Highway traffic systems deployed across the United States could be open exploit via what a group of researchers has deemed an “insufficient entropy vulnerability” in the systems’ software.
According to an advisory (.PDF) issued late last week by the U.S. Industrial Control System Computer Emergency Readiness Team (ICS-CERT), systems built by the Houston, Tex. based company Post Oak Traffic Systems could allow unauthorized access. In particular, the company’s traffic monitoring systems that rely on Anonymous Wireless Address Matching (AWAM) Bluetooth readers that appear to be in danger.
These readers generally gather information about traffic patterns and other highway data via cars with Bluetooth technology enabled.
The problem lies in the way the system handles authentication key generation. It’s possible that an attacker could get into the system and read information on the device in addition to accessing its data and settings if they correctly determined keys from “reused or nonunique” host keys.
The insufficient entropy vulnerability could allow a skilled attacker to trick the device into thinking it was being accessed by an administrative user and open it up to a man-in-the-middle attack.
The vulnerability was initially detailed in a paper, “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices,” (.PDF) over the summer by researchers at the University of California, San Diego and the University of Michigan.
While ICS-CERT asserts there aren’t any known public exploits against the systems, the advisory notes the systems could be exploited remotely.
Meanwhile, Post Oak claims it has fixed the problem and “released an updated firmware version that mitigates the vulnerability.” Once the patch is applied, the firmware update ensures sufficient entropy exists before host and authentication keys are generated.