recommended reading

DHS: Hackers could manipulate highway sensors

Ryan McVay/Thinkstock

This story was updated to provide additional comment from Post Oak Traffic Systems.

The Homeland Security Department is warning local governments about flaws in a traffic monitoring system that could expose drivers’ travel habits.

Manufacturer Post Oak Traffic Systems used insecure encryption in roadway sensors designed to read data emitted by in-car Bluetooth equipment, such as hands-free cellphone tools, according to federal officials. As a result, hackers potentially could pry into traveler data through a “man-in-the-middle attack.”

The problem is that the roadside reader’s software generates encryption keys with “insufficient entropy,” meaning they are not complex enough to prevent hackers from decoding them. “This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data,” stated an alert issued by the DHS Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

Post Oak Traffic sensors are deployed mainly in the U.S. transportation sector, according to the company. The Virginia and Texas departments of transportation currently use the company’s surveillance systems, the Post Oak Traffic website states. 

On Monday, the company downplayed the risk of an intrusion. Post Oak Traffic officials published a notice on their site announcing “enhancements” to the software that address a glitch “that may have allowed skilled, unauthorized users to eavesdrop” during connections, but typically only when a device is being configured in the factory.

“There were no known instances of breaches that have occurred with any Post Oak Traffic powered system,” company officials added. Going forward, new devices will be shipped with firmware that plugs the vulnerability. Customers can contact the company to determine whether it is necessary to fix existing devices, officials said.

“Per the CERT bulletin, we have developed a patch for the vulnerability,” Mike Vickich, the company’s chief technical officer and a senior analyst at Texas A&M Transportation Institute, said in an email. The system is licensed from patent-pending technology developed by the institute.

The highway sensors detect individual cars by reading the unique ID number -- called a MAC address -- produced by a driver’s Bluetooth gadgets. The technology then transmits to a remote computer the time and location as the car passes the Bluetooth reader. By tracking the ID number as the car travels by multiple readers, the computer learns how fast the vehicle is moving. The system collects this type of information from other nearby cars that also are equipped with Bluetooth gadgets to derive average traffic conditions for a particular roadway.

The Bluetooth reader security issue was discovered by researchers from the University of California at San Diego and the University of Michigan.

Other investigators from UCSD and the University of Washington have demonstrated how a driver’s Bluetooth electronics can be hacked to hijack a car’s critical controls, including the brakes, and to eavesdrop on in-car conversations. There are no federal guidelines on cyber protections for automobiles.

On Tuesday, Vickich provided additional information: "The potential vulnerability discovered by US-CERT involved an issue with a Linux operating system component, SSH, that was only used during configuration of the device in the factory. Because this component is not employed in normal operation of the field units, there was extremely low probability (virtually no possibility) of any man-in-the-middle incursion. This would preclude any exposure of drivers travel habits as the sensors themselves do not use SSH to transmit MAC addresses over a network. In addition, an individual field device has no ability to ascertain traffic conditions or an individual's whereabouts," he said in an email. 

Threatwatch Alert

Software vulnerability

Malware Has a New Hiding Place: Subtitles

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.