Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking

Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.

A researcher has discovered two potentially serious vulnerabilities affecting Econolite traffic controllers. Exploitation of the security flaws can have serious real-world impact, but they remain unpatched. 

Cyber offensive researcher Rustam Amin informed the US Cybersecurity and Infrastructure Security Agency (CISA) that he had identified critical and high-severity vulnerabilities in Econolite EOS, a traffic controller software developed for the Econolite Cobalt and other advanced transportation controllers (ATC).

The California-based vendor’s website says it has deployed more than 360 systems, 150,000 traffic cabinets, 120,000 traffic controllers, and over 160,000 sensors. In December 2022, the company reported reaching more than 10,000 installations of its EOS software. 

Amin discovered two types of vulnerabilities. One, rated ‘critical severity’ and tracked as CVE-2023-0452, has been described by CISA as an issue related to the use of a weak algorithm for hashing privileged user credentials. 

“A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians,” CISA said in its advisory.

The second issue, tracked as CVE-2023-0451 and rated ‘high severity’, is an improper access control issue. An attacker can view log, database and configuration files that can contain username and password hashes for users, including administrators and technicians. 

These vulnerabilities can allow a remote, unauthenticated attacker to gain full control of traffic control functions. 

Amin has conducted an internet search to see how many EOS systems are exposed to attacks from the web. He told SecurityWeek that he identified roughly 50 exposed controllers that are running older firmware. These systems are not affected by the flaws he discovered, but they are still not secure. 


In addition, he discovered approximately 30 controllers running 2018-2020 versions of the EOS software and these systems are vulnerable to remote attacks.

Advertisement. Scroll to continue reading.

He also found roughly 500 instances of associated devices that can be found in the affected controllers’ proximity, including routers and cameras, which have their own security issues. 

The researcher explained in a post on LinkedIn that the vulnerable devices are typically located on toll roads and in small cities and counties. While the exposed devices are not in major cities, they do appear to be near international airports, border crossings, shopping centers, universities and hospitals. 

A hacker who successfully exploits these vulnerabilities can control traffic lights, but the researcher pointed out that they cannot turn all the lights green, which would have a serious safety impact.

“Still, an attacker can make it very hard to pass the controlled crossroad, making green very short, and red very long, or just green very long in one direction,” the researcher explained. “An attacker can create VIP routes for runaway vehicles [and] slow down some targeted vehicles, like ones with valuable things. And much more. People will lose time, money and hopefully not their life.”

He added that once they have access to the controller, an attacker can also hack related equipment, such as sensors and cameras. 

The vendor has not responded to SecurityWeek’s request for comment. 

CISA initially said in its advisory that Econolite had not responded to the agency’s attempts to coordinate disclosure of the vulnerabilities. However, after Amin described the impact of his findings on LinkedIn, CISA updated its advisory to say that the company is working on patches. 

Until patches are released, Amin recommends disconnecting affected controllers from the internet, ensuring that controller cabinets are secure against physical attacks (an attacker with physical access to a control can take complete control of the system), isolating the networks housing controllers, installing firmware updates when available, and changing passwords and WLAN access codes. 

Amin told SecurityWeek that the Econolite EOS vulnerabilities were discovered as part of a bigger research project whose results will be made public in the upcoming period. 

Related: Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights

Related: Senators Ask DHS, DOT About Transportation Infrastructure Cybersecurity

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.