
Cutting the Lights: Vulnerabilities in a Billboard Lighting System - rwestergren
http://randywestergren.com/cutting-the-lights-vulnerabilities-in-a-billboard-lighting-system/
======
culturestate
Mind-boggling design choices aside, I was pleasantly surprised to see that
this company took the disclosure seriously. Too often small firms don't really
know how to address these situations and just fire off a "how dare you hack
us, we'll sue you!" response instead.

------
jacquesm
Nice response from the company, pity they made that many mistakes. Please note
that this is not exceptional at all. APIs and underwater calls from web pages
and apps to access some functionality are _rife_ with bugs and security holes,
the stuff you find makes your hair stand on end. Also, the SCADA world (which
this product is a part of) is not exactly known for great focus on security,
if there is security at all it's surprising, more likely it is just obscurity.
These systems are used to remotely control building facilities such as
heating, lighting, air-conditioning and all kinds of alarms.

One system I'm familiar with (I won't name any brands because this is a legacy
system and imo impossible to fix without a total replacement) is based on the
BASIC stamp and will accept UDP packets where every bit in the payload is the
status of an output and will respond with a UDP packet detailing the inputs.
Guess what happens if you start hitting those ports with payloads of 'all 1'
and 'all 0' alternating every second or so...

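An added defender-side illustration, not code from the post or from any vendor: the comment above describes a controller that takes a bit-per-output UDP payload, and the obvious failure mode is a source flipping every output on and off in quick succession. The decoder below assumes a hypothetical 16-output layout (LSB of byte 0 is output 0) and flags any source whose payloads alternate between all-on and all-off more than a threshold number of times inside a time window, which is the kind of check a network monitor in front of such a legacy device could run. All addresses and packets are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

OUTPUT_COUNT = 16  # hypothetical layout: two payload bytes, one bit per output


def decode_outputs(payload):
    """Decode a bit-per-output payload; LSB of byte 0 is output 0."""
    bits = []
    for byte in payload:
        for i in range(8):
            bits.append(bool((byte >> i) & 1))
    return bits[:OUTPUT_COUNT]


@dataclass
class Packet:
    ts: float      # seconds since capture start
    src: str       # source address of the UDP datagram
    payload: bytes


def flapping_sources(packets, window_s=10.0, min_toggles=4):
    """Return {src: toggle_count} for sources that alternate between
    all-outputs-on and all-outputs-off at least min_toggles times
    within any window_s-second window. Partial patterns (normal
    control traffic) are ignored."""
    history = defaultdict(deque)  # src -> deque of (ts, state)
    flagged = {}
    for p in sorted(packets, key=lambda p: p.ts):
        outputs = decode_outputs(p.payload)
        if all(outputs):
            state = "all_on"
        elif not any(outputs):
            state = "all_off"
        else:
            continue  # ordinary command, not a whole-bank flip
        q = history[p.src]
        q.append((p.ts, state))
        # drop entries that fell out of the sliding window
        while q and p.ts - q[0][0] > window_s:
            q.popleft()
        # count state changes between consecutive packets in the window
        states = [s for _, s in q]
        toggles = sum(1 for a, b in zip(states, states[1:]) if a != b)
        if toggles >= min_toggles:
            flagged[p.src] = max(flagged.get(p.src, 0), toggles)
    return flagged


# Constructed sample traffic (not from the post): 10.0.0.5 issues normal
# partial commands, 10.0.0.99 flips the whole output bank every second.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", b"\x0f\x00"),
    Packet(1.0, "10.0.0.99", b"\xff\xff"),
    Packet(2.0, "10.0.0.99", b"\x00\x00"),
    Packet(2.5, "10.0.0.5", b"\x0f\x01"),
    Packet(3.0, "10.0.0.99", b"\xff\xff"),
    Packet(4.0, "10.0.0.99", b"\x00\x00"),
    Packet(5.0, "10.0.0.99", b"\xff\xff"),
    Packet(6.0, "10.0.0.99", b"\x00\x00"),
]

if __name__ == "__main__":
    for src, n in flapping_sources(SAMPLE_PACKETS).items():
        print(f"ALERT: {src} toggled all outputs {n} times within the window")
```

The threshold and window are deliberately parameters: a real deployment would tune them to how often the legitimate controller is expected to drive every output at once, and the alert would feed whatever isolation or blocking the site already has in front of the device.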
~~~
ashmud
When I worked in HMI/PLC land, the only real security I remember being done
was network isolation. Web apps were still pretty new at the time. I can only
recall one project we did where a web app actually had any input to control
(recipe scheduling). One client in particular required separation of PLCs that
HMIs talked to vs PLCs that controlled the actual manufacturing equipment (robots et
cetera). IIRC, only a select list of contractors were used to write code for
the robots, whereas the HMI contractor list was less strict (group we were
in).

------
spydum
Nice to see them respond and even address some of the issues. I know security
is a big craze right now, so it seems insane people would put systems online
without any real meaningful controls, but the reality is until recently, most
went untested and were viewed as unnecessary (https everywhere? n are you
crazy? https is expensive!).

I think it's only in the wake of these big public disclosures, and the
reduction in cost for controls, that people are taking notice. The problem is,
we have decades upon decades of very immature software out there, and very
little economic incentive to pre-emptively secure it. Depending on the
information they host, it may simply never be fiscally sound to properly
secure them.

------
jdsnape
Good find, and pretty shocking! What's the legal status of something like
this? I think in the UK it would be counted as bypassing authentication and
_technically_ you could be prosecuted under the CMA (happy to be corrected on
that...)

