SANRAL may be breathing a sigh of relief over news that the DA’s proposal to have e-tolls declared unconstitutional was thrown out by the High Court today, but that moment of respite won’t last long. ITWeb journalist Jon Tullett, a man with a terrifyingly comprehensive knowledge of IT security processes and issues, says that the e-toll system has a flaw so severe that anyone can spy on registered road users’ movements, pretty much in real time.

Tullett doesn’t go into specifics as to how to access that information, but says that it involves altering the details of a web form before it is submitted and is considered “trivial”. It appears to involve grabbing the source code from an e-toll login page and making simple text changes.

Retrieving a motorist’s balance is very simple. The site’s billing page embeds the licence number as a hidden field, which can be trivially modified before the form is submitted. The site then fails to validate that the licence number is correct, instead offering up the other vehicle’s outstanding balance.
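The missing check described above, shown as an added example that is not taken from the e-toll site or from Tullett's article: a balance lookup that trusts the hidden field, beside one that authorises the licence number against the logged-in account. All names, account IDs, licence numbers and balances are constructed for illustration.

```python
# Added illustration: constructed data and hypothetical names throughout.
from dataclasses import dataclass

# Constructed sample records: which licence numbers each account registered,
# and the outstanding balance per licence number.
ACCOUNT_VEHICLES = {
    "acct-1001": {"ABC123GP"},
    "acct-2002": {"XYZ789GP"},
}
BALANCES = {"ABC123GP": 152.40, "XYZ789GP": 87.10}


class Forbidden(Exception):
    """Raised when the session may not view the requested vehicle."""


@dataclass
class Session:
    account_id: str  # set by the server at login, never read from the form


def balance_vulnerable(session: Session, form: dict) -> float:
    # The flaw: the hidden field is trusted as-is, so whatever licence
    # number the client submits is looked up, regardless of who is logged in.
    return BALANCES[form["licence_number"]]


def balance_hardened(session: Session, form: dict) -> float:
    # Authorise against server-side state: the licence number must belong
    # to the account bound to the authenticated session.
    licence = form.get("licence_number", "")
    owned = ACCOUNT_VEHICLES.get(session.account_id, set())
    if licence not in owned:
        # Same error for "not yours" and "not registered", so the response
        # does not confirm which licence numbers exist in the system.
        raise Forbidden("vehicle not registered to this account")
    return BALANCES[licence]
```

A hidden form field is client-controlled input like any other; the ownership check has to run on the server for every request that names a vehicle.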

Tullett goes on to say that by cross-referencing changes in the balance with the various charges at e-toll gantries you can build up a profile of a vehicle’s movements. Not only is this a potential breach of the right to privacy, it’s also useful for “employers, spouses, or potential criminals” who want to know where you are and where you’ve been.

According to Tullett, SANRAL’s response is the one now familiar to anyone who’s reported security issues to the firm: an accusation that you’ve ‘hacked’ the system and an abrupt slamming down of the phone.

The full piece is over here, and makes for mesmerising reading.

 

Adam is the Editorial Director at htxt media. He has been writing about technology for almost two full decades now. In a previous life, he was the editor of PC Format and Digital Camera Shopper in the UK, before going on to work as a freelance journalist for seven years. His work has appeared in or on Stuff, The Guardian, Linux Format, TechRadar, Wired.co.uk, PC Gamer, Green Futures, The Journalist, The Ecologist and The Review. Adam moved to South Africa in 2012 and loves 3D printers, MakerFairs and tech hubs. He hates seafood. None of his friends remember this when cooking.