Give Me the Green Light Part 2: Dirty Little Secrets

In this blog post we’re going to peek behind the curtain and find out what makes a traffic controller work. What I found surprised me: I can’t believe this exists in any technology, and honestly it has no place in Critical National Infrastructure.

Recon and Port Scanning

I started by running nmap against the controllers’ IP addresses. I identified FTP, Telnet, SSH, and HTTP. Later on I figured out SNMP is enabled, just not showing up on the port scans (don’t forget to scan for UDP).

Since the version of the Econolite controller we have didn’t have a web interface I could enable, I started by taking a look at the Telnet interface. The default credentials of Econolite and Admin appear to have been changed, so our next step was to brute force it.

Since I know the username is likely econolite, I created a file with just that username, and because it’s readily available I used rockyou for the password.

I fired up hydra and ran it against the FTP service. It’s common on older hardware for the Telnet password to be the same as the FTP password, and after 15 minutes of brute forcing I had our password: thompson1.

With this information I was able to gain access to the controller via Telnet, but I was presented with a VxWorks console that keeps spitting out the same network test over and over.

Help displays the help message, but then the console begins cycling the network test again. After several attempts at exiting, disconnecting/reconnecting and rebooting, I finally saw there was an option to disable the debug using Q <CR>.

Despite having admin-level shell access, the limits of the VxWorks shell were basically a dead end. Had it not been for the discovery of NTCIP I would have revisited.

At this point I moved on to the Intelight controller. Brute forcing SSH returned no early success like it did on the Econolite, and the default password had been changed. I began poking at the webapp and discovered the initial authentication bypass.

My Big Mistake

I knew if I could get SSH access on the version of Linux Kernel I’d be able to escalate myself to root. There wasn’t a real good reason for this other than my need to MAKE this system run Doom. I decided to perform a factory reset. When the controller came back online I found that the MaxTime software had been wiped from the system and I still couldn’t access SSH. So back to eBay I went to buy another controller.

Intelight Part Deux

After the new controller came in I began the process of wiring it up for AC power (side note: I’m beginning to run out of spare computer power cable to cannibalize). I plugged it in and configured the network interface, and when I logged into the MaxTime database editor I found it to be version 1.8.x. I tested my previous bypass and found it didn’t work; I guess someone didn’t retroactively apply all fixes to the 1.9.x firmware. I attempted to register my email on the Q-Free support portal but received no update on the status. I called support, and despite the temptation to flex my social engineering muscles I decided to be upfront and honest and tell them I was working on testing for a customer, and support responded with their typical “Go kick rocks”.

Back to WebApp

Being stuck at a dead end with no option for upgrade, I decided to fall back to what I know: WebApp pentesting. I fired up my Burp proxy and began exploring the website. The request looked normal except for one detail at the end.

I’ve seen that format before, that’s an OID from SNMP.

NTCIP: the Traffic Industry’s Dirty Little Secret

My initial thought was there is NO WAY the web interface is just a front end to configuring the controller via SNMP. Some Google searches led me to learn about the NTCIP protocol. So what’s the difference between SNMP and NTCIP? SNMP was developed by the Internet Engineering Task Force in 1988. In 1996 a bunch of alphabet soup (AASHTO, ITE, and NEMA) got together to develop the NTCIP protocol. I’ll simplify the story with this meme.

Free the MIBs… or not

Now that we know controllers are just using SNMP, we just need to download the MIBs to be able to query them and get the correct results. Easy enough: we go to https://www.freethemibs.org/ and just download the required MIBs for our controllers. Freethemibs has a great mission statement but falls flat if the vendors aren’t making the MIBs available.

I requested MIBs from Q-Free but didn’t receive any follow-up after the request and I never received access to the MIBs, so it was back to square one.

Enumerating SNMP

I knew from my experience with SNMP I could use snmpwalk but would need the MIBs. In my search for another way to enumerate SNMP I found MIB Browser from iReasoning; this tool ended up being the silver bullet for our research. I was able to load up the default MIBs and immediately start gathering data from the controllers.

90% of the data we need can be queried using the SNMPV2-MIB located in the MIBS folder of iReasoning. Even more interesting is that after I completed a MIB walk of our Econolite controller I noticed the majority of values are writable without the need for authentication. With that I could change values like sysLocation to anything I wanted.

Let’s see what is returned when we query our Intelight controller given the OID from earlier. Based on our findings earlier I know that when we enable security it sets the value of the OID to 2, so if we have a controller that has NTCIP enabled we can use MIB Browser to set that writable value to 1 and disable Web Security. Alternatively we can query the OIDs for username .1.3.6.1.4.1.1206.3.36.1.6.10.2.0 or password .1.3.6.1.4.1.1206.3.36.1.6.10.3.0 and the controller will return them in clear text. At this point we can choose to log in with credentials we know work or use MIB Browser to set them to something else.
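
A defender-side view of the requests described above, as an added example that is not from the original post: a minimal BER decoder that flags SNMPv1/v2c access to the two credential OIDs and any SetRequest in payloads captured from UDP/161. The sample datagrams and the "public" community string are constructed for illustration.

```python
# Added example: flag risky SNMPv1/v2c requests in captured UDP/161 payloads.
SENSITIVE = {"1.3.6.1.4.1.1206.3.36.1.6.10.2.0": "web username",   # OIDs quoted
             "1.3.6.1.4.1.1206.3.36.1.6.10.3.0": "web password"}   # in the post
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set", 0xA5: "getbulk"}

def tlv(buf, pos):  # read one BER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # OBJECT IDENTIFIER body -> dotted string
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)  # base-128, high bit means "more follows"
        if b < 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # first octet packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def inspect(datagram):  # -> list of alert strings, [] when nothing to flag
    alerts = []
    try:
        _, msg, _ = tlv(datagram, 0)                  # outer SEQUENCE
        _, version, p = tlv(msg, 0)
        if version not in (b"\x00", b"\x01"):         # only v1 / v2c handled
            return []
        pdu_tag, pdu, _ = tlv(msg, tlv(msg, p)[2])    # skip community string
        kind, p = PDU_NAMES.get(pdu_tag, hex(pdu_tag)), 0
        for _ in range(3):                            # request-id + 2 status ints
            p = tlv(pdu, p)[2]
        binds, p = tlv(pdu, p)[1], 0                  # VarBindList
        while p < len(binds):
            _, bind, p = tlv(binds, p)
            oid = decode_oid(tlv(bind, 0)[1])
            if oid in SENSITIVE or kind == "set":
                alerts.append(f"{kind} on {SENSITIVE.get(oid, 'object')} ({oid})")
    except (ValueError, IndexError):
        return ["malformed SNMP payload"]
    return alerts

# Constructed sample datagrams; the community "public" is a placeholder.
GET_PASSWORD = bytes.fromhex("302c02010104067075626c6963a01f020101020100020100"
                             "30143012060e2b060104018936032401060a03000500")
SET_LOCATION = bytes.fromhex("302702010104067075626c6963a31a020102020100020100"
                             "300f300d06082b06010201010600040178")
```

Feeding it the UDP payloads from a capture or a span port in front of the controllers gives a quick list of which management stations read the credential objects or write to the device.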

Final thoughts

NTCIP isn’t just limited to traffic controllers but all things in the transportation world. A complete list of field standards can be found on the Wikipedia page https://en.wikipedia.org/wiki/National_Transportation_Communications_for_Intelligent_Transportation_System_Protocol

Individual MIBs exist for each of these technology types which leads me to believe that Digital Signs could be hacked using the same method of setting the OID value. At this time I’m unable to confirm this until a customer brings digital signage into the scope of an engagement or one of them goes up for sale on eBay.

There was an incident in 2014 where Highway Digital Signs were “hacked” because default credentials were left after install and telnet was exposed to the internet.

https://www.securityweek.com/default-password-exposes-digital-highway-signs-hacker-attacks/

That concludes part 2 of the series; the next parts will dive into how to build your own lab and how traffic control systems work.
