Digital road signs along federal highways and interstates are a familiar sight to American drivers: they typically warn of delays, construction and accidents up ahead, or they not-so-gently remind drivers to ‘click it or ticket.’ But don’t be surprised if they’re soon found to be warning drivers of zombie infestations or escaped tribbles instead of passing along safety information.
The US Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) is warning of a password vulnerability affecting Daktronics Vanguard highway dynamic message sign (DMS) configuration software. A proof-of-concept exploit for it is publicly available.
The Federal Highway Administration originally confirmed the vulnerability is a hardcoded password that, being static, is easily defeated. Daktronics, however, said that the issue actually arises from a default password that can be changed upon installation – but if it isn’t, it could allow unauthorized access to the highway sign.
“ICS-CERT recommends entities review sign messaging, update access credentials and harden communication paths to the signs,” the body said in the advisory.
Daktronics and the Federal Highway Administration recommended that displays be separated from publicly accessible IP addresses, first and foremost: placing a display on a private network or VPN helps mitigate the lack of security. Administrators should also disable the telnet, webpage and web LCD interfaces when not needed, and of course change the default password to a stronger one as soon as possible on all installed devices.
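The three recommendations above can be checked against a sign inventory before anyone touches a device. This is an added example, not code from Daktronics, ICS-CERT or the original article; the inventory schema, field names and sample records are constructed assumptions, and only RFC 1918 ranges are treated as private.

```python
import ipaddress

# RFC 1918 ranges; any address outside them is treated as publicly reachable.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Interfaces the advisory says to disable when not needed.
OPTIONAL_INTERFACES = ("telnet", "webpage", "web_lcd")

# Constructed sample inventory (hypothetical schema, not a vendor export format).
SAMPLE_INVENTORY = [
    {"name": "dms-001", "ip": "203.0.113.10", "needed": [],
     "interfaces": {"telnet": True, "webpage": True, "web_lcd": False},
     "password_changed": False},
    {"name": "dms-002", "ip": "10.20.0.5", "needed": ["webpage"],
     "interfaces": {"telnet": False, "webpage": True, "web_lcd": False},
     "password_changed": True},
    {"name": "dms-003", "ip": "192.168.5.9", "needed": [],
     "interfaces": {"telnet": True, "webpage": False, "web_lcd": True},
     "password_changed": True},
]

def audit_sign(sign):
    """Return the findings for one inventory record, in advisory order."""
    findings = []
    addr = ipaddress.ip_address(sign["ip"])
    if not any(addr in net for net in PRIVATE_NETS):
        findings.append("public-ip")            # move behind private network/VPN
    for iface in OPTIONAL_INTERFACES:
        enabled = sign.get("interfaces", {}).get(iface, False)
        if enabled and iface not in sign.get("needed", ()):
            findings.append(f"disable-{iface}")  # enabled but not required
    if not sign.get("password_changed", False):
        findings.append("default-password")      # credential never rotated
    return findings

def audit_inventory(inventory):
    """Map sign name -> findings, omitting signs with nothing to fix."""
    report = {}
    for sign in inventory:
        findings = audit_sign(sign)
        if findings:
            report[sign["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```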
Digital signage is notoriously hackable, and the pixel screens are attractive targets for code kids and the nuisance-minded. In one high-profile incident, two Serbian teenagers hijacked an electronic billboard in Belgrade last year, and used their iPhones to play Space Invaders on it for 20 minutes – much to the amusement of passersby.