A security researcher says he found a flaw in a traffic light controller that would potentially permit malicious hackers to change the lights and create traffic jams.
Andrew Lemon, a researcher at cybersecurity firm Red Threat, published two blog posts on Thursday detailing his findings of a broad research project investigating the security of traffic controllers.
One of the devices Lemon looked at is the Intelight X-1, where he says he found a bug that allows anyone to take full control of the traffic light. According to Lemon, the bug is very simple and basic: There is no authentication on the device's internet-exposed interface.
“I was just in disbelief,” Lemon told TechCrunch. “I was just shocked that something so glaring could have been missed.”
Lemon said he tried to see if it was possible to trigger a scenario like the one shown in movies like The Italian Job, where hackers switch all lights in an intersection to green. But Lemon said he found that another device, called the Malfunction Management Unit, prevents that scenario from happening.
“You’re able to still make changes to the lights and the timing. So if you wanted to set the timing to be three minutes one way and three seconds the other way. Basically it’s a denial of service in the physical world, so you could clog up traffic,” said Lemon.
It’s unclear how many vulnerable Intelight devices are accessible from the internet. Lemon said he and his team found about 30 exposed devices.
Lemon said he reached out to Q-Free, the company that owns Intelight, to report the bug. Instead of responding and engaging with him to fix the flaw, Q-Free sent him a legal letter, according to Lemon, who published a copy of it in his blog post.
“We only accept vulnerability reports that relate to Q-Free products that are currently offered for sale. We do not have the resources necessary to deliberate on analyses of outdated items,” reads the copy of the letter, which is likely signed by Steven D. Tibbets, Q-Free’s general counsel.
The copy of the letter said that the device Lemon analyzed is not for sale, and that the way he and Red Threat researched it may have been a violation of the anti-hacking law, the Computer Fraud and Abuse Act. The company did not specify how Lemon’s research could have violated the law. The letter then asked Lemon and Red Threat to commit that they would not publish details of the vulnerability because it could hurt national security.
“We also encourage Red Threat to consider the impact of publication on the security of critical infrastructure in which Q-Free devices are used. Contrary to your stated aims of improving cybersecurity, publication of vulnerabilities may encourage attacks on infrastructure and return associated liability for Red Threat,” the letter read.
Lemon said he was surprised by the letter, and that “it really felt like they were just trying to silence me with legal threats and everything.”
Q-Free’s spokesperson Trisha Tunilla told TechCrunch that “it is important to note that the controller in question has not been in production for nearly a decade.”
“Our records cannot substantiate that all these controllers have since been updated. However, if any of these legacy controllers are still in use, we strongly encourage customers to contact us immediately so we can provide guidance and a path forward,” Tunilla wrote in an email.
Regarding the letter sent by Q-Free’s general counsel, Tunilla said that “it is our standard procedure to have our legal department respond to inquiries like this.”
Lemon said that during his research he also found some traffic controller equipment made by Econolite exposed to the internet and running a protocol that is potentially vulnerable.
The protocol is called NTCIP and it’s an industry standard for traffic light controllers. Lemon said that for the devices that are exposed on the internet, it is possible to change the values in the system without being signed in. Those values, he said, could control how long the lights flash, or set all the lights in an intersection to flash at the same time.
Lemon said he hasn’t reached out to Econolite as the NTCIP issues are previously known.
Sunny Chakravarty, the vice president of technology at Econolite, confirmed this when reached for comment. Chakravarty told TechCrunch that the Econolite devices tested by Lemon have been end-of-life “for many years, and all users should replace these older controllers by appropriate newer product models.”
“Econolite strongly urges that customers follow good practices for web security and access control for all safety-critical equipment and limit access to such equipment on the open public internet,” said Chakravarty. “The actions on the controller performed by the author would not have been possible if the device was not exposed to the open internet.”
This story has been updated to include Q-Free’s comment.