You know those electric highway signs that often display annoying but important messages about upcoming traffic concerns? They're called dynamic message signs, and a certain brand of them is as easy to hack as changing lanes on the highway.
According to an alert from the US Department of Homeland Security, the dynamic message signs by Brookings, South Dakota-based company Daktronics Vanguard all come with the same default password, and they can be accessed remotely over a network connection. That's the digital equivalent of locking your front door but leaving the key in the lock.
Daktronics Vanguard says these passwords can and should be reset, so at least the signs aren't stuck with their default passwords. So it's on the signs' operators, such as state Departments of Transportation, to change the password.
Prank hacks of these highway signs happen all the time. Last week, three different North Carolina highway signs were hacked and reprogrammed to display the message "Hack by Sun Hacker."
On Twitter, a user who appears to be the same Sun Hacker described the method: "Change the lan of VPN to INTERNET protocol. Scan all the range of the IP on port 23. Bruteforce the password. Add your message."
Basically, this amounts to switching the signs from a virtual private network (VPN), an ostensibly secure connection separate from the general Internet, to a more accessible Internet protocol, then locating the sign's unique IP address. "Bruteforce" refers to a technique hackers use to crack passwords by writing a (fairly simple) program that automatically tries every single combination of letters and numbers, starting with the simplest and escalating in complexity. A password like "1234" can be cracked within seconds by a basic "bruteforce" attack.
In other words, what Sun Hacker and his or her ilk do is pretty basic. "Near as I can tell, Sun Hacker is an unremarkable script kiddie who enjoys defacing Web sites," wrote independent security expert Brian Krebs on his blog.
As evinced by Department of Homeland Security is getting involved, it follows that more malicious hackers could do more damage than a harmless prank with this vulnerability as well.