Cyber security gaffes plague Sanral
Sanral has made a quick fix to a huge security hole on its new site less60.co.za, which allows users to check how much they owe in e-tolls.
The ITWeb tech team this week discovered the new site was served over plain HTTP with no secure sockets layer (SSL) protection, meaning users' ID and vehicle licence numbers were sent to the site in clear text, where anyone able to observe the traffic (on a shared Wi-Fi network, say, or at any network hop between the browser and the server) could read or alter them.
SSL, and its successor TLS, is the standard security technology for establishing an encrypted link between a Web server and a browser. The link keeps the data passed between the two confidential, protects it from being modified in transit, and, through the server's certificate, lets the browser verify it is talking to the site it intended to reach.
After ITWeb probed the road agency concerning the security gaffe, it made a quick turnaround, with Jamie Surkont, CEO of Electronic Toll Collection, a service provider to Sanral, saying SSL has now been implemented as an additional security measure.
Sanral recently introduced a 60% discount on historical e-toll debt in arrears. To qualify for the 60% discount, users must settle their bills within six months - giving them until the end of April 2016 to pay up.
The portal asks users to fill in their ID number, vehicle licence number, and agree to the terms and conditions. Once motorists have done so, their total outstanding amount and new discounted outstanding amount are shown. After that, the system asks them to pay using their preferred method.
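As an added example (not code from ITWeb, Sanral or the portal's developers), the check below does against a saved copy of a page what the tech team's finding amounts to: it lists every form whose submit URL does not use https while the form carries identifying fields such as an ID or vehicle licence number. The page markup, hostnames and field names it uses are constructed for the example and are not the real less60.co.za page.

```python
"""Flag HTML forms that would submit identifying fields over plain HTTP.

Added example, not code from ITWeb or Sanral. It parses a saved copy of a
page and reports every form whose action URL resolves to a non-https scheme
while the form carries fields that look like ID, licence, card or password
data. The markup below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings (after lower-casing and stripping '_', '-' and spaces) that mark
# a field as personal or financial data. Constructed list; extend as needed.
SENSITIVE_SUBSTRINGS = (
    "idnumber", "idno", "identity", "licence", "license", "vehicle",
    "cardnumber", "cvv", "password", "passwd", "ssn",
)


class FormCollector(HTMLParser):
    """Collect each <form> with its action and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field_name):
    """True if a field name looks like it carries identifying or secret data."""
    norm = field_name.lower().replace("_", "").replace("-", "").replace(" ", "")
    return norm == "id" or any(s in norm for s in SENSITIVE_SUBSTRINGS)


def audit_forms(page_url, html):
    """Return one finding per form that sends sensitive fields to a non-https
    action. The action is resolved against page_url, so an empty or relative
    action on an http:// page is a finding, and an absolute http:// action on
    an https:// page (a downgrade to plain text) is caught as well."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        action = urljoin(page_url, form["action"])
        sensitive = [f for f in form["fields"] if is_sensitive(f)]
        if sensitive and urlsplit(action).scheme.lower() != "https":
            findings.append({"action": action, "fields": sensitive})
    return findings


# Constructed markup resembling the balance-check form described in the
# article (ID number, vehicle licence number, terms checkbox); not the real page.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/check">
  <input type="text" name="id_number">
  <input type="text" name="vehicle_licence_number">
  <input type="checkbox" name="accept_terms">
  <input type="hidden" name="csrf_token">
  <input type="submit" value="Check balance">
</form>
<form method="get" action="https://search.example/">
  <input type="text" name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    # The same form is a finding when the page is served over http and clean
    # once the page (and therefore the relative action) moves to https.
    for page in ("http://less60.co.za/", "https://less60.co.za/"):
        print(page, "->", audit_forms(page, SAMPLE_HTML))
```

The check is static and runs offline; a real audit would also confirm that the http:// endpoint does not merely redirect to https after the browser has already sent the form body in clear text, which is the case this finding describes.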
In addition to the Web portal, Sanral offers a toll-free call centre (087 353 1490), and an SMS service that lets users check their outstanding e-toll balance.
The latest security gaffe follows earlier ITWeb reports that an online portal previously developed by Sanral, meant to let unregistered road users check outstanding e-toll fees, allowed would-be snoops to track motorists' movements with nothing more than a vehicle licence number.
ITWeb also uncovered another flaw which allowed road users to be tracked as they travel under e-toll gantries.
Security solutions vendor Symantec says SSL certificates are an integral part of Web site security. When users visit a Web site with SSL, the site's SSL certificate enables them to encrypt the data they send, such as credit card information, names or addresses, so it can't be accessed by hackers.
Symantec explains that when a browser attempts to connect to a Web site secured with SSL, the browser requests the Web server identify itself. The server then sends the browser a copy of its SSL certificate and the browser checks whether it trusts the SSL certificate. If so, it sends a message to the server and the server sends back a digitally signed acknowledgement to start an SSL encrypted session. Encrypted data is then shared between the browser and the server and https appears.
However, ITWeb found less60.co.za is just a "middleman": it has very limited functionality and so a relatively small attack surface. It passes the user's details to the e-toll billing system, gets an account balance back, then links to a third-party payment site to process payment of that specific amount. That way payment card details are almost certainly not at risk, since those are handled by the payment provider; the ID and licence numbers, and the balance returned for them, are what the portal itself carries.
Surkont says the less60.co.za site is "not transactional, apart from allowing users to pay. So in this regard, access to information pertaining to ID or vehicle licence numbers is not of value, although an SSL has been implemented as an additional measure."
Surkont said should users not wish to use the site, they can use the dedicated call centre on toll-free number 087 353 1490, or send an SMS with their ID and vehicle licence number details to 43360.
Meanwhile, Sanral appears to have transgressed the Metrology Act by failing to obtain certification of its e-toll system.
In a parliamentary question lodged by Anton Alberts of the Freedom Front Plus this week, the transport minister was asked: "Whether Sanral, at any stage, had applied for the certification or exemption from certification of the e-toll system, in terms of the Trade Metrology Act, Act 77 of 1973, and/or the later Legal Metrology Act, Act 9 of 2014, and other supporting legislation applicable to certification."
According to the Opposition for Urban Tolling Alliance (Outa), the minister's reply clearly showed Sanral had not.
"Outa finds this response unacceptable, as in effect it is an admission that Sanral has transgressed the Metrology Act, and continues to behave as a law unto themselves. Outa maintains its position that Sanral has flouted constitutional provisions that oblige state-owned enterprises to be transparent, accountable and above all, lawful," the organisation says in a statement.
"Outa believes that to spare herself further exasperation and embarrassment, [transport] minister [Dipuo] Peters needs to take stringent corrective action to ensure Sanral's executive board commits itself to a display of discipline at the highest levels or face the consequences of the harshest disciplinary action."