Sensys Networks, a company that provides integrated wireless traffic data systems, announced last week the availability of software updates that address security issues identified last year.
In April, IOActive Labs CTO Cesar Cerrudo revealed the existence of several vulnerabilities in the sensor devices used by the traffic control systems installed in various cities across the United States, Canada, the United Kingdom, France, Australia and China. He conducted real-world tests in various U.S. cities and even simulated an attack launched from a drone.
“By exploiting the vulnerabilities I found, an attacker could cause traffic jams and problems at intersections, freeways, highways, etc,” the researcher explained back in April. “It’s possible to make traffic lights (depending on the configuration) stay green more or less time, stay red and not change to green, or flash. It’s also possible to cause electronic signs to display incorrect speed limits and instructions and to make ramp meters allow cars on the freeway faster or slower than needed.”
Cerrudo contacted the vendor through ICS-CERT in September 2013, but the company said the issues uncovered by the researcher were not critical. Last month, after the expert demonstrated his findings at the Def Con security conference, Sensys published a statement clarifying that its equipment does not directly control traffic signals, but “provides an input to third party traffic controllers who are responsible for the safe operation of traffic signals.”
“It is impossible to manipulate our systems, or data, to cause conflicting movements or phases to be displayed. Both the controller software and conflict monitor prevent the possibility of this scenario. Also, our system is not used to give priority to emergency vehicles and we cannot interfere with the operation of systems that do give such priority,” the company said.
Sensys also said its systems were not actually “hacked” by the researcher, and presented various “anti-vandalism features” that are available to customers. While the company maintains its position, last week it rolled out what it calls “new anti-vandalism enhancements” designed to protect systems against attacks (encryption and authentication), and notify operators in case of unauthorized access attempts.
The company says the enhancements will be included in all new hardware and software products, but they can also be wirelessly deployed to existing installations via the regular software update process. The software updates are free and there’s no need to replace any hardware, Sensys networks said on Friday.
According to ICS-CERT, the enhancements are actually fixes for the vulnerabilities identified by Cerrudo. In its advisory, the organization noted that Sensys Networks traffic sensors VSN240-F and VSN240-T (with software versions prior to VDS 2.10.1 and prior to TrafficDOT 2.10.3) are affected by insufficient integrity checks which could allow the installation of modified software that could damage the traffic sensors.
“A traffic sensor that has been rendered inoperable may cause the traffic system to default to a failsafe condition, prompting traffic lights of an intersection to operate on predetermined timed intervals. Only the traffic lights that are linked to compromised sensors may be impacted,” ICS-CERT said in its advisory. “Unencrypted communication between the traffic sensor and the access point could be modified and used to cause traffic collection data inaccuracies, which may have limited impact on traffic control for an intersection. Inaccurate collection of traffic data may yield limited influence over traffic light timing for an intersection.”
The integrity check issue has been assigned the CVE identifier CVE-2014-2378, while the lack of a mechanism for sensitive data encryption has been assigned CVE-2014-2379. ICS-CERT says the vulnerabilities can be exploited remotely by a highly skilled attacker.
Versions VDS 2.10.1 and TrafficDOT 2.10.3 address the flaws. ICS-CERT noted that an update (VDS 1.8.8) for older model access points will also be released this month.