recommended reading

DHS: Hackers could manipulate highway sensors

Ryan McVay/Thinkstock

This story was updated to provide additional comment from Post Oak Traffic Systems.

The Homeland Security Department is warning local governments about flaws in a traffic monitoring system that could expose drivers’ travel habits.

Manufacturer Post Oak Traffic Systems used insecure encryption in roadway sensors designed to read data emitted by in-car Bluetooth equipment, such as hands-free cellphone tools, according to federal officials. As a result, hackers potentially could pry into traveler data through a “man-in-the-middle attack.”

The problem is that the roadside reader’s software generates encryption keys with “insufficient entropy,” meaning they are not complex enough to prevent hackers from decoding them. “This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data,” stated an alert issued by the DHS Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

Post Oak Traffic sensors are deployed mainly in the U.S. transportation sector, according to the company. The Virginia and Texas departments of transportation currently use the company’s surveillance systems, the Post Oak Traffic website states. 

On Monday, the company downplayed the risk of an intrusion. Post Oak Traffic officials published a notice on their site announcing “enhancements” to the software that address a glitch “that may have allowed skilled, unauthorized users to eavesdrop” during connections, but typically only when a device is being configured in the factory.

“There were no known instances of breaches that have occurred with any Post Oak Traffic powered system,” company officials added. Going forward, new devices will be shipped with firmware that plugs the vulnerability. Customers can contact the company to determine whether it is necessary to fix existing devices, officials said.

“Per the CERT bulletin, we have developed a patch for the vulnerability,” Mike Vickich, the company’s chief technical officer and a senior analyst at Texas A&M Transportation Institute, said in an email. The system is licensed from patent-pending technology developed by the institute.

The highway sensors detect individual cars by reading the unique ID number -- called a MAC address -- produced by a driver’s Bluetooth gadgets. The technology then transmits to a remote computer the time and location as the car passes the Bluetooth reader. By tracking the ID number as the car travels by multiple readers, the computer learns how fast the vehicle is moving. The system collects this type of information from other nearby cars that also are equipped with Bluetooth gadgets to derive average traffic conditions for a particular roadway.

The Bluetooth reader security issue was discovered by researchers from the University of California at San Diego and the University of Michigan.

Other investigators from UCSD and the University of Washington have demonstrated how a driver’s Bluetooth electronics can be hacked to hijack a car’s critical controls, including the brakes, and to eavesdrop on in-car conversations. There are no federal guidelines on cyber protections for automobiles.

On Tuesday, Vickich provided additional information: "The potential vulnerability discovered by US-CERT involved an issue with a Linux operating system component, SSH, that was only used during configuration of the device in the factory. Because this component is not employed in normal operation of the field units, there was extremely low probability (virtually no possibility) of any man-in-the-middle incursion. This would preclude any exposure of drivers travel habits as the sensors themselves do not use SSH to transmit MAC addresses over a network. In addition, an individual field device has no ability to ascertain traffic conditions or an individual's whereabouts," he said in an email. 

Threatwatch Alert

Network intrusion / Software vulnerability

Hundreds of Thousands of Job Seekers' Information May Have Been Compromised by Hackers

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.