New Controller Flaws Expose Highway Signs and Billboards to Remote Hacking

A Critical Vulnerability Affects Highway Signs and Billboards, Exposing Them to Remote Hacking Attacks

Highway signs and billboards around the world are potentially vulnerable to hacking attacks due to critical vulnerabilities in some Daktronics controllers. The cybersecurity researcher who discovered these flaws has warned that hackers could exploit them to tamper with what is displayed on these electronic displays, potentially leading to malicious or false information being shown to drivers.

Daktronics designs and manufactures large-scale LED video displays, electronic scoreboards, digital billboards, and dynamic audio systems that can be seen in high school gymnasiums, professional sports arenas, highways, international airports, and metropolitan areas. The company’s VFC-DMP-5000, DMP-5000, and DMP-8000 controllers are affected by three vulnerabilities: a path traversal issue that allows hackers to enumerate arbitrary file system paths without authentication, an authenticated arbitrary file upload issue, and default admin credentials that provide full system access.

If exploited, these vulnerabilities could give an attacker complete root-level access and control of the system. According to CISA’s advisory, successful exploitation could range from simple reconnaissance to full control of the device. In practical terms, this means hackers could tamper with what is displayed on billboards and roadway signage, potentially loading false or malicious messages.

The cybersecurity researcher who discovered these vulnerabilities, Thomas Jou, noted that it’s up to Daktronics customers rather than the vendor to ensure their installations are not exposed to the internet. Jou, an undergraduate at Princeton University, has identified multiple internet-exposed controllers, enabling hackers to exploit them remotely. He also praised Daktronics for its responsiveness in patching the vulnerabilities and coordinating customer notification.

Daktronics has released patches and advised users to change default passwords. However, the company has not responded to requests for comment on this issue. The vulnerability disclosure process was handled through CISA’s VINCE platform, which Jou credited with facilitating a smooth and collaborative process between himself, the vendor, and the agency.

For those responsible for managing electronic displays in public spaces, this is a timely reminder of the importance of regular security audits and patch management. These vulnerabilities may have been exploited to display false or malicious information on billboards and highway signs, potentially putting drivers at risk. To mitigate these risks, it’s essential to ensure that all internet-exposed controllers are properly secured with up-to-date firmware and default passwords changed regularly.


Source: SecurityWeek — 2026-06-30