Bluetooth-Sniffing Highway Traffic Monitors Vulnerable to MITM Attack

A system that monitors traffic patterns by pinging Bluetooth devices carried within passing automobiles is vulnerable to man in the middle attacks that could allow a remote attacker to steal data or remotely control or disable systems used to monitor freeways across the U.S., according to an alert from the Department of Homeland Security’s Industrial Control System Computer Emergency Readiness Team (ICS-CERT).

AWAM Bluetooth Reader Traffic System
Roadside AWAM devices could be vulnerable to man-in-the-middle attacks.

ICS-CERT issued an advisory on Friday for customers who use Bluetooth-based traffic systems from the firm Post Oak Traffic Systems. Post Oak’s AWAM Bluetooth Reader Traffic Systems do not properly generate authentication keys used to secure communications. That could allow an attacker to calculate the private key used by the AWAM reader, then use those to impersonate the device, siphoning off administrative credentials that would give them direct access to the traffic monitoring system, DHS warned.

Post Oak’s Anonymous Wireless Address Matching (AWAM) devices are installed at the roadside and detect passing vehicles by pinging Bluetooth-enabled devices being carried inside the vehicles, like mobile phones, mobile GPS systems and in-vehicle navigation systems, according to Post Oak marketing materials. The technology is used by the City of Houston and powers sites like this traffic information portal run by Houston TranStar. The devices are less expensive to deploy than competing technology that doesn’t use Bluetooth, and provide round-the-clock data on traffic patterns. Post Oak claims that the data collected is anonymous and that communications between the roadside monitoring stations and the central management system are secure.

“The sensors collect anonymous data that cannot be used to gather personal information. All data collected by the sensors are encrypted upon receipt before being sent to TranStar for processing. The information can be viewed on Houston TranStar’s website,” said a May, 2011 press release from TranStar on the system.

But researchers from the University of California at San Diego and the University of Michigan found that the Post Oak system isn’t as secure as promised. The AWAM Bluetooth Reader Traffic System doesn’t use sufficient entropy when generating authentication and host keys that are used to secure communications to and from the devices. In other words: the supposedly random keys aren’t really random. That means a knowledgeable attacker could guess the host key of reused or non-unique host keys, then carry out a man-in-the-middle attack against the traffic monitoring system.

Inside a AWAM device

No exploits of the vulnerability in the Post Oak system are known to exist. The Post Oak systems aren’t alone in having faulty . In fact, the discovery of the security hole stems from a global survey of 5.8 million unique TLS certificates from 12.8 million hosts and 6.2 million unique SSH host keys from 10.2 million hosts. In a paper released in July (PDF), the researchers behind that study found that  at least 5.57% of TLS hosts and 9.60% of SSH hosts use the same keys as other hosts in an apparently vulnerable manner.  In many cases, that was the result of manufacturer-default keys that were never changed by the owner. But the researchers also found systems that generated the same keys as one or more other hosts due to malfunctioning random number generators. The researchers said they were able to take advantage of insufficient entropy to compute the private keys for 64,000 (0.50%) of the TLS hosts and 108,000 (1.06%) of the SSH hosts identified in the scan by exploiting known weaknesses of RSA and DSA when used with insufficient randomness. The researchers said that many of the vulnerable systems they detected were embedded devices like the AWAM Bluetooth Readers.

Their paper – Mining Your P’s and Q’s: Detection of Widespread Weak Keys In Network Devices” – was just the latest scholarly publication to poke a hole in the security of PKI and other encryption systems that secure online communications. In February, a team of American and European cryptographers used a similar methodology – surveying a collection of some seven million encryption keys used to secure e-mail and online transactions to find that a small percent of the public keys they studied were not random and, therefore, were vulnerable to compromise.

Post Oak has developed a patch for the AWAM Bluethooth Reader Traffic System that will add the necessary randomness when generating host and authentication keys, according to ICS-CERT. The company said it will offer the patch to customers, who can use remote management systems to update systems deployed in the field. ICS-CERT encouraged Post Oak customers to minimize network exposure for vulnerable systems and to protect devices from remote access using a firewall.

Comments are closed.