Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Highway Sign Hacking. Show all posts

Remote Exploits Target Controller Flaws in Highway Signs and Digital Billboards


 

With the increasing integration of digital display infrastructure within transportation networks and public information systems, vulnerabilities within controllers that operate these assets present an increasing threat to cybersecurity. 

A number of Daktronics display controllers have been reported to contain critical and high-severity vulnerabilities that could allow unauthorized remote access to the content appearing on the highway message boards, roadside signs, and digital billboards. 

According to an independent cybersecurity researcher who identified the security flaws and subsequently published an advisory, widespread deployment of controller models for the management of large-scale LED display systems within highways, airports, sports stadiums, and urban advertising networks are affected by the flaws. 

A variety of vulnerabilities within operating display technologies are identified in this study, which illustrate how they can affect more than just the security of the system, resulting in tangible risk to public communications, infrastructure integrity, and reliability of information delivered via connected electronic signage. 

According to the latest advisory issued by CISA under ICSA-26-176-04, the Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 display controllers are affected. A total of nine vulnerabilities have been disclosed which expose weaknesses across directory access, file management, and administrative authentication. One of the vulnerabilities, CVE-2026-28701, allows both authenticated and unauthenticated remote users to enumerate arbitrary paths on the file system irrespective of their identity. Secondly, CVE-2026-33560 pertains to the DMP-5000 file service, where authenticated users can upload files of any type without being validated, enabling the deployment of unauthorized content. CVE-2026-31928 relates to a default administrative web account that is configured with weak authentication controls and does not require password modification during deployment, which allows attackers to gain full control of the system if left unchanged. 

Security researcher Thomas Jou, an undergraduate at Princeton University, discovered the vulnerabilities after discovering a number of internet-facing controllers with the potential to be remotely targeted. It has been reported that Jou submitted his findings via CISA's VINCE vulnerability reporting platform in early January 2026, which enabled Daktronics to prepare patched firmware by early March, prior to the release of a public advisory.

Despite the availability of updated firmware, the researcher stressed that organizations must ensure affected controllers are not exposed directly to the public internet, as patching alone does not eliminate unnecessary attack surfaces. In addition to the mitigation guidance provided by Daktronics, customers are encouraged to change default administrative credentials. 

In June, a security incident involving a FIFA World Cup API authorization flaw exposed live television broadcasts to an account takeover, following several instances of security incidents involving publicly accessible infrastructure and digital platforms. A cPanel vulnerability affecting over 550,000 servers was exploited last month, as was the compromise of airport public address systems across Canada and the United States last year, during which unauthorized political and anti-Israel messages were broadcast. 

These incidents provide an example of how overlooked vulnerabilities in internet-connected communication and operational systems can rapidly develop into high-impact disruptions with public consequences if not addressed. The underlying controllers of connected display technologies require the same level of security oversight as any other internet-accessible operational system as they become an integral component of public infrastructure. 

The timely management of patches, removal of unnecessary external exposures, and strong authentication practices are all necessary to prevent vulnerabilities from becoming potential avenues for real-world disruption. As operators are reminded by these findings, the resilience of public-facing digital infrastructure depends on both its deployment and its design in equal measure.