Security News > 2020 > June > Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights

A critical vulnerability affecting traffic light controllers made by SWARCO could have been exploited by hackers to disrupt a city's traffic lights.
Peter Fröhlich, managing director at ProtectEM, told SecurityWeek that the vulnerability was discovered during a security audit conducted for a city in Germany that hired his company to analyze networked traffic systems.
The affected SWARCO controller runs BlackBerry's QNX real-time operating system and it's designed to control traffic lights in one intersection.
"In the unpatched system, an attacker gets unlimited root access to any traffic light controller without requiring any credentials through a well documented and known feature of the underlying operating system. The access is meant for debugging, so it is not a bug or software defect that can be exploited. Rather the system was deployed in a configuration not meant for a production system with no security in place for this access port. As documented for the operating system, for a production system this debug option needs to be turned off," Fröhlich explained.
"As we move to smart cities the industry faces new challenges with respect to hardening their system against intentional and untargeted security threats. Embedded controllers not only run traffic lights but also lighting systems, heating and cooling, elevators, doors and many other automated systems which affect a large number of people. Manipulation of the the behavior of such systems or mere denial of service can create significant impact," Fröhlich concluded.
News URL
Related news
- Critical FortiSwitch flaw lets hackers change admin passwords remotely (source)
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised (source)
- CISA warns of hackers targeting critical oil infrastructure (source)
- Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise (source)