E-toll registrations leave info vulnerable

Johannesburg, 16 Oct 2013
Sanral's e-toll portal allows someone else on the same network to access others' accounts.
Sanral's e-toll portal allows someone else on the same network to access others' accounts.

A reader has alerted ITWeb to a security flaw in the e-tolls Web site that could allow attackers to capture personal information such as identity numbers, car registration details, physical and e-mail addresses, as well as cellphone numbers.

News of this flaw, which was allegedly disclosed to the South African Roads Agency (Sanral) more than a year ago, comes as government ramps up its charm offensive to persuade Gauteng commuters to register and get e-tags. Some 600 000 motorists are believed to have purchased e-tags to date.

Fortunately, the attack is not simple and is greatly limited in scope. While the episode reflects poorly on Sanral, the risk to e-toll customers is small. An attacker would have to be present on the same physical network as the e-toll user and conduct a comprehensive man-in-the-middle attack, in which case far more than e-toll data would be at risk.

The reader tells ITWeb that he alerted Sanral to the security flaw last May, but that nothing has been done about it. The reader, who operates in the IT security sector, says it took him 30 minutes to exploit vulnerabilities in the site. The reader's identity is known to ITWeb, but he requested to remain anonymous.

After a City of Johannesburg resident pointed out that its electronic billing site made users' details available to anyone with an Internet connection, the city reacted by handing the matter over to the police and threatened to sue the alleged hacker.

The Sanral attack, using a technique known as "session fixation", works by intercepting the user's communication with the Sanral Web site and injecting a cookie with a session ID known to the attacker, who can then access the user's e-toll page without logging in. The site trusts what appears to be a valid pre-existing cookie, instead of resetting it each time the user logs in.

Sanral claims it was not aware of the problem, adding that it takes the security of the information it receives "very seriously. We carry out regular penetration testing on our system components and have state-of-the-art firewall and intrusion prevention systems in place."

Sanral says it is not aware of a problem being logged with its helpdesk, although the reader has shown ITWeb a log indicating the agency was notified on 17 May last year.

Low levels of concern

Dominic White, CTO of SensePost, says the attack is not a critical vulnerability due to its limited real-world risk, and cannot be done remotely as someone would have to be on the same network segment as the person logging in, even in an Internet caf'e or WiFi connection. The flaw could easily be fixed by Sanral, he adds.

The flaw in Sanral's e-toll portal is known as session fixation and is not considered critical, says Sensepost CTO Dominic White.
The flaw in Sanral's e-toll portal is known as session fixation and is not considered critical, says Sensepost CTO Dominic White.

Swift Consulting CEO Liron Segev says the attack is not currently something a layman could do as it would require knowledge and persistence. Yet, says Segev, third-parties should not have access to that sort of information and the flaw is a valid security concern as it exposes data that should not be exposed.

However, Gavin Heatherington, group MD of Neworder Industries, says this sort of attack is "very easy" although it takes a bit of time. He adds the flaw is a "massive issue" as the Protection of Personal Information Bill is "knocking on the door".

The pending law, which has to be inked by the president, is SA's first piece of comprehensive legislation dealing with how people's information must be stored and protected. Any breaches will have to be made public, and failing to abide by the law's stipulations could see companies or entities fined.

Hacking e-toll sessions

The attack in question is accomplished by establishing a man-in-the-middle attack against a target, such as ARP poisoning on a wired network, or SSID hijacking on a wireless network. With the victim's traffic now flowing through the attacker's PC, Web data can be modified without the user's knowledge.

Although the e-toll login process is secured with https, making an attack much more difficult and easy to spot, the Sanral homepage is not secured, allowing the attacker to tamper with it.

When the user first browses to Sanral's homepage, the attack redirects that request through a transparent Web proxy operated by the attacker. The proxy fetches a valid session cookie from Sanral, as well as the page's correct content. It then provides that to the client's browser, which shows the Sanral homepage and sets the attacker's session cookie.

When the user then clicks through to the e-toll interface, the connection switches to encrypted https, but the session (denoted by the cookie) is maintained, and is apparently used by the site to remember whether the user has logged in yet.

Once log-in is complete, the attacker can then open the e-toll Web site using the cookie, and will not be prompted to log in again. It is trivial then to automate the attack, scraping the e-toll Web site for the desired data.

The attacker has to know in advance that the target user will browse to the Sanral Web site, or operate a continuous transparent proxy. If the attacker observes a potential victim managing their e-toll account, he could initiate interception then disrupt the target's current session to prompt re-login, and attack that new session.