When I first read the article “Hackers could create traffic jams thanks to flaw in traffic light controller, researcher says”, I thought it sounded interesting, until I read that a researcher was actually sent legal paperwork about their research.
Andrew Lemon, a researcher at cybersecurity firm Red Threat, published two blog posts on Thursday detailing his findings of a wider research project investigating the security of traffic controllers.
A later paragraph says:
Lemon said he tried to see if it was possible to trigger a scenario like the one shown in movies like The Italian Job, where hackers switch all lights in an intersection to green. But Lemon said he found another device called the Malfunction Management Unit prevents that scenario from happening.
“You can still make changes to the lights and the timing. So if you wanted to set the timing to be three minutes one way and three seconds the other way. Basically it’s a denial of service in the physical world, so you could clog up traffic,” said Lemon.
The company that sent the paperwork says:
“We only accept vulnerability reports that relate to Q-Free products that are currently offered for sale. We do not have the resources necessary to consider analyses of outdated items,” read the copy of the letter, which appears to be signed by Steven D. Tibbets, Q-Free’s general counsel.
If that’s the case, then just tell them! This company should not be sending a legal letter, but should be up front with the researcher. They are out there to perform testing and responsibly report this to the company.
It is of course up to the company to do nothing and say that it is not valid because they don’t sell it and that customers should upgrade. That’s their right.
The copy of the letter said that the device Lemon analyzed is not for sale, and that the way he and Red Threat researched it may have been a violation of the anti-hacking law, the Computer Fraud and Abuse Act. The company did not specify how Lemon’s research could have violated the law. The letter then asked Lemon and Red Threat to commit that they would not publish details of the vulnerability because it could hurt national security.
This is the paragraph that gets me upset. As I said above, being up front would have been better than sending this.
They continue:
“We also urge Red Threat to consider the impact of publication on the security of critical infrastructure in which Q-Free devices are used. Contrary to your stated aims of improving cybersecurity, publication of vulnerabilities may encourage attacks on infrastructure and generate associated liability for Red Threat,” the letter read.
They also told TechCrunch:
Q-Free’s spokesperson Trisha Tunilla told TechCrunch that “it is important to note that the controller in question has not been in production for nearly a decade.”
They really had no further comment on the legal letter except that it was customary.
If I were the researcher, I wouldn’t send them anything else; this is irresponsible.
They also continue:
“Our records cannot confirm that all these controllers have since been updated. However, if any of these legacy controllers are still in use, we strongly encourage customers to contact us immediately so we can provide guidance and a path forward,” Tunilla wrote in an email.
They have no fucking idea whether their controllers are upgraded? What kind of company is this! Inventory of your assets. Have you heard of that or do you really not give a fucking shit? The researcher was trying to help your sorry asses out and this is what you write to a publication? Really?
Here is what the spokesperson wrote about the legal letter.
Regarding the letter sent by Q-Free’s general counsel, Tunilla said that “it is our standard procedure to have our legal department respond to inquiries like this.”
So get legal counsel involved and make the researcher feel bad for doing their fucking job. Great public relations.
Lemon said that during his research he also found some traffic controller devices made by Econolite exposed to the internet and running a protocol that is potentially vulnerable.
The protocol is called NTCIP and it’s an industry standard for traffic light controllers. Lemon said that for the devices that are exposed on the internet, it is possible to change the values in the system without being logged in. Those values, he said, could control how long the lights flash, or set all the lights in an intersection to flash at the same time.
Lemon said he hasn’t reached out to Econolite as the NTCIP issues are previously known.
Sunny Chakravarty, the vice president of engineering at Econolite, confirmed this when reached for comment. Chakravarty told TechCrunch that the Econolite devices tested by Lemon have been end-of-life “for many years, and all users should replace these older controllers by appropriate newer product models.”
“Econolite strongly recommends that customers follow best practices for network security and access control for all safety-critical equipment and restrict access to such equipment on the open public internet,” said Chakravarty. “The actions on the controller performed by the author would not have been possible if the device was not exposed to the open internet.”
I wouldn’t blame the guy for not contacting the company, since the vulns are already out there.
Read the full article, this is absolutely fucking crazy.
We have selected this as this week’s topic. Have fun with it! Just read the full article and not only what I quoted. There’s more.