Bluetooth Sniffing Traffic Sensors Vulnerable to Man in the Middle Attacks

chicksdaddy (814965) writes | about 2 years ago

Government 0

chicksdaddy writes "As cities everywhere try to use technology to solve chronic traffic congestion problems, Bluetooth sniffing highway traffic monitors are all the rage. Inexpensive and easy to deploy, these roadside devices monitor traffic congestion in real time by detecting the signal from Bluetooth devices like smart phones and dash-mounted GPS devices as the vehicles they're carried in pass the sensors. By tracking the time it takes for the device to move between sensors, cities can detect how fast traffic is flowing.

The sensors are a boon to transportation departments: providing almost realtime data on traffic flows and road congestion. But what about the *ahem* privacy issues?

The device makers have assured the public that there's nothing to worry about. Bluetooth data is anonymous and, besides, any data that is collected is encrypted before being transmitted to the central traffic management system.

Except that...this is software, right? Right. No surprise then, that ICS-CERT issued an advisory on Friday for customers who use Bluetooth-based traffic systems from the firm Post Oak Traffic Systems. According to CERT, Post Oak’s Anonymous Wireless Address Matching (AWAM) Bluetooth Reader Traffic Systems do not properly generate authentication keys used to secure communications, Security Ledger reports.

Researchers from the University of California at San Diego and the University of Michigan found that the AWAM Bluetooth Reader Traffic System doesn’t use sufficient entropy when generating authentication and host keys that are used to secure communications to and from the devices. In other words: the supposedly random keys aren’t really random. A knowledgeable and motivated attacker could guess the host key of reused or non-unique host keys, then carry out a man-in-the-middle attack against the traffic monitoring system. That could allow an attacker to calculate the private key used by the AWAM readers, which are used in Houston, Texas and other cities, then use those to impersonate the device, siphoning off administrative credentials that would give them direct access to the traffic monitoring system."
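A defender's check for the reused or non-unique host keys described in the submission, as an added example that is not part of the original post or the advisory: it groups ssh-keyscan-style lines by key fingerprint and reports any key seen on more than one device. The host names and key blobs are constructed, and the scan-line format (host, key type, base64 key) is an assumption about how an operator would collect the keys.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_lines):
    """Return {(key_type, fingerprint): [hosts]} for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: need host, key type, key blob
        host, key_type, key_b64 = fields[:3]
        try:
            fp = fingerprint(key_b64)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # key blob is not valid base64
        hosts_by_key[(key_type, fp)].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def _blob(label: str) -> str:
    """Build a constructed stand-in key blob (not a real public key)."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample input: reader-01 and reader-03 present the same key.
SAMPLE_SCAN = [
    "# constructed ssh-keyscan style output",
    f"reader-01.example ssh-rsa {_blob('constructed-key-A')}",
    f"reader-02.example ssh-rsa {_blob('constructed-key-B')}",
    f"reader-03.example ssh-rsa {_blob('constructed-key-A')}",
    "reader-04.example ssh-rsa not*base64",
]

if __name__ == "__main__":
    for (key_type, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{key_type} {fp} shared by: {', '.join(hosts)}")
```

Any device pair reported here should have its host keys regenerated once the device has a properly seeded random source.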
