Kapsch TrafficCom RIS-9160, RIS-9260, and RIS-9360 Roadside Units Weak Password Vulnerability in BIOS Supervisor and User Accounts

A vulnerability exists in Kapsch TrafficCom RIS-9160, RIS-9260, and RIS-9360 Roadside Units, all running versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. These units lack secure password requirements for the BIOS Supervisor and User accounts, which can be exploited by attackers to bypass authentication through brute force attacks. This weakness is particularly concerning given the critical role these units play in managing V2X communications for autonomous vehicles and traffic systems.

Impact

Exploitation of this vulnerability allows unauthorized access to the BIOS, where attackers can manipulate firmware settings or modify the operating system, potentially leading to persistent control over the device.

Reproduction

The vulnerability can be reproduced by accessing the BIOS setup of the affected RSUs. The default Supervisor and User passwords are cleared, and the BIOS allows passwords to be set. However, the default policy requires only a single character, creating an opportunity for weak passwords. Once the passwords are set, an attacker can use physical access to the unit to connect via UART, bypassing authentication and gaining access to the BIOS and firmware.