Current Event: Zombies Ahead
According to a story on NBC Dallas-Fort Worth, someone hacked into an electronic roadsign system designed to notify motorists of upcoming hazards. The system was altered to read “Caution! Zombies! Ahead!!!” It also instructed motorists to run for cold climates and warned that “the end is near.” The story can be found here: http://www.nbcdfw.com/traffic_autos/transit/Zombies-Run-TxDOT-is-Not-Amused.html
The event arose as a prank. The article states that a padlock was cut in order to gain access to relevant computers for the digital sign system, but no further details are provided on what security measures the digital system had in place. Without these details one could only speculate what could have been done prior to the event to prevent the breach from occurring. If weak or default passwords were used on any roadside equipment then that would be one area that could be easily changed to increase security. The article also states that the signs were displaying the message for “a few hours.” Some type of reporting system or monitoring system would have been able to detect/report the change such that the incorrect message could have been corrected much faster.
While this particular breach was simply a humorous prank, there are certainly more significant implications to consider. There are many such systems that the public relies on to convey accurate information. If these systems are not secure, they could be used maliciously to convey information that is not as obviously false. For example, if one hacked the digital signs on I5 to report “Explosion on 520 bridge, bridge out, take alternate route,” one could both cause havoc during a rush hour commute by rerouting a massive number of commuters as well as cause potential social panic regarding both the cause of the explosion and concern to anyone travelling that knew individuals that usually took the bridge around that time. This is but one example, there are surely many other types of malicious and harmful information that could take advantage of the trust the public has in official information displays.
As such, this seems like an incident that while relatively harmless because of being humorous and obviously false, should prompt a review of any type of information display system that the public generally trusts to be accurate. These systems should be secure, and a method of quickly detecting any changes to such systems and ensuring that all changes are accurate should be in place so that any possible future breaches could be realized immediately, not “after a few hours.”
Comment by erielt
February 3, 2009 @ 1:35 pm
I saw this story about a week or so ago and found some more details about the actual hack (unfortunately, I can’t post the link because my comment keeps getting marked as spam). This is definitely an issue of weak passwords and password security. The default password is “DOTS” and, if the default password isn’t used, the password can be reset to the default by a simple key combination.
With the trust issues that you mention, it definitely is worrisome that these systems aren’t more secure. Although this is just a juvenile prank that didn’t cause any damage, necessary information could be lost or false information listed that caused actual damage to property or even people.
I think the solution in this case is, going forward, to have a more secure system where you must change the password away from the default and there is a more secure way to reset the password (perhaps requiring a cryptographic dongle or some other sort of physical cryptographic system). Although this may not stop all problems (weak passwords almost always seem to arise or strong passwords are subverted by people doing things like writing them down near the password protected system), it would definitely be a step in the right direction.
Comment by alexmeng
February 3, 2009 @ 8:24 pm
I agree with Eriel above, stating that the solution should be a review of the security system in place. Hopefully, DOT will look at this prank as a manifestation of its weak security system, and not just change its password but review how they secure the integrity of the message they are trying to convey to people in transit. As the poster illustrated, manipulating these signs can lead to public chaos. While we all hope no one has a chaotic motive, we have to prepare and assume the worst.
Hopefully, they will make steps toward improving the overall system and not just changing the password. Since, as Eriel has shown, passwords are easy to surface.
Comment by vincez
February 4, 2009 @ 10:08 am
I heard about this story a little while back and found it a bit amusing. I was driving home last night, and on I-405 Southbound I looked to my left and saw a construction sign flashing “ZOMBIES DROOL, ZABORSKI RULES!”. The name may have been something slightly different. I tried but couldn’t get a picture since I was going 65mph. It looks like the problem is widespread.
Comment by Danny
February 5, 2009 @ 5:14 pm
I would like to consider which possible malicious goals could be reached by changing what a road sign says.
1) Reroute traffic
2) Cause confusion
3) Send messages to an understanding third party
4) Anti-political messages
5) “Speed zone: 5 MPH”
6) “Speed zone: 100 MPH”
I assume that this sort of exploit could be used against regular traffic lights. This could be used for other purposes.
1) Set up some sort of wireless communication that will turn a light green in a certain direction when sent a certain signal. This could be set up at multiple lights and you could turn every light in front of you green (useless in a traffic jam).
2) Turn lights red when you would like to delay cops or a third party.
3) Turn light red from all angles so that you would be the only person traveling. Everyone else is confused.
I just hope that there is NEVER a push to put these systems on a network, because someday someone would exploit the network to control multiple traffic lights and signs.