A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched.
Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).
The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software.
Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials.
“A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.
The second issue, tracked as CVE-2023-0451 and rated ‘high severity’, is an improper access control issue. An attacker can view log, database and configuration files that can contain username and password hashes for users, including administrators and technicians.
These vulnerabilities can allow a remote, unauthenticated attacker to gain full control of traffic control functions.
Amin has conducted an internet search to see how many EOS systems are exposed to attacks from the web. He told SecurityWeek that he identified roughly 50 exposed controllers that are running older firmware. These systems are not affected by the flaws he discovered, but they are still not secure.
In addition, he discovered approximately 30 controllers running 2018-2020 versions of the EOS software and these systems are vulnerable to remote attacks.
He also found roughly 500 instances of associated devices that can be found in the affected controllers’ proximity, including routers and cameras, which have their own security issues.
The researcher explained in a post on LinkedIn that the vulnerable devices are typically located on toll roads and in small cities and counties. While the exposed devices are not in major cities, they do appear to be near international airports, border crossings, shopping centers, universities and hospitals.
A hacker who successfully exploits these vulnerabilities can control traffic lights, but the researcher pointed out that they cannot turn all the lights green, which would have a serious safety impact.
“Still, an attacker can make it very hard to pass the controlled crossroad, making green very short, and red very long, or just green very long in one direction,” the researcher explained. “An attacker can create VIP routes for runaway vehicles [and] slow down some targeted vehicles, like ones with valuable things. And much more. People will lose time, money and hopefully not their life.”
He added that once they have access to the controller, an attacker can also hack related equipment, such as sensors and cameras.
The vendor has not responded to SecurityWeek’s request for comment.
CISA initially said in its advisory that Econolite had not responded to the agency’s attempts to coordinate disclosure of the vulnerabilities. However, after Amin described the impact of his findings on LinkedIn, CISA updated its advisory to say that the company is working on patches.
Until patches are released, Amin recommends disconnecting affected controllers from the internet, ensuring that controller cabinets are secure against physical attacks (an attacker with physical access to a control can take complete control of the system), isolating the networks housing controllers, installing firmware updates when available, and changing passwords and WLAN access codes.
Amin told SecurityWeek that the Econolite EOS vulnerabilities were discovered as part of a bigger research project whose results will be made public in the upcoming period.
Related: Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights
Related: Senators Ask DHS, DOT About Transportation Infrastructure Cybersecurity