Cesar Cerrudo, CTO of IOActive Labs, demonstrated how traffic control systems are vulnerable to hacking at DefCon 22 in Las Vegas.
Cesar Cerrudo, CTO of IOActive Labs, demonstrated how traffic control systems are vulnerable to hacking at DefCon 22 in Las Vegas.

Sensys Networks, a supplier of wireless traffic detection and integrated traffic data systems, has issued updates to address vulnerabilities in its VSN240-F and VSN240-T vehicle traffic sensors operating software versions prior to VDS 2.10.1 and prior to TrafficDOT 2.10.3.

Vulnerability CVE-2014-2378 involves traffic sensors accepting software modifications without properly checking the integrity of the new code, meaning the sensors could be damaged if improperly modified, an ICS-CERT advisory indicates.

Vulnerability CVE-2014-2379 involves the potential for unencrypted wireless traffic between a traffic sensor and access point being intercepted and “replayed to influence traffic data,” meaning traffic control could be impacted at an intersection, according to the advisory.

The advisory credits Cesar Cerrudo, CTO of IOActive Labs, with discovering the vulnerabilities. In August, at DefCon 22 conference in Las Vegas, Cerrudo demonstrated how traffic control systems are vulnerable to hacking and explained that the devices can be “bricked” to cause millions of dollars in damages to infrastructure.

“I really don't know what [Sensys Networks is] fixing and how since they haven't published any details and also the updates are private to customers and not publicly available,” Cerrudo told SCMagazine.com in a Tuesday email correspondence, adding that it is important to ensure that fixing one problem does not create another issue.

Cerrudo said the lack of collaboration with vendors of hardware and embedded devices is common when dealing with security issues, and went on to call the behavior “irresponsible.” He added that vendors also downplay issues, possibly because they do not have the correct knowledge and understanding.

“Basically these devices feed traffic detection data to traffic control systems; if the data can be faked by attackers, then traffic control systems will [make a] bad decision [that] could cause traffic chaos and/or accidents,” Cerrudo said, going on to add that “nowadays we are surrounded by insecure devices used on critical infrastructure, home automation, smart things in general, [and more] that are exposed to attacks that can have [a] big impact on our lives.”

Cerrudo said that someone recently pointed out that a Sensys Networks repeater – a device that he noted is vulnerable – is available for sale on eBay. “This means that now the bad guys have it easy to get a vulnerable device and hack it to later perform attacks,” Cerrudo said.

Sensys Networks did not respond to a SCMagazine.com request for comment.