Establishing Digital Trust: Don't Sacrifice Security for Convenience
The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently published an advisory [PDF file] warning of a vulnerability in a Bluetooth traffic monitoring product provided by Post Oak Traffic Systems. The advisory notes that Post Oak has developed a patch for the product that mitigates the vulnerability.
"The highway sensors detect individual cars by reading the unique ID number -- called a MAC address -- produced by a driver’s Bluetooth gadgets," writes Nextgov's Aliya Sternstein. "The technology then transmits to a remote computer the time and location as the car passes the Bluetooth reader. By tracking the ID number as the car travels by multiple readers, the computer learns how fast the vehicle is moving. The system collects this type of information from other nearby cars that also are equipped with Bluetooth gadgets to derive average traffic conditions for a particular roadway."
"An independent research group, said CERT on Nov. 30, identified an insufficient entropy vulnerability in authentication key generation in Post Oak’s AWAM Bluetooth Reader Traffic System," writes Government Security News' Mark Rockwell. "By impersonating the device, said CERT, an attacker could obtain the credentials of the system's administrative users and potentially perform a Man-in-the-Middle (MitM) attack, intercepting communications within the organization."
The company has published a notice on its Web site stating that recent enhancements have increased the security of its Bluetooth software. "As part of our continuous improvement process, this enhancement addresses a potential vulnerability that may have allowed skilled, unauthorized users to eavesdrop during a remote connection typically used only during the short time period of device configuration in the factory," the statement reads. "This vulnerability did not apply during normal operation of the unit or during transmittal of traffic data from field to host. There were no known instances of breach that have occurred with any Post Oak Traffic powered system."