SecurityWeek

Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking

Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.

A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched. 

Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).

The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software. 

Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials. 

“A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.

The second issue, tracked as CVE-2023-0451 and rated ‘high severity’, is an improper access control issue. An attacker can view log, database and configuration files that can contain username and password hashes for users, including administrators and technicians. 
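
The weakness class behind CVE-2023-0452 can be audited for in an exported configuration file. The sketch below is an example added here, not code from Econolite, CISA or the researcher: it flags credential fields that hold a bare 32-hex digest, shows how identical digests across accounts reveal unsalted hashing, and stores the same secret with a salted, slow KDF instead. The config layout, key names and sample passwords are constructed, and PBKDF2 is an illustrative replacement, not the vendor's fix.

```python
import hashlib
import hmac
import os
import re

CRED_KEY = re.compile(r"(pass|pwd|secret)", re.I)   # assumed credential key names
BARE_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")       # shape of an MD5 hex digest
PBKDF2_ITERATIONS = 600_000

def _md5(pw):  # only used to build the constructed sample below
    return hashlib.md5(pw.encode()).hexdigest()

# Constructed sample; the real EOS configuration format is not shown in the article.
SAMPLE_CONFIG = "\n".join([
    "admin.password = " + _md5("example-one"),
    "technician.password = " + _md5("example-one"),
    "operator.password = " + _md5("example-two"),
    "device.name = cabinet-17",
])

def find_bare_md5(config_text):
    """Return {key: digest} for credential fields holding a bare 32-hex digest."""
    found = {}
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and CRED_KEY.search(key) and BARE_HEX32.match(value.strip()):
            found[key.strip()] = value.strip().lower()
    return found

def shared_digests(found):
    """Group accounts with identical digests, which indicates no per-user salt."""
    groups = {}
    for key, digest in found.items():
        groups.setdefault(digest, []).append(key)
    return [sorted(keys) for keys in groups.values() if len(keys) > 1]

def hash_password(password):
    """Salted, slow storage format: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    _, iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

if __name__ == "__main__":
    print(shared_digests(find_bare_md5(SAMPLE_CONFIG)))
```

Stronger hashing addresses only the storage weakness; the file being readable without authentication (CVE-2023-0451) is a separate access-control problem.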

These vulnerabilities can allow a remote, unauthenticated attacker to gain full control of traffic control functions. 

Amin has conducted an internet search to see how many EOS systems are exposed to attacks from the web. He told SecurityWeek that he identified roughly 50 exposed controllers that are running older firmware. These systems are not affected by the flaws he discovered, but they are still not secure. 


In addition, he discovered approximately 30 controllers running 2018-2020 versions of the EOS software and these systems are vulnerable to remote attacks.

He also found roughly 500 instances of associated devices that can be found in the affected controllers’ proximity, including routers and cameras, which have their own security issues. 

The researcher explained in a post on LinkedIn that the vulnerable devices are typically located on toll roads and in small cities and counties. While the exposed devices are not in major cities, they do appear to be near international airports, border crossings, shopping centers, universities and hospitals. 

A hacker who successfully exploits these vulnerabilities can control traffic lights, but the researcher pointed out that they cannot turn all the lights green, which would have a serious safety impact.

“Still, an attacker can make it very hard to pass the controlled crossroad, making green very short, and red very long, or just green very long in one direction,” the researcher explained. “An attacker can create VIP routes for runaway vehicles [and] slow down some targeted vehicles, like ones with valuable things. And much more. People will lose time, money and hopefully not their life.”

He added that once they have access to the controller, an attacker can also hack related equipment, such as sensors and cameras. 

The vendor has not responded to SecurityWeek’s request for comment. 

CISA initially said in its advisory that Econolite had not responded to the agency’s attempts to coordinate disclosure of the vulnerabilities. However, after Amin described the impact of his findings on LinkedIn, CISA updated its advisory to say that the company is working on patches. 

Until patches are released, Amin recommends disconnecting affected controllers from the internet, ensuring that controller cabinets are secure against physical attacks (an attacker with physical access to a controller can take complete control of the system), isolating the networks housing controllers, installing firmware updates when available, and changing passwords and WLAN access codes. 

Amin told SecurityWeek that the Econolite EOS vulnerabilities were discovered as part of a bigger research project whose results will be made public in the upcoming period. 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
