A company boasting over 150,000 traffic controllers across the US has a critical and remotely exploitable vulnerability in “all versions” of its EOS traffic control software and has neither patched it nor responded to outreach from the US Cybersecurity and Infrastructure Security Agency (CISA), according to a new advisory.
The vulnerability, CVE-2023-0452, has been allocated a critical CVSS score of 9.8. It affects “all versions of Econolite EOS traffic control software” according to a CVE description provided by NVD.
The bug – which raises the prospect that hackers could wreak havoc on exposed traffic systems – was one of 14 CVEs in a new CISA advisory which warns of security flaws in eight Industrial Control Systems (ICS).
CISA said of the Econolite EOS traffic controller vulnerability that “a configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians.”
(The MD5 algorithm or password scrambler was invented in 1995 and has been seen as cryptographically “broken” and easy to crack in since 2005 – the increase in computational power means it is now possible to crack MD5-encrypted passwords on average consumer-grade hardware somewhere between a few hours and a few seconds depending on password complexity; doing this using cloud instances is likely instant.)
Econolite traffic controller vulnerability: Hundreds internet-accessible
Over 400 agencies across North America use Econolite’s software at over 57,000 intersections. Not all are internet-exposed: The traffic management software vulnerability was identified by offensive security researcher Rustam Amin, who said several hundred controllers and related systems are accessible by remote hackers.
The Tel Aviv-based researcher said the controllers were not normally in large metropolitan areas or wealthy areas but that he had geolocated exposed traffic controllers “near International Airports, border crossings, universities, shopping centers and hospitals”.
(In a series of suggestions to improve security for operators that he posted on LinkedIn, Amin started with: “1) Disconnect controllers from the Internet; 2) Put [a] "big lock" on the controller cabinet…”)
Follow The Stack on LinkedIn
An attacker can not turn all lights green, he added, so it could be worse. They can however make it “very hard to pass the controlled crossroad, making green very short, and red very long, or just green very long on [in] one direction etc. [An] Attacker can create VIP routes for runaway vehicles… slow down some targeted vehicles.”
Bridgepoint and Porsche SE, the owners of German smart traffic management company PTV, last year acquired a majority share in US-based Econolite (which “never before acknowledged any of cyber security related issues, so why to start now” Amid told The Stack drily). Given that they described the company as "the leading provider of traffic management solutions in North America" two new buyers may want to work on the company’s approach to security disclosures before someone takes more advantage than this white hat did and triggers them lawsuits.
Other companies with vulnerable products in the CISA ICS advisory included Mitsubishi, Rockwell Automation, and Sierra Wireless, with scores of ICS products used across manufacturing and other sectors found to have a range of security vulnerabilities. All other companies published patches or mitigation and advisories.