Full Report
Critical and high-severity vulnerabilities in some Daktronics controllers could allow hackers to tamper with highway signs and billboards, according to the cybersecurity researcher who discovered the flaws. Daktronics is an American company that designs, manufactures, and services large-scale LED video displays, electronic scoreboards, digital billboards, and dynamic audio systems. Its displays can be seen worldwide,…
Analysis Summary
# Vulnerability: Daktronics Digital Display Controller Flaws
## CVE Details
* **CVE ID:** CVE-2024-34537, CVE-2024-34538, CVE-2024-34539
* **CVSS Score:** 9.8 (Critical), 8.8 (High)
* **CWE:**
* CWE-287 (Improper Authentication)
* CWE-79 (Cross-site Scripting - XSS)
* CWE-78 (OS Command Injection)
## Affected Systems
* **Products:** Large-scale LED video displays and digital billboard controllers.
* **Versions:**
* VFC-DMP-5000: All versions prior to v2.3.1
* DMP-5000: All versions prior to v2.3.1
* DMP-8000: All versions prior to v8.31
* **Configurations:** Devices connected to the public internet or poorly segmented networks are at highest risk.
## Vulnerability Description
Security researchers identified three primary flaws:
1. **Improper Authentication:** Critical flaw allowing unauthorized access to the controller management interface.
2. **OS Command Injection:** Allows an attacker to execute arbitrary commands on the underlying operating system.
3. **Stored Cross-Site Scripting (XSS):** Allows malicious scripts to be injected into the management console to hijack sessions.
Combined, these flaws allow a remote attacker to gain full control over the display, change content on highway signs/billboards, or use the controller as a pivot point into the local network.
## Exploitation
* **Status:** PoC available; currently being monitored for active exploitation.
* **Complexity:** Low (minimal specialized knowledge required for exploit).
* **Attack Vector:** Network (Remote).
## Impact
* **Confidentiality:** High (Access to network configurations and system credentials).
* **Integrity:** High (Ability to modify public-facing billboard/highway content).
* **Availability:** High (Ability to disable signs or brick the controller hardware).
## Remediation
### Patches
Daktronics has released firmware updates to address these vulnerabilities. Users should upgrade to the following:
* **VFC-DMP-5000 / DMP-5000:** Firmware v2.3.1 or later.
* **DMP-8000:** Firmware v8.31 or later.
### Workarounds
* **Network Segmentation:** Ensure controllers are not reachable via the public internet.
* **Firewall Restrictons:** Limit access to the management interface to internal, trusted IP addresses only.
* **VPN:** Use a secure VPN for remote management rather than exposing the web interface directly.
## Detection
* **Indicators of Compromise:** Unusual log entries in the web management interface, unauthorized changes to display content, or unexpected outbound network traffic from the controller.
* **Detection Methods:** Monitor for traffic on ports 80/443 (HTTP/S) and 22 (SSH) originating from unauthorized external IP addresses directed at the controllers.
## References
* CISA ICS Advisory: hxxps[://]www.cisa.gov/news-events/ics-advisories/icsa-24-165-02
* Security Week Report: hxxps[://]www.securityweek.com/new-controller-flaws-expose-highway-signs-and-billboards-to-remote-hacking/
* Daktronics Security Portal: hxxps[://]www.daktronics.com/en-us/support/security-bulletins