Highway Sign Fix: Change Default Password

Monday, June 9, 2014 @ 07:06 PM gHale


A reported vulnerability in sign messaging software can end up mitigated by changing the default password upon installation.

There is a public report of a hardcoded password vulnerability affecting Daktronics Vanguard highway dynamic message sign (DMS) configuration software, according to a report on ICS-CERT.

RELATED STORIES
OpenSSL Security Advisory Released
Highway Sign Software Vulnerability
COPA-DATA Improper Input Validation
Triangle MicroWorks Fixes DoS Hole

According to this report, the vulnerability is a hardcoded password that could allow unauthorized access to the highway sign.

This report came to ICS-CERT from the Federal Highway Administration and ICS-CERT notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations.

The vendor, Daktronics, said the software does not have a hardcoded password, but it does have a default password the user can change upon installation.

Proof of Concept is publicly available. ICS-CERT recommends entities review sign messaging, update access credentials, and harden communication paths to the signs.

Daktronics and the Federal Highway Administration recommend the following:
• Displays should not be on publicly accessible IP addresses. Placing a display on a private network or VPN helps mitigate the lack of security,
• Disable the telnet, webpage, and web LCD interfaces when not needed, and
• Change the default password to a strong password as soon as possible on all installed devices.



Leave a Reply

You must be logged in to post a comment.