Critical flaw could have allowed attackers to control traffic lights
The flaw, tracked as CVE-2020-12493, is an “improper access control” issue that could allow hackers to grant root access to the device without access control via network. The flaw could be exploited by low-skilled attackers, it was rated with a CVSS score of 10 and affects all OS versions starting with G4 SWARCO of CPU LS4000. ProtectEM researchers reported the vulnerability to the vendor in July 2019, which released a patch in April.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Germany’sVDE CERTrecently published advisories for the vulnerability. The good news is that this family of systems is not exposed online and attackers need physical access to the targeted network to exploit the flaw. An attacker that could achieve physical access to vulnerable controllers in a city could cause the caps by deactivating traffic lights simultaneously.
The researchers demonstrated how an attacker could control traffic lights and manipulated them to cause traffic accidents or traffic jams.