{"id":684,"date":"2009-02-05T23:35:20","date_gmt":"2009-02-06T07:35:20","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=684"},"modified":"2009-02-05T23:35:20","modified_gmt":"2009-02-06T07:35:20","slug":"security-review-automated-traffic-enforcement","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/05\/security-review-automated-traffic-enforcement\/","title":{"rendered":"Security Review: Automated Traffic Enforcement"},"content":{"rendered":"<p>Security Review: Automated Traffic Enforcement<br \/>\n<strong>Summary<\/strong>:<\/p>\n<p>This security review was motivated by a family member of mine receiving a ticket from this technology: automated traffic enforcement. This is a fairly new system cities are using to enforce traffic laws. They are using systems that detect when drivers run red lights and speed in certain zones. The purpose of these systems is to reduce traffic infractions in an area and improve traffic safety overall. The Stop Red Light Running systems work by taking two photos, one of the front and one of the back, of the vehicle running the red light. The sensors are synchronized with the traffic lights and are able to detect vehicles driving through intersections on red lights. The sensors trigger the cameras, which record the day, time and place of the violation. As for the speeding systems, they use photo radar, which measures the speed of the vehicle, and snap two pictures of the front and back of the vehicle. 
Once a vehicle is detected committing a violation, the violation is sent to traffic enforcement and the traffic infringement is mailed to the owner of the vehicle. Traffic enforcement expects the delivery of the letter to be reliable: if the vehicle owner does not submit a payment within the time frame, the owner receives a late notice and the ticket fee increases. Unfortunately, this is what happened to my family member.<br \/>\nAlthough I agree that this is a step in the right direction to improve traffic safety, one question that comes to my mind is how accurate the infractions are. In the case of a vehicle running a red light, it is apparent if the car is in the middle of the intersection and the light is red. But for a speeding infraction, how accurate is the system in correctly identifying infractions; that is, does it generate false positives? Also, is it possible for someone to access the traffic enforcement network and speeding systems to generate false speeding infractions?<\/p>\n<p><strong>Assets &amp; Security Goals<\/strong><\/p>\n<ul>\n<li> Drivers\u2019 info: we do not want the driver\u2019s information stored in the DMV to be read by parties other than the person who made the infraction. If this is not secure, privacy can become an issue.<\/li>\n<li> Tickets: we do not want the system to distribute false tickets based on false information. If tickets are not accurate, the system can be regarded as unusable.<\/li>\n<li> Streets: we want drivers to abide by traffic laws in all areas so that they do not endanger the safety of other drivers and pedestrians. 
We want to ensure traffic safety overall.<\/li>\n<\/ul>\n<p><strong>Potential Adversaries &amp; Threats<\/strong><\/p>\n<ul>\n<li> Malicious users \u2013 A user who obtains unauthorized access to the system can begin printing out false tickets, have information from the DMV sent out to a vehicle\u2019s owner, and intercept that parcel to read information about the vehicle\u2019s owner.<\/li>\n<li> Unauthorized car users \u2013 A person who has unauthorized access to another person\u2019s car can force tickets upon the vehicle\u2019s owner by breaking the law at known automatic traffic enforcement sites. This is because the system has no form of driver verification: it uses only the infraction and the vehicle, not the driver.<\/li>\n<\/ul>\n<p><strong>Potential Weaknesses<\/strong><\/p>\n<ul>\n<li> Weak passwords or misconfigurations may exist in the automatic traffic enforcement system; if they become known, malicious users can use this information to gain unauthorized access.<\/li>\n<li> Eavesdroppers can intercept the ticket notification in the mail to read sensitive information in the parcel.<\/li>\n<li> A hijacker\/malicious driver can obtain unauthorized access to a car and perform these infractions. However, the system will always send tickets to the vehicle owner\u2019s address. 
Therefore, a malicious user can \u201crack up\u201d many tickets for a vehicle\u2019s owner even though the vehicle\u2019s owner did not commit the infraction.<\/li>\n<\/ul>\n<p><strong>Potential Defenses<\/strong><\/p>\n<ul>\n<li> Strengthen aspects of the system to prevent unauthorized access to the ticketing system.<\/li>\n<li> Determine a new method to notify a vehicle owner of the infraction they have made.<\/li>\n<li> Redesign the system to include verification of the driver performing the infraction so that the ticket does not default to the vehicle owner.<\/li>\n<\/ul>\n<p><strong>Conclusions<\/strong><br \/>\nDespite some of this system\u2019s weaknesses, there has been a noticeable improvement in traffic infractions and traffic collisions due to running red lights and speeding. It was stated that in New York City, crashes that were caused by running red lights were reduced by 70%. As a result, traffic safety improved. Before this system was created, traffic infractions were cited only if an officer on duty was able to spot them, either with their own vision if it was someone running a red light or with their radar gun. This new system allows officers to improve their public safety coverage and focus on things other than traffic enforcement. Furthermore, the system acts as a deterrent because drivers are well aware that if they do speed or run a red light they will be caught. Prior to the system, many people were aware of the laws and of the consequences but weighed them against the likelihood of being caught performing the act. Most of the time, drivers believe they won\u2019t be caught because they bank on the fact that cops are not in specific areas 24 hours a day, 7 days a week. This automatic system allows this 24\/7 coverage. The next steps for this system would be to reduce false positives and ensure delivery of tickets. 
This is because delivery is never guaranteed to be reliable.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Review: Automated Traffic Enforcement Summary: This security review was motivated by a family member of mine receiving a ticket from this technology: automated traffic enforcement. This is a fairly new system cities are using to enforce traffic laws. &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/05\/security-review-automated-traffic-enforcement\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":101,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-684","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/101"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=684"}],"version-history":[{"count":2,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/684\/revisions"}],"predecessor-version":[{"id":686,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/684\/revisions\/686"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=684"},{"taxonomy":"post_tag","
embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}