The fun police, and also real police (Department of Homeland Security) are fed up with pranksters turning boring, practical information signs into sources of amusementturning boring, practical information signs into sources of amusement. That's right; DHS knows how to change the default password on their signs now. Laughing Time Is Over.
Just about every instance of sign hacking I've ever seen has looked innocuous (/hilarious), but I suppose can imagine such deception being used for a deeper evil.
The DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued this warning to government organizations using the Daktronics Vanguard, the portable LED-sign display you see on the side of the road, and a list of recommendations on how to stop unwanted users from messing with it.
In FCW's writeup, it sounds like the signs shipped out with a basic default password that was meant to be changed by the user, but most municipalities running them didn't bother doing so.
Lulz, in the form of "zombie warning" signs, ensued.
"ICS-CERT recommends entities review sign messaging, update access credentials, and harden communication paths to the signs," obviously. The rest of DHS's recommendations to legitimate sign-users are as follows:
- Displays should not be on publicly accessible IP addresses. Placing a display on a private network or VPN helps mitigate the lack of security,
- Disable the telnet, webpage, and web LCD interfaces when not needed, and
- Change the default password to a strong password as soon as possible on all installed devices.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.a
- Locate system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
I don't know that much about what's under the hood of computers but it seems to me if folks could figure out the default password, they'll be able to figure out another one. And bet it will take some time for every city sign programmer to get this memo.
Is this the end of highway-sign hijinks, or will some jokers be determined enough to take a crack at this new tier of security measures? I also sure hope many of you will take this opportunity to share the best sign hacks you've seen...
Image based on photo from Amy Guth/Flickr Hat tip to Troy!