In the age of the internet of things, where all kinds of old-fashioned devices and technologies are now connecting to the net, everything can be hacked, including cars, cities, parking garages, and wind turbines. Now, a security researcher has proven this adage once more, finding a way to turn off the lights on tens of thousands of billboards by taking advantage of some flaws in an Android app designed to control the billboards' lighting system.
Over the summer, Randy Westergren, an independent security researcher, found that the Android app for SmartLink, a system to remotely control billboards' night lighting, had a series of bugs in its API. These bugs allowed any malicious hacker to easily shut off the lights on any billboard in the SmartLink system, which is provided by a company called OutdoorLink, as Westergren explained in a blog post published on Sunday.
Earlier this year, someone hacked a video billboard to display one of the internet's most shocking and disgusting memes. But the flaws revealed by Westergren show that even old-fashioned analog billboards can be hacked, although indirectly.
"An attacker could exploit the vulnerability to shut off the lighting units for all of the billboards in the system."
"An attacker could exploit the vulnerability to shut off the lighting units for all of the billboards in the system," Westergren told Motherboard in an email. "I jokingly refer to this as a physical world's analogy to browser ad blocking extensions, since drivers at night would pass by dark SmartLink billboards, effectively 'blocking' the ads."
The system is used in more than 60,000 billboards in the United States, according to OutdoorLink.
Westergren reached out to OutdoorLink at the end of July to report the bugs. The company mitigated the issues "within a matter of days," forcing the use of SSL web encryption between the apps and the servers, according to Jim Morris, the director of engineering at OutdoorLink.
Then, the company released a new, redesigned, Android app "within one month" and released an updated iOS app "a little over two months" after the initial bug report, according to Morris.
"There is no evidence in system security and audit logs that any true exploits of this app vulnerability ever occurred," Morris told Motherboard in an email. "And it is important to note that this vulnerability did not extend to the OutdoorLink website, which is the primary user interface to the SmartLink system."
So all in all, no billboards went dark thanks to these bugs, which is good news. The bad news is that there will likely be more bugs like this in other internet of things devices, or worse, in some industrial control systems. And the next bugs might be in things that can actually have a real effect and damage on people's lives.
"The industry is still somewhat young," Westergren said. "And a lot of companies who are experienced, for instance, with designing billboard lighting systems, don't seem to be very experienced with software development—a misunderstanding that can be costly for both the company and its customers."