As a process chemist I tend to think of ‘control systems’ as those systems used in a chemical plant to control operations; the latest advisory published by ICS-CERT reminds us that there are all sorts of systems controlled by software. Yesterday ICS-CERT published an advisory on a traffic control system from Post Oak. Independent researchers
Nadia Heninger, J. Alex Haldermanb, Zakir Durumeric, and Eric Wustrow identified an insufficient entropy vulnerability in the Bluetooth Reader Traffic System.
It would take a highly skilled attacker to exploit this vulnerability, according to the advisory, but it would allow a man-in-the-middle attack that could provide unauthorized access to the system. There is no known publicly-available exploit for this vulnerability.
Another Remote Fix
Post Oak has developed a patch for the system that will mitigate this vulnerability, though the advisory does not explicitly say that anyone has independently verified the efficacy of the patch. That notification is frequently provided (either positively or negatively) in these ICS-CERT advisories, the lack of a notice one way or another is confusing. There is, however, another potentially disturbing statement about this patch in the advisory (page 3):
“The patch will be installed on all new devices when initially configured. Existing equipment will be patched by remote access [emphasis added] and upgraded to the latest firmware.”
This certainly sounds to me like Post Oak is going to link to installed devices and upgrade the firmware pretty much without owner intervention. In some ways that will certainly be a boon to some owners; they won’t have to get involved in something they don’t really understand. Now traffic control systems engineers may be different from the chemical control systems engineers that I’ve known, but I’m not sure that I would like having someone mess with my system (no matter how beneficially) without my specific authorization.