Schneier on Security
A blog covering security and security technology.
« Hard Drive Encryption Specification |
| List of NSA Video Courses from 1991 »
February 5, 2009
Hacking an Electronic Road Sign
It's easy: cheap lock, and default password. And fun.
EDITED TO ADD (2/13): Some more hacks.
Posted on February 5, 2009 at 2:42 PM
• 42 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Thanks for this post! I've been hunting around the interweb's here for some user manuals. Great little how-to.
Oh no! Bruce! Think of the Children!
This shows a common problem with password reminder/reset systems: The reset password is easy to find, and can be reset by an unauthorized user.
Hmm, so tempted to change a sign to "That black car has been following you for 30 minutes now"...
Yeah, the Austin press reported the default password had been changed but they did not bother to point out that the password can be reset easily by anyone with fingers.
I guess the only reason to change the password from the default would be to know when someone has used the reset sequence. On the other hand a giant scrolling "Zombie" message seems to serve that function better.
"And so they had to break in and hack into the computer to do it, so they were pretty determined," said Hartley.
I would hardly call this "hacking"; more like "reading manual". I hate it when the news sensationalizes these sorts of things as "hacking". It's not hacking if it's included in the instructions.
Not seen those kind of signs in the UK but we do have massive electronic signs on our motorways which are controlled remotely.
I'm surprised no one has figured out how to change those yet.
"It's not hacking if it's included in the instructions."
Changing the text to "NAZI ZOMBIES AHEAD" was not covered in the manual, and it fits with the "classic" jargon-file description of a hack. ;)
"Changing the text to "NAZI ZOMBIES AHEAD" was not covered in the manual"
While that particular phrase is not in the manual, changing the text to be displayed is. I doubt the manual has a page that tells you how to make the sign say "Sharp Turn Ahead", but if a construction worker set the sign to say that, it wouldn't be hacking either.
I have to disagree with Sara Hartley; a road sign warning of Zombies is far more likely to get me to slow down than one warning of construction. I think that the person doing that did a public service.
A few days after the zombies sign, there was another sign, in Indianapolis, that was changed to warn about Raptors: http://www.theindychannel.com/news/18620871/...
best quote: "It's kind of crazy. I'm totally confused," said one motorist. "I'm kind of expecting … dinosaurs to run down the road, or something."
Luckily, zombies and raptors are unrealistic enough that most motorists will recognize them as pranks and simply be alert for whatever unknown obstacle the sign must have been supposed to warn about.
But imagine if some genius prankster reprogrammed a sign next to a busy divided highway to say NUCLEAR FALLOUT AHEAD. How long till the first panicked U-turn attempt and subsequent massive pileup?
@Anonymous: "Not seen those kind of signs in the UK but we do have massive electronic signs on our motorways which are controlled remotely.
I'm surprised no one has figured out how to change those yet."
Not sure about the UK, but at least in my city the communication lines to the message signs are long, easily tapped, and unencrypted.
Further, many of the portable signs (such as those described in the story) have a wireless modem. If you have the sign's phone number and the manufacturer password, you can tamper with it from miles away.
I agree, Bruce is definitely guilty of manslaughter for posting this. Unfortunately, you'll probably have trouble convincing the US government to extradite him to Klaus's Magical Fantasyland for prosecution.
"Do you believe in zombies? Do you have a zombie escape plan? Let us know what you think about zombies by participating in our message board ."
I think the world would be a more entertaining place if more news articles ended with that paragraph.
>NAZI ZOMBIES AHEAD
Lordy, the prosecutors would have stiffies trying to decide whether to charge you having done an act of terrorism or a hate crime.
@tim. It is hacking because the use goes beyond the intended use and exposes a weakness in the design.
@Matt from CT
> Lordy, the prosecutors would have stiffies trying to decide whether to charge you having done an act of terrorism or a hate crime.
In some parts of the Euro zone you have to be careful of the "N word" as it's a crime to glorify etc them.
Now I wonder if the TV station's web site has been hacked too. The sidebar for this story is "Your Guide to the Undead" and it says things like "Zombie Pin-Ups: Where beauty eats brains" and "New book: Jane Austen meets the Undead." Not to mention "Bush finds a new threat in zombies."
Either that or someone at KXAN actually has a sense of humor.
@Trevor - come to the UK. BBC News is fond of soliciting viewers opinions, regardless of the potential merits of the viewing publics thinking. "Will the Large Hadron Collider destroy the earth?" You might not have a clue about these things, but we'll read out your misguided ramblings anyway, *sigh*. They wouldn't blink at enquiring after our feelings about zombie attacks.
Who reads signs any more? There are just sooooo many of them...
"Speculation among the tech-savvy on the Internet is that the signs were inspired by the video game Call of Duty 5, World at War [...]"
Ah, yes. Obviously, because zombie jokes where unknown before...
Ps. Thanks for posting this Bruce, I laughed out loud.
The gem I'd like to see is a sign on the north bound side of I-95, around Ft Lauderdale, saying "DEA Checkpoint - 2 Miles" and the sign is placed about 1 mile before an exit.
That would be great...
>Oh no! Think of the Children!
Thanks Rich, that's a nice idea for the next signhack. It sure beats my idea of "this sign is not hacked."
perhaps someday we will stop using the term hacking for something which comes with instructions and lacks difficult prevention controls. a padlock and universal password reset? please. every trespass is now a hack?
perhaps the meaning will continue to dillute, as in i just hacked into the toaster this morning as i drank from my hacked coffee maker and waited for my hacked dryer to finish the laundry so i could hack into my car...
I think there's a legitimate difference between "hack" and "hack into".
I have hacked toasters and other non-electronic items before. I use "hack" simply to mean an unexpected use or reuse. I have never hacked into a toaster, though.
The verb "hack" has several shades of meaning, most of which are lost in common usage. Sort of like the word "security", especially when prefaced by "Department of Heimat".
They should have reset the sign to "Change my password!"
At a small airport near me, there's an actual road sign that says, "Warning: Low-flying aircraft." What exactly you're supposed to do about that is not explained.
re: the word "hack"
Whatever "hack" meant when it was first coined, Phil Agre is in error: it doesn't have only one meaning anymore. Some of the newer meanings are pejorative.
Get over it, already. It's not a technical term. It's a colloquialism.
Considering they put in a link to a company that makes Zombie boardgames, I'm betting on a sense of humor. Something that more news outlets should have.
A *REAL* hack would make the sign say "Road closed ahead, turn around now" or something like that. You know, to cause massive amounts of off-highway traffic, buckets of driver frustration, and probably even a highway patrol call to disable the misleading sign.
This is a handy skill to have for correcting typos committed by the construction crew, such as this one that was displayed last year on New York City's West Street: "NEW TRAFFIC PETTERN".
@Anonomous, Feb 6, 2009 12:39
The purpose of the "Low-flying Aircraft" sign is to keep people from calling 911 every time a plane flies 30 feet over their car. (Also, having a small plane appear to be right in front of your car can be disconcerting to some drivers)
New version coming to Arizona:
ID Check Ahead.
Wonder how many screaming brakes and tires that would cause?
Whats the charge for manipulating a sign like that? Sounds like hella fun!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.