Kapsch TrafficCom RIS-9260 RSU ADB Root Access Vulnerability
Vulnerability
A vulnerability in the Kapsch TrafficCom RIS-9260 roadside unit (RSU) allows unauthorized root access to the cellular modem via the Android Debug Bridge (ADB). This issue is present in versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. ADB is pre-installed and enabled by default, and the access can be exploited through the default 'kapsch' user.
Impact
Exploitation of this vulnerability provides root access to the cellular modem, which could be used to manipulate V2X communications and applications, potentially leading to safety risks.
Reproduction
The vulnerability can be reproduced by connecting to the RSU's micro-USB port with an ADB-enabled device. If physical access is not possible, the ADB root access can be obtained by installing a specific .deb package that includes platform-tools, which is available on the RSU's persistent storage.
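An audit for the two conditions described above (an ADB binary present on storage and a 'kapsch' account with a login shell), written as an added example that is not vendor or advisory code. It assumes the account is a standard /etc/passwd entry; the function names and the sample tree layout are constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch, not vendor code. Paths and function names are assumptions.

# List executable files named "adb" under directory $1.
find_adb() {
    find "$1" -type f -name adb -perm -100 2>/dev/null
}

# Succeed if account $2 in $1/etc/passwd has an interactive login shell.
has_login_account() {
    awk -F: -v u="$2" '
        $1 == u && $7 !~ /(nologin|false)$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1/etc/passwd" 2>/dev/null
}

# Print one line per finding for the tree rooted at $1; return 1 if any.
audit_rsu() {
    root=${1:-/}
    rc=0
    adb_paths=$(find_adb "$root") || true
    if [ -n "$adb_paths" ]; then
        printf '%s\n' "$adb_paths" | sed 's/^/FINDING adb-present: /'
        rc=1
    fi
    if has_login_account "$root" kapsch; then
        echo "FINDING default-account: kapsch has a login shell"
        rc=1
    fi
    return "$rc"
}

# Constructed sample tree (not real RSU contents) for an offline run.
build_demo_tree() {
    mkdir -p "$1/etc" "$1/persist/platform-tools"
    printf 'root:x:0:0::/root:/bin/sh\nkapsch:x:1000:1000::/home/kapsch:/bin/sh\n' \
        > "$1/etc/passwd"
    printf '#!/bin/sh\n' > "$1/persist/platform-tools/adb"
    chmod 755 "$1/persist/platform-tools/adb"
}

demo=$(mktemp -d)
build_demo_tree "$demo"
audit_rsu "$demo" || echo "review findings above"
rm -rf "$demo"
```

Pass the mount point of an extracted firmware image or the device root as the argument to `audit_rsu`; a non-zero return means at least one condition from the advisory is present.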
