Infrastructure Hackers, Script Kiddies and “Watchdogs”: A Round-up of Monsters Under the Bed from CIS/MS-ISAC

A recent report from the MS-ISAC (Multi-State Information Sharing and Analysis Center), written by CIS (Center for Internet Security, a private nonprofit) and publicized by security journalist Brian Krebs, addresses a series of concerns regarding an infrastructure hacker who calls himself “Sun Hacker” and has made a name for himself by remotely changing the displays of road information signs.

Sun Hacker encourages people who see his real-world defacements to “TWITT WTH ME”, and maintains an active Twitter account where he recounts his website and sign defacements. His hacks have not been overly complex, apparently targeting insecure deployments of the SNMP protocol and in at least one case breaking in through telnet on port 23, a protocol that was disabled years ago in nearly every serious security configuration and is typically blocked by firewalls because of its notoriously bad security (credentials and sessions cross the wire in cleartext). Using telnet to provide access to road sign systems is a very short-sighted security choice, akin not only to assigning the fox to guard the hen-house, but then also advertising the hen-sitting party on Craigslist.

The CIS report notes that Sun Hacker is operating from Saudi Arabia and is not known to be associated with any other major “hacktivist” groups. He has conducted SQL injection attacks on a number of websites, and documents hacking other web-connected devices such as LED light bulbs and car radios.

Then the CIS report goes deeper into the rabbit hole, beyond simply characterizing Sun Hacker as a “Hacktivist” (a term now so diluted as to include playful defacements alongside political statements) and as a “Malicious Actor”:

This activity likely coincides with the May 27, 2014, release of the video game “Watch Dogs,” in which game play revolves around “hacking,” with a focus on hacking critical infrastructure-based electronic devices in particular. Watch Dogs allows players to hack electronic road signs, closed circuit television cameras (CCTVs), street lights, cell phones, and other systems. On May 27, 2014, the malicious actor posted an image of the game on his Twitter feed, demonstrating his interest in the game, and the compromise of road signs occurs during game play. CIS believes it is likely that a small percentage of Watch Dog players will experiment with compromising computers and electronic systems outside of game play, and this activity will likely affect SLTT government systems and Department of Transportation (DOT) systems in particular.

This is where the peril of puffing up minor actors and conflating minor events shows itself as a major analysis flaw. Especially in cyber security, where there are real actors who present real dangers, a sense of balance is necessary. Inflating fears about things that are on their face innocuous leads to misallocation of resources, especially at a national level. It could even lead to a nationwide alert insinuating that a major video game is training the youth of America to become infrastructure hackers. The “hacking” showcased in the game is just a series of in-game events, with limited to no applicability outside of a fictional game universe.

Certainly there are risks involved in the hacking of road signs, but a distinction should be made when those hacks are minor and only possible because the service provider (in this case state Departments of Transportation) chose to abandon even the most basic security practices. Most of the other incidents of road sign hacking are so simplistic that they can be ignored entirely, as seen in the “Zombies Ahead” hacking of towable roadside signs. These “hacks” are possible because the towable signs still use default passwords and have poor physical security. Treating pranks at this level as some sort of infrastructure security threat that requires national attention shows a serious flaw in the perspective of our national cyber security organs and analysts. The know-how necessary for “hacking” towable road signs has been widely distributed on the internet for some time, especially in forums devoted to pranksterism.
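The weaknesses the two paragraphs above describe (telnet reachable over the network, SNMP left on a default community string, factory-default passwords) are all things an operator can find in their own asset inventory before anyone else does. The following Python audit is an added example written for this article, not code from CIS, MS-ISAC or any DOT; the inventory schema, field names and device records are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "info": 0}
DEFAULT_COMMUNITIES = {"public", "private"}   # well-known SNMP v1/v2c defaults
CLEARTEXT_SERVICES = {"telnet", "http"}        # logins cross the wire unencrypted


@dataclass
class Interface:
    """One management interface on a field device (constructed schema, an assumption)."""
    device: str
    service: str              # e.g. "telnet", "ssh", "snmp", "https"
    port: int
    internet_exposed: bool    # reachable from outside the management network
    credential_state: str     # "default", "changed" or "none"
    snmp_version: str = ""    # "v1", "v2c" or "v3"; SNMP interfaces only
    snmp_community: str = ""  # community string; v1/v2c only


def audit_interface(iface: Interface) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for a single interface."""
    # Any credential weakness is worse when the interface faces the internet.
    exposure = "critical" if iface.internet_exposed else "high"
    findings: list[tuple[str, str]] = []

    if iface.service in CLEARTEXT_SERVICES:
        findings.append((exposure, f"{iface.service}/{iface.port} carries logins in cleartext; replace with ssh/https or disable"))

    if iface.credential_state == "default":
        findings.append((exposure, "factory-default credentials still in use; set a unique password"))
    elif iface.credential_state == "none":
        findings.append((exposure, "no authentication configured on a management interface"))

    if iface.service == "snmp":
        if iface.snmp_version in {"v1", "v2c"}:
            if iface.snmp_community.lower() in DEFAULT_COMMUNITIES:
                findings.append((exposure, f"SNMP {iface.snmp_version} uses default community '{iface.snmp_community}'"))
            else:
                findings.append(("medium", f"SNMP {iface.snmp_version} authenticates with a plaintext community string; migrate to v3"))
        elif iface.snmp_version != "v3":
            findings.append(("info", f"unrecognised SNMP version '{iface.snmp_version}'"))

    if iface.internet_exposed:
        findings.append(("medium", "management interface reachable beyond the management network; restrict at the firewall"))

    return findings


def audit_inventory(inventory) -> dict[str, list[tuple[str, str]]]:
    """Map device name to its findings, omitting devices that are clean."""
    report: dict[str, list[tuple[str, str]]] = {}
    for iface in inventory:
        findings = audit_interface(iface)
        if findings:
            report.setdefault(iface.device, []).extend(findings)
    return report


def worst_severity(findings) -> str:
    """Highest severity among a device's findings ("info" when there are none)."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="info")


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Interface("sign-01", "telnet", 23, True, "default"),
    Interface("sign-02", "snmp", 161, False, "changed", "v2c", "public"),
    Interface("sign-03", "ssh", 22, False, "changed"),
    Interface("sign-04", "snmp", 161, False, "changed", "v3"),
]

if __name__ == "__main__":
    for device, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {worst_severity(findings)}")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
```

Run against the constructed inventory, sign-01 (internet-facing telnet with a default login) is rated critical and sign-02 (SNMP v2c on the community string “public”) high, while the ssh and SNMPv3 devices produce no findings. The point is the ranking: the same default password is a far bigger problem on an interface the whole internet can reach than on one confined to a management network, which is exactly the distinction the report above fails to draw.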

The lesson of this type of “infrastructure attack” should be taken from “Field of Dreams.” Applied to security: “If you break it, they will come.” Weak security on this class of devices is the real issue here, not the existence of Sun Hacker or the release of a video game.

-Dan Gifford

MCySec Media Manager
