Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units SPI Flash Access Control Vulnerability

Vulnerability

A vulnerability exists in the Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units, specifically in versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. The issue stems from incorrect access control in the SPI Flash Chip, which allows physically proximate attackers to arbitrarily modify SPI flash regions. This unauthorized modification can degrade the security posture of the device by enabling persistent backdoors through the manipulation of firmware or critical system data.

Impact

Exploitation of this vulnerability allows unauthorized modification of the SPI flash memory, where critical firmware and system data are stored. Such changes persist across reboots and could potentially bypass security mechanisms such as Secure Boot, if it were enabled.

Reproduction

The vulnerability can be reproduced by accessing the SPI flash regions through the Chipsec utility, which confirms the lack of proper write protection. After verifying the vulnerability, malicious firmware can be written to the flash memory, where it will remain even after the device is rebooted.
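
As an added example (not from the original advisory, the vendor, or the Chipsec project), the write-protection check described above can be expressed as a decoder over the SPI controller registers such an audit reads. The Intel PCH bit layout, the `SpiState` and `audit` names, and every register value are assumptions or constructed samples; the page does not name the platform.

```python
# Added example: register values below are constructed, and the bit layout is the
# Intel PCH one (an assumption; the page does not name the platform).
from dataclasses import dataclass

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5  # BIOS_CNTL bits
FLOCKDN = 1 << 15                               # HSFS: SPI config lock-down
WPE = 1 << 31                                   # PRx: write-protect enable

@dataclass
class SpiState:
    bios_cntl: int   # BIOS_CNTL register value
    hsfs: int        # HSFS register value
    pr: list         # PR0..PR4 register values
    bios_base: int   # first byte of the BIOS region (from the flash descriptor)
    bios_limit: int  # last byte of the BIOS region

def pr_range(value):
    """Decode a PRx register to (base, limit), or None if it protects nothing."""
    if not value & WPE:
        return None
    return (value & 0x7FFF) << 12, (((value >> 16) & 0x7FFF) << 12) | 0xFFF

def audit(s):
    """Report which write-protection mechanisms guard the BIOS region."""
    smm_only = bool(s.bios_cntl & BLE and s.bios_cntl & SMM_BWP
                    and not s.bios_cntl & BIOSWE)
    cursor = s.bios_base  # lowest BIOS-region byte not yet shown to be covered
    for base, limit in sorted(r for r in map(pr_range, s.pr) if r):
        if base <= cursor <= limit:
            cursor = limit + 1
    pr_cover = cursor > s.bios_limit
    locked = bool(s.hsfs & FLOCKDN)
    return {"smm_only": smm_only, "pr_cover": pr_cover, "locked": locked,
            # PRx ranges only count once FLOCKDN stops software rewriting them.
            "protected": smm_only or (pr_cover and locked)}

# Constructed samples: a 16 MiB part with the BIOS region at 0x500000-0xFFFFFF.
UNPROTECTED = SpiState(0x01, 0x0000, [0, 0, 0, 0, 0], 0x500000, 0xFFFFFF)
PARTIAL = SpiState(0x01, 0x8000, [0x8FFF0800, 0, 0, 0, 0], 0x500000, 0xFFFFFF)
HARDENED = SpiState(0x22, 0x8000, [0x8FFF0500, 0, 0, 0, 0], 0x500000, 0xFFFFFF)

if __name__ == "__main__":
    for name, state in [("unprotected", UNPROTECTED), ("partial", PARTIAL),
                        ("hardened", HARDENED)]:
        print(name, audit(state))
```

The `PARTIAL` sample shows the case a quick look misses: a locked protected range that starts above the BIOS region base still leaves the lower part of the region writable.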

Added: Aug 26, 2025, 4:49 PM
Updated: Aug 26, 2025, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.