A reported vulnerability in sign messaging software can be mitigated by changing the default password upon installation.
A public report describes a hardcoded password vulnerability affecting Daktronics Vanguard highway dynamic message sign (DMS) configuration software, according to ICS-CERT.
According to this report, the vulnerability is a hardcoded password that could allow unauthorized access to the highway sign.
The report came to ICS-CERT from the Federal Highway Administration. ICS-CERT notified the affected vendor and asked it to confirm the vulnerability and identify mitigations.
The vendor, Daktronics, said the software does not have a hardcoded password, but it does have a default password the user can change upon installation.
A proof of concept is publicly available. ICS-CERT recommends that entities review sign messaging, update access credentials, and harden communication paths to the signs.
Daktronics and the Federal Highway Administration recommend the following:
• Displays should not be on publicly accessible IP addresses. Placing a display on a private network or VPN helps mitigate the lack of security,
• Disable the telnet, webpage, and web LCD interfaces when not needed, and
• Change the default password to a strong password as soon as possible on all installed devices.
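
The three recommendations above can be checked against a device inventory. The following Python script is an added example, not code from Daktronics, the Federal Highway Administration or ICS-CERT; the CSV column names and sample rows are constructed for illustration, and "private network" is assumed to mean RFC 1918 address space.

```python
import csv
import io
import ipaddress

# RFC 1918 ranges; an address outside them is treated as potentially public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory. Column names are hypothetical, not a Vanguard export format.
SAMPLE_INVENTORY = """\
sign_id,ip,telnet_enabled,web_enabled,web_lcd_enabled,password_changed
DMS-001,10.20.1.15,no,no,no,yes
DMS-002,203.0.113.40,yes,yes,no,no
DMS-003,192.168.50.7,yes,no,no,yes
DMS-004,172.16.9.3,no,no,yes,no
"""

INTERFACES = (("telnet_enabled", "telnet"),
              ("web_enabled", "webpage"),
              ("web_lcd_enabled", "web LCD"))

def is_yes(value):
    """Missing or empty cells count as 'no'."""
    return (value or "").strip().lower() in ("yes", "true", "1")

def audit_sign(row):
    """Return the findings for one inventory row (empty list = compliant)."""
    findings = []
    try:
        addr = ipaddress.ip_address((row.get("ip") or "").strip())
    except ValueError:
        findings.append("invalid IP address in inventory")
    else:
        if not any(addr in net for net in RFC1918):
            findings.append("address is outside private (RFC 1918) space")
    for field, label in INTERFACES:
        if is_yes(row.get(field)):
            findings.append(f"{label} interface enabled; disable when not needed")
    # Fail closed: an unknown password state is reported as unchanged.
    if not is_yes(row.get("password_changed")):
        findings.append("default password not changed")
    return findings

def audit_inventory(text):
    """Map each sign_id to its list of findings."""
    return {r["sign_id"]: audit_sign(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for sign, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(sign, "OK" if not findings else "; ".join(findings))
```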