Austin, Texas discovered its road signs were tampered with only a couple weeks after their vulnerabilities were disclosed, according to the statesman.com:
Someone reprogrammed two city construction road signs near the University of Texas early Monday morning in an attempt to warn Austin of an imminent zombie attack.
Messages that typically alert Lamar Boulevard drivers to a detour for Martin Luther King Jr. Boulevard splashed several warnings like “Caution! Zombies Ahead!” and “Nazi Zombies! Run!!!”
Amusing, but the facts of the case are not as impressive as I had hoped.
Jones, who has one of only two keys to the locked access panels on the portable signs, said that the hacker broke into the panels on each sign and bypassed the passwords before leaving five different zombie messages and even changing one of the passwords. Jones said he had to wait until 8 a.m. to call the manufacturing company to figure out how to override the hacker’s work. He speculated that the hacker could be a computer genius from UT.
Uh huh, a genius. That’s definitely the profile of a person who applies public instructions on how to reprogram a road sign. Note that anyone can reset the password to the default even if it has been changed.
The hacking occurred within weeks of various articles appearing online with descriptions of how to hack into these road signs — which point out that such an act is illegal.
Dennis Crabill, project manager with the Public Works Department, said the access panels are always locked and are not programmed with the default passwords these sites suggest. Short of having a watchman on duty around the clock, he said there is little more the city can do to prevent such vandalism.
Once that stupid reset function has been properly fixed, perhaps stronger passwords? Patches for known vulnerabilities? Maybe a more sophisticated combo/key lock more resistant to cutting, instead of a weak one that requires only a key? How about an alerting system that uses radio or cell to report attempts to break in, or even that the locked panel has been opened? They also could use timed lockouts to prevent brute forcing the password. I guess I could think of a lot of things other than a watchman.
My favorite example so far, of this kind of trespass (hard for me to call it hacking when it comes with instructions), came from MIT last year: