[cryptography] OT: Traffic sensor flaw that could allow driver tracking fixed

Jeffrey Walton noloader at gmail.com
Thu Dec 6 16:45:58 EST 2012

It's amazing where these defects show up. I think Morris was right
with his three laws.

I also believe this was an direct application of "Mining Your Ps and
Qs: Detection of Widespread Weak Keys in Network Devices." The same
authors are responsible for the paper, the advisory and the proof of
concept against the traffic system.


Mobile security involves more than just keeping one's personal devices
secure from hacks or other exploits. Threats can also come from the
technology government uses to track and manage traffic flow.

The Department of Homeland Security's (DHS) Industrial Control Systems
Cyber Emergency Response Team (ICS-CERT) issued an alert last week
over a vulnerability that it said impacts Post Oak Traffic AWAM
Bluetooth Reader Systems. The system collects data from drivers who
are using Bluetooth equipment, and uses it to calculate their speed
and determine traffic conditions on a particular highway or road.

The alert said "insufficient entropy," or insecure encryption, in
those roadway sensors could allow an attacker to impersonate the
device, "obtain the credentials of administrative users and
potentially perform a Man-in-the-Middle attack."

"This could allow the attacker to gain unauthorized access to the
system and read information on the device, as well as inject data
compromising the integrity of the data," the alert said.

More information about the cryptography mailing list