Hackers could create traffic jams due to flaw in traffic light controller, researcher says

A security researcher says he found a flaw in a traffic light controller that could potentially allow malicious hackers to change the lights and create traffic jams.

Andrew Lemon, a researcher at cybersecurity firm Red Threat, published two blog posts on Thursday detailing his findings from a wider research project investigating the security of traffic controllers.

One of the devices Lemon looked at is the Intelight X-1, where he said he found a bug that allows anyone to take full control of the traffic lights. According to Lemon, the bug is very simple and basic: There is no authentication on the internet-exposed web interface of the device.

“I was just in disbelief,” Lemon told TechCrunch. “I was just shocked that something so obvious could have been missed.”

Lemon said he tried to see if it was possible to trigger a scenario similar to the one shown in movies like The Italian Job, where hackers switch all lights in an intersection to green. But Lemon said he found that another device, called the Malfunction Management Unit, prevents that scenario from happening.

“You can still make changes to the lights and the timing. So if you wanted to set the timing to be three minutes one way and three seconds the other way. Basically it’s a denial of service in the physical world, so you could clog up traffic,” said Lemon.

It’s unclear how many vulnerable Intelight devices are accessible from the internet. Lemon said he and his team found about 30 exposed devices.

Lemon said he reached out to Q-Free, the company that owns Intelight, to report the bug. Instead of responding and engaging with him to fix the flaw, Q-Free sent him a legal letter, according to Lemon, who published a copy of it in his blog post.

“We only accept vulnerability reports that relate to Q-Free products which are currently offered for sale. We do not have the resources necessary to consider analyses of outdated devices,” read the copy of the letter, which appears to be signed by Steven D. Tibbets, Q-Free’s general counsel.

The copy of the letter said that the device Lemon analyzed is not for sale, and that the way he and Red Threat researched it could have been a violation of the anti-hacking law, the Computer Fraud and Abuse Act. The company did not specify how Lemon’s research could have violated the law. The letter then asked Lemon and Red Threat to commit that they would not publish details of the vulnerability because it could hurt national security.

“We also urge Red Threat to consider the impact of publication on the security of critical infrastructure in which Q-Free devices are used. Contrary to your stated goals of improving cybersecurity, publication of vulnerabilities could encourage attacks on infrastructure and generate related liability for Red Threat,” the letter read.

Lemon said he was shocked by the letter, and that “it really felt like they were just trying to silence me with legal threats and everything.”

Q-Free did not respond to multiple requests for comment.

Lemon said that in his research he also found some traffic controller devices made by Econolite exposed to the internet, running a protocol that is potentially vulnerable.

The protocol is called NTCIP and it is an industry standard for traffic light controllers. Lemon said that for the devices that are exposed on the internet, it is possible to change the values in the device without being logged in. These values, he said, could control how long the lights flash, or set all the lights in an intersection to flash at the same time.

Lemon said he hasn’t reached out to Econolite because the NTCIP issues are previously known.

Sunny Chakravarty, the vice president of engineering at Econolite, confirmed this when reached for comment. Chakravarty told TechCrunch that the Econolite devices tested by Lemon have been end-of-life “for many years, and all users should replace these older controllers with appropriate newer product models.”

“Econolite strongly recommends that customers follow best practices for network security and access control for all safety-critical equipment and restrict access to such equipment on the open public Internet,” said Chakravarty. “The actions on the controller performed by the author would not have been possible if the device was not exposed to the open Internet.”