City

It’s still really easy to hack and reprogram road signs

Easily accessed through default passwords that are never changed, road signs can be altered to state anything from video-game jokes to zombie warnings.

By Benjamin Freed

August 27, 2018

A hacked road sign in Chicago in 2009, one of many over the years to be illicitly reprogrammed to warn about a non-existent zombie uprising. (Amy Guth / Flickr)

Instead of being alerted to approaching maintenance work on a busy street, drivers in Arlington, Virginia, last week were greeted by an electronic road sign bearing an unusual, five-letter message: “Ligma.”

The message — a reference to a crass, anatomical joke popular among fans of the battle-royale game Fortnite — was just the latest example of a road sign being reprogrammed by somebody exploiting the device through a factory-default password that’s been widely distributed around the internet. And as the signs are often owned and operated by private contractors doing the road work, there’s often little government transportation officials can do to prevent the hacking.

“This is fairly common,” said John Mueller, the vice president for sales at ADDCO, the Minnesota-based manufacturer of the Arlington road sign that was commandeered for the Fortnite reference. “There is a default password. If it has not been changed, it has been posted on the internet.”

The standard password for ADDCO-made road signs has been easily findable since at least 2009, when the automotive news blog Jalopnik published a post with instructions on how to access and reprogram the equipment. Mueller said instruction manuals that come with signs include language explaining the security settings, but he also told StateScoop this is standard procedure for road-sign manufacturers. Other companies’ default passwords have also been posted online, he said.

Signs can be altered either physically, with a controller kept behind an access panel, or over the internet, if they’re equipped with a modem. In either instance, Mueller said, the factory-default password is the same. The Arlington sign was hacked on-site, according to A&M Concrete, the contractor performing the road-maintenance project where it was placed.

The result is an open-ended streak of road signs reprogrammed to say whatever is on a hacker’s mind, no matter how political, absurd or offensive. Also last week, a sign in Brooklyn — also belonging to a contractor — was altered from its usual message about road work to read “F— Trump.” In May, a sign posted along a triathlon course in North Carolina was made to blare “Expect delays. A–holes on bikes.” Earlier that month, drivers in Greenville, South Carolina, went past a sign warning them that zombies were two miles ahead . (Invasions of the undead are a recurring theme in road-sign hacks.) And in February, an electronic sign on a highway overpass outside Phoenix blasted “Hail Hitler.”

Short-lived, but potentially scary

Although these stunts are often over quickly, they can cause big headaches for officials in the communities where they occur. On Monday, after local-news website ARLNow reported the “Ligma” hack, Arlington County Chief Information Officer Jack Belcher asked his colleagues what would’ve happened if the hacker had left a less innocuous message.

“To some this is a ‘prank’ to me it is an indication of a lack of security on a portion of our SCADA infrastructure,” Belcher wrote in a county-government email chain obtained by StateScoop, referring to supervisory control and data acquisition, a system that uses networked computers to operate remote machinery. “What if the message was ‘Terrorist Attack in Washington, please leave the area'[?]”

Belcher asked his team to investigate the sign-hacking incident. Greg Emanuel and Hui Wang, officials in Arlington’s Department of Environmental Services, which oversees the county’s transportation projects, wrote back that eight permanently installed electronic signs the county government owns are controlled through a central server protected by a firewall. But mobile signs, like the one that presented the Fortnite reference, are often owned by construction contractors.

In an email to county officials Monday afternoon, Matt Grover, an A&M Concrete project manager said his crew had removed the controller from the affected sign. “This should not longer be an issue,” he wrote.

Arlington officials, though, appear to be taking the episode as a lesson about the easy vulnerability of some of the most basic pieces of infrastructure, said county spokeswoman Jessica Baxter.

“One thing our project managers have noted to contractors is that you need to make sure your equipment is secure,” Baxter said.