exploits of this app vulnerability ever occurred, and it is important to note that this vulnerability did not extend to the OutdoorLink website, which is the primary user interface to the SmartLink™ system. We appreciate the fact that Randy was willing to delay his disclosure until after new apps had been released that addressed the security concerns he discovered.”

This is not the first time Westergren has found serious security holes in the mobile applications of major companies. Last week, he reported discovering a flaw in United Airlines’ mobile app that could have been exploited to access customer information and manage flight reservations. It took United Airlines nearly six months to patch the vulnerability.

Westergren also identified security bugs in mobile applications offered by Verizon, Marriott, and Delmarva Power.

*Updated with statement from OutdoorLink

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
