This Little Light of Mine,
I'm Going to Get it Pwned.

GRRCON 2022 CVE PENDING

Joint research with Nick Schroeder examining critical security gaps in industrial lighting control systems deployed at high-profile landmarks, stadiums, and entertainment venues worldwide.

Video

Live demonstration of remotely controlling bridge lighting infrastructure. This demonstration was conducted legally with proper authorization.

Affected Systems

ETC Mosaic Controllers

MTPC, MSC VARIANTS

Architectural lighting control systems widely deployed in entertainment venues, museums, and architectural installations for DMX-based lighting automation.

Pharos LPC / TPC / MSC Controllers

LANDMARK & FACADE LIGHTING

Industrial controllers managing large-scale lighting installations on buildings, bridges, and public landmarks.

Vulnerability Details

Unauthenticated Information Disclosure

Mosaic and Pharos controllers display the controller type, software version, firmware version, and other identifying information without requiring a login.

EXPOSED INFORMATION INCLUDES:

  • Log files
  • Controller configuration
  • Network information
  • Project details
  • Locale information

Evidence screenshots (images not included in this text): exposed controller information; exposed network configuration; log file exposure; exposed project details.

Discovery Methods

// SHODAN QUERIES

http.favicon.hash:"990106254" ssl.cert.fingerprint:b517a7fac46335b3fbbd4e10fba6c809f471f6e8 http.html:"Next 3rd Quarter Moon"

// GOOGLE DORKS

"index.lsp" intext:"Next 3rd Quarter Moon"

Evidence screenshot (image not included in this text): Google search results showing exposed controllers.

Geographic Distribution

Approximately 50% of discovered devices were located in the United States. Belgium represented the second-highest concentration of exposed controllers.

Shodan screenshots (images not included in this text): geographic distribution map; device statistics.

Additional Evidence

Evidence screenshots (images not included in this text): controller web interface; configuration panel; real-world installation example.

Recommendations

  • Stop deploying internet-connected hardware lacking authentication
  • Implement vendor configuration best practices
  • Place ICS/lighting controllers behind VPN or firewall
  • Enable authentication on all web interfaces
  • Conduct regular external exposure audits
  • Monitor for unauthorized access attempts

// RESEARCHERS

NICK SCHROEDER

Security Researcher

CODY KRETSINGER

Principal Security Advisor


// DISCLOSURE STATUS

CVE PENDING
