An online portal developed by the SA National Roads Agency (Sanral) to allow unregistered road users to check outstanding e-toll fees allows would-be snoops to track motorists' movements with just a vehicle licence number in hand.
ITWeb has established that any vehicle using Gauteng's toll roads can be tracked in real-time by anyone with access to the Sanral Web site - regardless of whether they are registered.
This follows a previous investigation by ITWeb into the e-tolls Web site, which revealed a security flaw that could allow attackers to capture personal information such as identity numbers, car registration details, physical and e-mail addresses, as well as cellphone numbers.
Sanral says the online portal - available under the "Not registered and wish to pay for your e-toll costs?" - was created in order to give untagged highway users an easy way to pay e-tolls.
However, experts argue that the unrestricted nature of the service boils down to an infringement of citizens' constitutional right to privacy.
Industry professionals point out that - even if the majority of road users are unlikely to be victims of violations resulting from the open access to their outstanding e-toll fees - the unguarded nature of the portal does open up the door to stalkers, suspicious spouses and even mischief-makers.
The Sanral Web site was intended to provide the facility for anyone to pay for an unregistered vehicle's outstanding tolls. Given the licence number of a vehicle, any other user can monitor its e-toll balance. (The site, although intended to disclose only the amount owed by unregistered users, also reveals the outstanding balance of users with e-tags, ITWeb has confirmed.)
The amount is updated at the moment the driver passes a toll gantry, and since gantries are priced uniquely, depending on the length of each road segment, the incremental changes in the total balance can be correlated to deduce the specific gantries the driver has passed.
A trivial script can automatically retrieve the Web page at regular intervals, writing changes to a log and recording a vehicle's every move.
In addition, even though a visit to the said URL will prompt users to register or log in, a simple copy and paste of the same URL back into the browser will allow those without login credentials to use the service as well.
Sanral has downplayed the probing potential of its unregistered users portal, saying: "Sanral is of the view that the current system provided on [the agency's] Web site, which allows users to access outstanding amounts owed for a seven-day period by entering their vehicle licence plate number, does not constitute a violation of privacy in terms of legislation relating to privacy and protection of data."
However, Novation Consulting director Elizabeth de Stadler says the flaw is "quite ridiculous", as it creates a privacy issue. The information Sanral's portal lays bare will be an infringement of the Protection of Personal Information (PPI) Act when it comes into effect, she notes, adding it also seems to be a contravention of the constitutional right to privacy.
On top of the privacy issue, says De Stadler, there is also a security issue, because information is not being kept reasonably secure. "It's incredibly easy to link a person's number plate to them... It's not rocket science."
There is no conceivable reason why people's movements should be publicly accessible, she adds. Only the registered owner of the vehicle should have access to their information, De Stadler notes.
SensePost CTO Dominic White says while at face value the portal merely reveals how much a motorist owes and not personal information - depending on how much can be garnered from this, it could be a breach of citizens' privacy rights.
Ideally, he says, the information should only be tied to and accessible to each individual motorist. "Ideally, you would want to be in control of your own information. There is potential for shenanigans in this."
White says mass data gathering is another possibility the portal opens up. "You could, for example, write a script for hundreds of thousands of number plates and run it. This could tell you how many vehicles Sanral knows about, or how many number plates they are tracking. It is a hypothesis, but it is possible."
Independent security consultant Paul Cammidge adds creating the script and obtaining a licence plate number so that someone can be tracked is not difficult. "From that perspective, I'd be quite worried."
White notes all vehicles' number plates - including those of police officials and politicians - are open to the public. While White says the usefulness of information any Internet user can glean from the portal is debatable, but data mining, bribery and stalking are some of the uses that could exist.
He says another possibility the portal may open up is users researching ways of cheating or bypassing the system. "If you want to probe [Sanral's] system this would be a useful implementation point. You could perhaps establish how the system reacts to a painted number plate, for example."
Swift Consulting CEO Liron Segev says "the whole thing boils down to trust". He notes motorists are already wary of Sanral because they do not trust the debt collection system, or its statements about what e-tolls are funding.
Segev says the fact that the system has access to live data begs the question of whether a public-facing portal should have access to unencrypted real-time information. "There's so much you can do with this."
The information could be used by syndicates to virtually track people's movements for burglary purposes, or for people to track cheating partners, says Segev. He adds once coupled with other data that can be gleaned through social engineering or unofficial databases, it could also lead to scams being perpetrated.
Segev explains the information is sufficiently legitimate to act as a hook for a 419 e-mail. He says the issue may not be deliberate on the part of Sanral, but the site has not been sufficiently thought through.
Cammidge says, while the site does not provide any other personal information, the number plate and movement information still constitutes too much data.