App broke 'every rule in the book', leaving billboards open to the threat of real-life ad-blocking


OutdoorLink Inc. has patched several vulnerabilities in its SmartLink Systems app that could have allowed an attacker to assume control of outdoor electronic billboards and compromise users' login credentials.

According to its website, OutdoorLink is "a cellular M2M controller system designed to remotely control and monitor billboard lighting applications."

Its mobile app, SmartLink Systems, lets users remotely control and monitor their OutdoorLink-connected billboards from a phone or tablet. Users can also upload images of a billboard from their camera and tag billboards using their GPS.


This story goes back to July of this year when Randy Westergren, a software developer and security researcher, first started playing around with the Android version of SmartLink.

Westergren notes in a blog post that he began by decompiling the APK and analyzing the source. After searching around for some traces of API communication, he was unable to find a session state mechanism that would authenticate a user during HTTP requests. He therefore decided to debug the app and see if he could force a request manually.

He did not expect what happened next:

"On my device, I attempted to login in order to trigger the breakpoint. Once execution was paused, I manually invoked the getCustList method with a dummy UserID parameter to check whether the request would be formed and completed. To my surprise, it returned a full dump of the entire customer list."


Westergren's discovery confirmed that the app did not use a session state mechanism, meaning that an attacker could hack their way into assuming control of any billboard in the system.
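The missing check described above, shown as an added example that is not OutdoorLink's code or part of the original article: a handler that trusts the client-supplied UserID, next to one that takes the caller's identity from a server-verified session. The token format, the function names other than `getCustList`, and the sample records are assumptions made for illustration; the token has no expiry or revocation and would have to travel over HTTPS.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: customer records keyed by the owning user id.
CUSTOMERS = {
    "u100": ["Acme Outdoor", "Route 9 Media"],
    "u200": ["Lakeside Signs"],
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def _sign(user_id, nonce):
    """HMAC-SHA256 over the session fields, keyed with the server secret."""
    msg = f"{user_id}.{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def get_cust_list_unauthenticated(user_id):
    """Behaviour the article describes: no session check, so any UserID
    value (even a dummy one) yields the entire customer list."""
    return [name for names in CUSTOMERS.values() for name in names]


def issue_session(user_id):
    """Called only after a successful login; returns '<user_id>.<nonce>.<mac>'."""
    nonce = secrets.token_hex(16)
    return f"{user_id}.{nonce}.{_sign(user_id, nonce)}"


def verify_session(token):
    """Return the authenticated user id, or None if the token is missing or forged."""
    try:
        user_id, nonce, mac = token.split(".")
    except (AttributeError, ValueError):
        return None
    expected = _sign(user_id, nonce)
    return user_id if hmac.compare_digest(mac.encode(), expected.encode()) else None


def get_cust_list(token, requested_user_id):
    """Hardened handler: identity comes from the verified session, and the
    client-supplied UserID must match it, so callers see only their own data."""
    session_user = verify_session(token)
    if session_user is None:
        return 401, []
    if requested_user_id != session_user:
        return 403, []
    return 200, list(CUSTOMERS.get(session_user, []))
```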

Things only got worse from there. Upon further investigation, Westergren found that the app was using HTTP, meaning that all users' login information was sent in plaintext. Additionally, files in the "/mobile/" directory were found to contain not only the API's source code but also a log of all users' login activity for the past six months, with usernames and passwords displayed in plaintext.


"It seemed OutdoorLink had broken every basic rule in the book and left all of their customers carelessly vulnerable to attack," the researcher commented. "[I]t would be simple for an attacker to make his own 'highway adblock' by killing all of the billboard lights in the system."

On July 29, Westergren sent a report to the Director of Engineering at OutdoorLink detailing his findings. Although he received a response soon after, the vulnerabilities were not completely fixed until early November, by which time OutdoorLink had released a new, redesigned app for both Android and iOS.

"There is no evidence in system security and audit logs that any true exploits of this app vulnerability ever occurred," Jim Morris, director of engineering at OutdoorLink, told Motherboard in an email. "And it is important to note that this vulnerability did not extend to the OutdoorLink website, which is the primary user interface to the SmartLink system."

As noted above, these vulnerabilities were not likely to be exploited in the wild. For the extra-cautious user who might be worried about getting hacked, a quick and easy password change should assuage all fears moving forward.

However, that doesn't mean that operators of internet-enabled billboards shouldn't be worried about their security. Earlier this year, pranksters hacked their way into electronic billboards in Buckhead, Atlanta to display obscene images.

flickr photo shared by hoggardb under a Creative Commons ( BY-NC-ND ) license.


One Response

  1. coyote

    December 2, 2015 at 8:42 pm #

    '"There is no evidence in system security and audit logs that any true exploits of this app vulnerability ever occurred," Jim Morris, director of engineering at OutdoorLink, told Motherboard in an email.'

    Irrelevant to the discussion. And a fallacy. The discussion is about the flaws – not specific exploits that took place. Besides, what would they know about evidence if they were so reckless in the first place?

    ' "And it is important to note that this vulnerability did not extend to the OutdoorLink website, which is the primary user interface to the SmartLink system."'

    Irrelevant. And a fallacy. The fact it isn't vulnerable everywhere doesn't mean it is invulnerable everywhere. The discussion is about what IS vulnerable not what IS NOT.

    'Earlier this year, pranksters …'

    And countless other times.
