SANRAL may be breathing a sigh of relief over news that the DA’s proposal to have e-tolls declared unconstitutional was thrown out by the High Court today, but that moment of respite won’t last long. ITWeb journalist Jon Tullett, a man with a terrifyingly comprehensive knowledge of IT security processes and issues, says that the e-toll system has a flaw so severe that anyone can spy on registered road users’ movements, pretty much in real time.
Tullett doesn’t go into specifics as to how to access that information, but says that it involves altering the details of a web form before it is submitted and is considered “trivial”. It appears to involve grabbing the source code from an e-toll login page and making simple text changes.
Retrieving a motorist’s balance is very simple. The site’s billing page embeds the licence number as a hidden field, which can be trivially modified before the form is submitted. The site then fails to validate that the licence number is correct, instead offering up the other vehicle’s outstanding balance.
Tullett goes on to say that by cross-referencing changes in the balance with the various charges at e-toll gantries you can build up a profile of a vehicle’s movements. Not only is this a potential breach of the right to privacy, it’s also useful for “employers, spouses, or potential criminals” who want to know where you are and where you’ve been.
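As an added illustration (not code from the article, from Tullett or from SANRAL), here is the server-side pattern the two paragraphs above describe, a balance lookup that trusts a hidden licence-number field, beside a hardened version that ties the lookup to the logged-in account and records refused lookups so that a user probing many licence numbers stands out. The account table, licence numbers and balances are constructed sample data.

```python
# Constructed sample data (not real SANRAL records): outstanding balance per
# licence number, and which login is entitled to see which vehicles.
BALANCES = {"ABC123GP": 412.50, "XYZ789GP": 1530.00}
ACCOUNT_VEHICLES = {"user_a": {"ABC123GP"}, "user_b": {"XYZ789GP"}}

# Audit trail of refused lookups: (user, licence_requested).
REFUSED = []


def balance_vulnerable(session, form):
    """The pattern described in the article: the licence number arrives in a
    hidden form field and is used as-is, so the server never checks that the
    vehicle belongs to the account that submitted the form."""
    licence = form["licence"]
    return BALANCES.get(licence)


def balance_hardened(session, form):
    """Authorisation check: the licence number in the form must be one of the
    vehicles linked to the authenticated account. Anything else is refused
    and logged, with the same response for unknown and foreign vehicles so
    the endpoint does not confirm which licence numbers exist."""
    user = session.get("user")
    licence = form.get("licence", "")
    if user is None or licence not in ACCOUNT_VEHICLES.get(user, set()):
        REFUSED.append((user, licence))
        return None
    return BALANCES[licence]


def lookups_refused_per_user():
    """Detection helper: count refused lookups per account. A single account
    collecting refusals across many distinct licence numbers is the
    enumeration behaviour the article warns about."""
    counts = {}
    for user, _licence in REFUSED:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    session_a = {"user": "user_a"}
    print(balance_vulnerable(session_a, {"licence": "XYZ789GP"}))  # leaks user_b's balance
    print(balance_hardened(session_a, {"licence": "XYZ789GP"}))    # None, and logged
    print(lookups_refused_per_user())
```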
According to Tullett, SANRAL’s response is the one now familiar to anyone who’s reported security issues to the firm: an accusation that you’ve ‘hacked’ the system and an abrupt slamming down of the phone.
The full piece is over here, and makes for mesmerising reading.