This flaw allows hackers to control traffic lights, just like in movies

A team of data security course specialists has revealed the finding of a number of vulnerabilities in transit control systems developed by SWARCO. If successfully exploited, these flaws would allow threat actors to access affected systems and disrupt the operation of linked transit devices (traffic lights and other traffic signals), similar to the one we have seen multiple times in film and television.

The most severe of these flaws exists because an open port used for system debugging grants root user access to the device. There are no access controls over the network, so the chances of exploitation are considerable. The vulnerability is remotely exploitable and requires minimal interaction from vulnerable system administrators. In addition, the attack could be carried out even by malicious hackers without advanced knowledge.

According to data security course experts, the most critical vulnerability was tracked as CVE-2020-12493 and received a score of 10/10 according to the Common Vulnerability Scoring System (CVSS), making it a critical issue.

The German-based company provides services for transport control, an area considered critical infrastructure, in multiple countries in Europe, so potential attacks could lead to catastrophic scenarios. The vulnerabilities were reported by Martin Aman of ProtectEM.

SWARCO TRAFFIC SYSTEMS’ data security course teams acknowledged the flaw and began developing a security patch immediately after receiving the report. Company customers can contact their support area for additional information about security patches.

While updates are ready, the cybersecurity community recommends that affected deployment administrators take the following steps to mitigate the risk of exploitation:

  • Minimize network exposure for all vulnerable control system systems
  • Identify the control system networks and remote devices behind the firewalls and isolate them from the enterprise network
  • Rely to the use of virtual private networks (VPNs) in case of requiring remote access to vulnerable systems for regular activities

The company could issue a complete report on the vulnerability once they consider the exploitation risk is completely mitigated.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.