A system used to monitor traffic patterns on roadways in several states was recently discovered to have a flaw that could allow an attacker to eavesdrop on its transmissions. A report from the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) noted that all versions of the Anonymous Wireless Address Matching (AWAM) Bluetooth Reader Traffic System from manufacturer Post Oak generated their cryptographic keys with insufficient entropy, meaning that a skilled attacker could remotely perform a man-in-the-middle (MitM) attack.
The AWAM Bluetooth reader system tracks traffic patterns by detecting the unique MAC address of Bluetooth-enabled devices, such as hands-free cell phone accessories, aboard vehicles. By tracking the time it takes for the device to pass between two checkpoints and averaging the speed with that of other vehicles, the system can determine roadway conditions, Jalopnik explained. Several municipalities, including Houston, use the technology as it provides a much cheaper alternative to traditional systems such as Automatic Vehicle Identification (AVI).
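The travel-time matching described above, as an added illustration that is not code from the page or from Post Oak: each checkpoint reports the time it saw a device address, the address is replaced by a salted hash so the raw MAC never leaves the roadside unit, and a device seen first at checkpoint A and later at checkpoint B yields one travel time. The sightings, the 2 km segment length and the salt are all constructed for the example.

```python
import hashlib
from statistics import mean

# Constructed sightings: (checkpoint_id, epoch seconds, MAC address).
# Device ...:99 is only ever seen at the downstream checkpoint, so it never matches.
SIGHTINGS = [
    ("CP_A", 1000.0, "AA:BB:CC:DD:EE:01"),
    ("CP_A", 1005.0, "AA:BB:CC:DD:EE:02"),
    ("CP_A", 1010.0, "AA:BB:CC:DD:EE:03"),
    ("CP_B", 1120.0, "aa:bb:cc:dd:ee:01"),  # 120 s after its CP_A sighting
    ("CP_B", 1155.0, "AA:BB:CC:DD:EE:02"),  # 150 s after its CP_A sighting
    ("CP_B", 1300.0, "AA:BB:CC:DD:EE:99"),  # no upstream sighting: ignored
]
SEGMENT_LENGTH_KM = 2.0                  # assumption: distance between CP_A and CP_B
SALT = b"per-deployment-secret"           # assumption: secret kept off the wire and rotated


def anonymize(mac: str) -> str:
    """Keyed one-way hash of the MAC so matching works without storing the address."""
    return hashlib.sha256(SALT + mac.upper().encode()).hexdigest()[:16]


def match_travel_times(sightings, origin="CP_A", dest="CP_B", max_travel_s=900):
    """Pair each anonymized device's first origin sighting with its next dest sighting.

    Returns the list of travel times in seconds. Pairs that are out of order or
    slower than max_travel_s (stopped vehicle, re-detected next day) are dropped.
    """
    first_seen = {}
    times = []
    for checkpoint, t, mac in sorted(sightings, key=lambda s: s[1]):
        token = anonymize(mac)
        if checkpoint == origin:
            first_seen.setdefault(token, t)        # keep the earliest origin sighting
        elif checkpoint == dest and token in first_seen:
            dt = t - first_seen.pop(token)
            if 0 < dt <= max_travel_s:
                times.append(dt)
    return times


def segment_speed_kmh(times, length_km=SEGMENT_LENGTH_KM):
    """Average of the per-vehicle speeds, or None if nothing matched."""
    if not times:
        return None
    return mean(length_km / (dt / 3600.0) for dt in times)


if __name__ == "__main__":
    travel = match_travel_times(SIGHTINGS)
    print("matched travel times (s):", travel)
    print("segment speed (km/h):", segment_speed_kmh(travel))
```

The hash token is what crosses the backhaul link between readers and the central server; with the salt held only on the readers, an observer of that link learns timings but not the addresses behind them.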
Although the data is transmitted anonymously, weak encryption could allow a skilled attacker to determine the authentication key from reused or non-unique host keys and gain access to system data and settings. An attacker could then inject information to compromise the integrity of the system’s data. No known public exploits target the vulnerability, and Post Oak has since released a patch that will be remotely installed on existing equipment.
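Reused host keys are something an asset owner can check for across a fleet without any vendor cooperation. The following is an added example, not code from the page or from Post Oak: it parses inventory lines in the `host keytype base64-blob` layout that `ssh-keyscan` prints, computes OpenSSH-style SHA256 fingerprints, and reports every fingerprint shared by more than one device. The hostnames and key blobs are constructed (the blobs are short placeholder bytes, not real keys).

```python
import base64
import hashlib
from collections import defaultdict

# Constructed inventory in ssh-keyscan output layout. sensor-01 and sensor-02
# deliberately carry the same (placeholder) key blob.
INVENTORY = """\
sensor-01.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQDF
sensor-02.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQDF
sensor-03.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQEG
# comment line emitted by the scan tool
sensor-04.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcx
"""


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw blob)) without '=' padding."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_inventory(text: str):
    """Yield (host, keytype, fingerprint) for each well-formed, non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue                      # malformed line: skip rather than guess
        host, keytype, blob = parts[0], parts[1], parts[2]
        entries.append((host, keytype, fingerprint(blob)))
    return entries


def find_reused_keys(entries):
    """Map (keytype, fingerprint) -> sorted hosts, for fingerprints seen on 2+ hosts."""
    by_fp = defaultdict(list)
    for host, keytype, fp in entries:
        by_fp[(keytype, fp)].append(host)
    return {k: sorted(v) for k, v in by_fp.items() if len(v) > 1}


if __name__ == "__main__":
    for (keytype, fp), hosts in find_reused_keys(parse_inventory(INVENTORY)).items():
        print(f"{keytype} {fp} shared by: {', '.join(hosts)}")
```

Any shared fingerprint means a private key that is not unique to one device, which is exactly the precondition the advisory describes; those units are candidates for re-keying or for the vendor's patch.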
“As part of our continuous improvement process, this enhancement addresses a potential vulnerability that may have allowed skilled, unauthorized users to eavesdrop during a remote connection typically used only during the short time period of device configuration in the factory,” Post Oak said on its website, adding that the data an attacker could access was relatively benign.
ICS-CERT noted that asset owners should take the opportunity to examine other potential cybersecurity risks in control system devices. The agency noted that critical devices should not directly face the internet and should be isolated from business networks. It also advised taking a holistic, “defense-in-depth” approach to industrial control system security.
One way vendors can strengthen the security of embedded software in devices such as traffic sensors is by using source code analysis. By catching security errors before their products reach the market, companies can avoid the logistical and public relations burden of needing to issue patches for defective equipment.
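As an added example of the kind of defect source code analysis is meant to catch before shipping (this is illustrative code, not Post Oak's firmware or Klocwork's analyzer): the "before" function derives key material from a general-purpose PRNG seeded with a low-entropy value, so every unit that starts from the same value produces the same key, while the "after" function draws from the operating system's CSPRNG. A small AST-based check then flags the seeding pattern in a constructed source snippet, the way a static analysis rule would.

```python
import ast
import os
import random

KEY_BYTES = 32


def weak_device_key(boot_counter: int) -> bytes:
    """'Before' pattern: deterministic PRNG seeded from a low-entropy source.

    Two devices with the same boot_counter get byte-identical keys.
    """
    rng = random.Random(boot_counter)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_device_key() -> bytes:
    """'After' pattern: key material from the OS CSPRNG (os.urandom)."""
    return os.urandom(KEY_BYTES)


def distinct_keys(n: int, keygen) -> int:
    """Simulate n devices running keygen and count how many distinct keys result."""
    return len({keygen() for _ in range(n)})


# Constructed source snippet for the static check below (hypothetical product code).
WEAK_SNIPPET = """\
import random
def make_key(serial):
    rng = random.Random(serial)
    return bytes(rng.getrandbits(8) for _ in range(32))
"""


def flag_weak_seeding(source: str):
    """Return line numbers of random.Random(...) / random.seed(...) calls.

    A real analyzer would also track data flow into the key; this rule only
    spots the seeding call itself.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "random"
                and node.func.attr in {"Random", "seed"}):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    print("distinct weak keys across 5 units :", distinct_keys(5, lambda: weak_device_key(1)))
    print("distinct strong keys across 5 units:", distinct_keys(5, strong_device_key))
    print("weak seeding flagged on lines      :", flag_weak_seeding(WEAK_SNIPPET))
```

The fleet simulation makes the advisory's "non-unique host keys" concrete: the weak generator yields one key for all five units, the CSPRNG-backed one yields five.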
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.