DHS: Hackers could manipulate highway sensors

This story was updated to provide additional comment from Post Oak Traffic Systems.

The Homeland Security Department is warning local governments about flaws in a traffic monitoring system that could expose drivers’ travel habits.

Manufacturer Post Oak Traffic Systems used insecure encryption in roadway sensors designed to read data emitted by in-car Bluetooth equipment, such as hands-free cellphone tools, according to federal officials. As a result, hackers potentially could pry into traveler data through a “man-in-the-middle attack.”

The problem is that the roadside reader’s software generates encryption keys with “insufficient entropy,” meaning they are not complex enough to prevent hackers from decoding them. “This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data,” stated an alert issued by the DHS Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

Post Oak Traffic sensors are deployed mainly in the U.S. transportation sector, according to the company. The Virginia and Texas departments of transportation currently use the company’s surveillance systems, the Post Oak Traffic website states. 

On Monday, the company downplayed the risk of an intrusion. Post Oak Traffic officials published a notice on their site announcing “enhancements” to the software that address a glitch “that may have allowed skilled, unauthorized users to eavesdrop” during connections, but typically only when a device is being configured in the factory.

“There were no known instances of breaches that have occurred with any Post Oak Traffic powered system,” company officials added. Going forward, new devices will be shipped with firmware that plugs the vulnerability. Customers can contact the company to determine whether it is necessary to fix existing devices, officials said.

“Per the CERT bulletin, we have developed a patch for the vulnerability,” Mike Vickich, the company’s chief technical officer and a senior analyst at Texas A&M Transportation Institute, said in an email. The system is licensed from patent-pending technology developed by the institute.

The highway sensors detect individual cars by reading the unique ID number -- called a MAC address -- produced by a driver’s Bluetooth gadgets. The technology then transmits to a remote computer the time and location as the car passes the Bluetooth reader. By tracking the ID number as the car travels by multiple readers, the computer learns how fast the vehicle is moving. The system collects this type of information from other nearby cars that also are equipped with Bluetooth gadgets to derive average traffic conditions for a particular roadway.

The Bluetooth reader security issue was discovered by researchers from the University of California at San Diego and the University of Michigan.

Other investigators from UCSD and the University of Washington have demonstrated how a driver’s Bluetooth electronics can be hacked to hijack a car’s critical controls, including the brakes, and to eavesdrop on in-car conversations. There are no federal guidelines on cyber protections for automobiles.

On Tuesday, Vickich provided additional information: "The potential vulnerability discovered by US-CERT involved an issue with a Linux operating system component, SSH, that was only used during configuration of the device in the factory. Because this component is not employed in normal operation of the field units, there was extremely low probability (virtually no possibility) of any man-in-the-middle incursion. This would preclude any exposure of drivers travel habits as the sensors themselves do not use SSH to transmit MAC addresses over a network. In addition, an individual field device has no ability to ascertain traffic conditions or an individual's whereabouts," he said in an email.