Skip Links

Traffic sensor flaw that could allow driver tracking fixed

By Taylor Armerding, CSO
December 07, 2012 07:50 AM ET

CSO - Mobile security involves more than just keeping one's personal devices secure from hacks or other exploits. Threats can also come from the technology government uses to track and manage traffic flow.

Government needs cybersecurity doctrine

The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert last week over a vulnerability that it said impacts Post Oak Traffic AWAM Bluetooth Reader Systems. The system collects data from drivers who are using Bluetooth equipment, and uses it to calculate their speed and determine traffic conditions on a particular highway or road.

The alert said "insufficient entropy," or insecure encryption, in those roadway sensors could allow an attacker to impersonate the device, "obtain the credentials of administrative users and potentially perform a Man-in-the-Middle attack."

"This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data," the alert said.

It said the vulnerability could be exploited remotely, but that it would take a highly skilled attacker to do so. And both the company, Houston-based Post Oak Traffic Systems, and ICS-CERT said there had been no known breaches resulting from the problem.

Post Oak posted a statement Monday on its website saying it had addressed the "potential" vulnerability and that, "there were no known instances of breach that have occurred with any Post Oak Traffic powered system."

Mike Vickich, the company's chief technical officer and a senior analyst at Texas A&M Transportation Institute, told NextGov that the problem involved an issue with a Linux operating system component, SSH, that was only used during configuration of the device in the factory.

"Because this component is not employed in normal operation of the field units, there was extremely low probability (virtually no possibility) of any man-in-the-middle incursion," Vickich is reported to have said.

[See also: 16 ultimate SSH hacks]

Kevin Finisterre, senior research consultant at Accuvant LABS, is not convinced. "In a generic sense, overestimating the capabilities of one's own equipment when in contact with a determined hacker has often been the downfall of many a great product," he said. "If the functionality is there, often an attacker will find a way to invoke it even in those situations where it should have never been exposed."

Vickich also said there is no risk of drivers' travel habits being monitored or exposed. "The sensors themselves do not use SSH to transmit MAC addresses (Bluetooth ID numbers) over a network" he said. "In addition, an individual field device has no ability to ascertain traffic conditions or an individual's whereabouts."

But Finisterre said he conducted a research project a few years ago in which he used Bluetooth sniffers to derive the same data. The Post Oak, he said, has a better system.

"The privacy concerns could certainly be valid," he said. "Considering my previous, highly successful, amateur level attempts at tracking individuals, I would say a company with funding should be able to go hog wild on the concept."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News