chicksdaddy writes "As cities everywhere try to use technology to solve chronic traffic congestion problems, Bluetooth-sniffing highway traffic monitors are all the rage (http://yro.slashdot.org/story/12/11/28/2318245/bluetooth-used-to-track-traffic-times). Inexpensive and easy to deploy, these roadside devices monitor traffic congestion in real time by detecting the signal from Bluetooth devices like smart phones and dash-mounted GPS devices as the vehicles they're carried in pass the sensors. By tracking the time it takes for the device to move between sensors, cities can detect how fast traffic is flowing.
The sensors are a boon to transportation departments, providing almost real-time data on traffic flows and road congestion. But what about the *ahem* privacy issues?
The device makers have assured the public that there's nothing to worry about. Bluetooth data is anonymous and, besides, any data that is collected is encrypted before being transmitted to the central traffic management system.
Except that...this is software, right? Right. No surprise then, that ICS-CERT issued an advisory on Friday for customers who use Bluetooth-based traffic systems from the firm Post Oak Traffic Systems. According to CERT, Post Oak’s Anonymous Wireless Address Matching (AWAM) Bluetooth Reader Traffic Systems do not properly generate authentication keys used to secure communications, Security Ledger reports.
Researchers from the University of California at San Diego and the University of Michigan found that the AWAM Bluetooth Reader Traffic System doesn’t use sufficient entropy when generating authentication and host keys that are used to secure communications to and from the devices. In other words: the supposedly random keys aren’t really random. A knowledgeable and motivated attacker could guess the host key of reused or non-unique host keys, then carry out a man-in-the-middle attack against the traffic monitoring system. That could allow an attacker to calculate the private key used by the AWAM readers, which are used in Houston, Texas and other cities, then use those to impersonate the device, siphoning off administrative credentials that would give them direct access to the traffic monitoring system."