Traffic sensor flaw that could allow driver tracking fixed

The sensor's maker said there was little risk to the public, but one expert said privacy concerns 'could certainly be valid'

Mobile security involves more than just keeping one's personal devices secure from hacks or other exploits. Threats can also come from the technology government uses to track and manage traffic flow.

The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert last week over a vulnerability that it said impacts Post Oak Traffic AWAM Bluetooth Reader Systems. The system collects data from drivers who are using Bluetooth equipment, and uses it to calculate their speed and determine traffic conditions on a particular highway or road.

The alert said "insufficient entropy," or insecure encryption, in those roadway sensors could allow an attacker to impersonate the device, "obtain the credentials of administrative users and potentially perform a Man-in-the-Middle attack."

"This could allow the attacker to gain unauthorized access to the system and read information on the device, as well as inject data compromising the integrity of the data," the alert said.

It said the vulnerability could be exploited remotely, but that it would take a highly skilled attacker to do so. And both the company, Houston-based Post Oak Traffic Systems, and ICS-CERT said there had been no known breaches resulting from the problem.

Post Oak posted a statement Monday on its website saying it had addressed the "potential" vulnerability and that, "there were no known instances of breach that have occurred with any Post Oak Traffic powered system."

Mike Vickich, the company's chief technical officer and a senior analyst at Texas A&M Transportation Institute, told NextGov that the problem involved an issue with a Linux operating system component, SSH, that was only used during configuration of the device in the factory.

"Because this component is not employed in normal operation of the field units, there was extremely low probability (virtually no possibility) of any man-in-the-middle incursion," Vickich is reported to have said.

[See also: 16 ultimate SSH hacks]

Kevin Finisterre, senior research consultant at Accuvant LABS, is not convinced. "In a generic sense, overestimating the capabilities of one's own equipment when in contact with a determined hacker has often been the downfall of many a great product," he said. "If the functionality is there, often an attacker will find a way to invoke it even in those situations where it should have never been exposed."

Vickich also said there is no risk of drivers' travel habits being monitored or exposed. "The sensors themselves do not use SSH to transmit MAC addresses (Bluetooth ID numbers) over a network" he said. "In addition, an individual field device has no ability to ascertain traffic conditions or an individual's whereabouts."

But Finisterre said he conducted a research project a few years ago in which he used Bluetooth sniffers to derive the same data. The Post Oak, he said, has a better system.

"The privacy concerns could certainly be valid," he said. "Considering my previous, highly successful, amateur level attempts at tracking individuals, I would say a company with funding should be able to go hog wild on the concept."

But he said that does not necessarily mean users of Bluetooth devices should be overly concerned. "All of the places that your signal would be emitted are places where you are in plain view," he said. "Someone could just as easily follow you around with a camera all day to determine your habits."

"I would start being concerned if they stepped this up a notch and began actively scanning for open services on the Bluetooth devices that responded," Finisterre said.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)