Traffic sensor flaw that could allow driver tracking fixed

Mobile security involves more than just keeping one's personal devices secure from hacks or other exploits. Threats can also come from the technology government uses to track and manage traffic flow.

The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert last week over a vulnerability that it said impacts Post Oak Traffic AWAM Bluetooth Reader Systems. The system collects data from drivers who are using Bluetooth equipment, and uses it to calculate their speed and determine traffic conditions on a particular highway or road.

The alert said "insufficient entropy," or insecure encryption, in those roadway sensors could allow an attacker to impersonate the device, "obtain the credentials of administrative users and potentially perform a Man-in-the-Middle attack."

"This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data," the alert said.

It said the vulnerability could be exploited remotely, but that it would take a highly skilled attacker to do so. And both the company, Houston-based Post Oak Traffic Systems, and ICS-CERT said there had been no known breaches resulting from the problem.

Post Oak posted a statement Monday on its website saying it had addressed the "potential" vulnerability and that, "there were no known instances of breach that have occurred with any Post Oak Traffic powered system."

Mike Vickich, the company's chief technical officer and a senior analyst at Texas A&M Transportation Institute, told NextGov that the problem involved an issue with a Linux operating system component, SSH, that was only used during configuration of the device in the factory.

"Because this component is not employed in normal operation of the field units, there was extremely low probability (virtually no possibility) of any man-in-the-middle incursion," Vickich is reported to have said.

Kevin Finisterre, senior research consultant at Accuvant LABS, is not convinced. "In a generic sense, overestimating the capabilities of one's own equipment when in contact with a determined hacker has often been the downfall of many a great product," he said. "If the functionality is there, often an attacker will find a way to invoke it even in those situations where it should have never been exposed."

Vickich also said there is no risk of drivers' travel habits being monitored or exposed. "The sensors themselves do not use SSH to transmit MAC addresses (Bluetooth ID numbers) over a network," he said. "In addition, an individual field device has no ability to ascertain traffic conditions or an individual's whereabouts."

But Finisterre said he conducted a research project a few years ago in which he used Bluetooth sniffers to derive the same data. Post Oak, he said, has a better system.

"The privacy concerns could certainly be valid," he said. "Considering my previous, highly successful, amateur level attempts at tracking individuals, I would say a company with funding should be able to go hog wild on the concept."

But he said that does not necessarily mean users of Bluetooth devices should be overly concerned. "All of the places that your signal would be emitted are places where you are in plain view," he said. "Someone could just as easily follow you around with a camera all day to determine your habits."

"I would start being concerned if they stepped this up a notch and began actively scanning for open services on the Bluetooth devices that responded," Finisterre said.
