Default passwords on road signs in Austin

I lamented a while back on my personal blog about default passwords.  It was inspired by a client who had us doing a security assessment.  We found a default password on the device that aggregated all of their Internet connections (argh).

And now Austin, TX, is feeling the same pain on default passwords, but it is not on anything like their Internet connection.  No, their problem is with road signs.  Yep, you read that right - road signs.  Here's the story.  Fox News is reporting "that a portable traffic sign at Lamar Boulevard and West 15th Street, near the University of Texas at Austin, was hacked into during the early hours of Jan. 19."  The jokesters changed the sign to read "Zombies Ahead".  The article quotes a post at about how to hack the signs (Computerworld, i-hacked, and I do not condone the illegal hacking of anything, and that includes street signs) and also quotes the sign manufacturing company as saying that the signs are "tamper-resistant and equipped with external locks."  But as the story says, "the signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed."

Now on the surface, this is pretty funny.  Yes, it can be dangerous, but it is still funny.  But the point is that default passwords are still a problem with even security and network professionals.  What do you expect from people who deploy road signs?  I am not saying road crews are stupid.  I am saying that they are not thinking that someone is going to hack their signs.  That is just not their main focus. 

So will the sign manufacturers do anything to make them more secure?  Probably not.  This is simply a low risk problem.  Not many people are going to jack with the signs, so the incidents are going to be low.  And if they try to complicate the security, they might make things difficult and less efficient for road crews (imagine having to maintain a password list for all the road signs in your city - they would probably end up writing the password in permanant marker on the inside panel anyway).  Of course, if someone gets hurt or killed because of this and families sue, then things will change.  But like always, it takes a serious incident to get anyone to do anything.  Unfortunate, but true.


Copyright © 2009 IDG Communications, Inc.

Shop Tech Products at Amazon