Hacking an Electronic Highway Sign is Way Too Easy


(Image credit: @ISUN_HACKER)

You know those electric highway signs that often display annoying but important messages about upcoming traffic concerns? They're called dynamic message signs, and a certain brand of them is as easy to hack as changing lanes on the highway. 

According to an alert from the US Department of Homeland Security, the dynamic message signs by Brookings, South Dakota-based company Daktronics Vanguard all come with the same default password, and they can be accessed remotely over a network connection. That's the digital equivalent of locking your front door but leaving the key in the lock.

MORE: Best Antivirus Software 2014

Daktronics Vanguard says these passwords can and should be reset, so at least the signs aren't stuck with their default passwords. So it's on the signs' operators, such as state Departments of Transportation, to change the password.

Prank hacks of these highway signs happen all the time. Last week, three different North Carolina highway signs were hacked and reprogrammed to display the message "Hack by Sun Hacker."

On Twitter, a user who appears to be the same Sun Hacker described the method: "Change the lan of VPN to INTERNET protocol. Scan all the range of the IP on port 23. Bruteforce the password. Add your message."

Basically, this amounts to switching the signs from a virtual private network (VPN), an ostensibly secure connection separate from the general Internet, to a more accessible Internet protocol, then locating the sign's unique IP address. "Bruteforce" refers to a technique hackers use to crack passwords by writing a (fairly simple) program that automatically tries every single combination of letters and numbers, starting with the simplest and escalating in complexity. A password like "1234" can be cracked within seconds by a basic "bruteforce" attack.

In other words, what Sun Hacker and his or her ilk do is pretty basic. "Near as I can tell, Sun Hacker is an unremarkable script kiddie who enjoys defacing Web sites," wrote independent security expert Brian Krebs on his blog.

As evinced by Department of Homeland Security is getting involved, it follows that more malicious hackers could do more damage than a harmless prank with this vulnerability as well.

Email jscharr@tomsguide.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • pills161
    Sun Hacker has absolutely no life, he/she needs to go find a real job.
  • JohnnyBloomington
    Sun Hacker brought awareness to poor/lazy state DOT.
  • WyomingKnott
    Imagine "Speed limit 95. Please drive on the left-hand side." Must be terrorists.
  • coolitic
    Sun hackers is an idiot, and so are the guys who make these signs.
    The combination is 1-2-3-4-5. That's the stupidest combination I've ever heard in my life. That's the kind of thing an idiot would have on his luggage!
  • mamasan2000
    The signs need to get a life! Spouting nonsense!
  • Someone Somewhere
    Your honour, I was not speeding. I was perfectly within 200km/h. Look at the speed signs yourself.
  • reactive
    The signs here in the UK are usually so ridiculous that they deserve to be hacked, just to amuse drivers. "FOG" they say when it's mildly foggy; "POOR DRIVING CONDITIONS" when it's raining; or "LOW SUN" when the sun is in your face and you can hardly read the sign anyway. And in Wales (stuck on the left side of England), every other sign on the M4 is in the Welsh language... which about 5% of the local population could actually understand or care to read... so making half the signs *totally* meaningless to about 97% of the road users (including foreign drivers)! How's that for stupid?
  • jhansonxi
    I worked for a different company that made similar signs. Their security wasn't much better. These signs are generally custom-made for government contracts. The requirements often mandate ridiculous things because some bureaucrat though it made themselves look knowledgeable, while ignoring really critical aspects like safety and security. Some requirements are made specifically to fit one vendor's existing product line to help them underbid competitors.