Does E-ZPass have a security vulnerability?
Alton risk analyst says he sees possibility of account compromises
New Hampshire officials who claimed last Thursday that there is no vulnerability in the E-ZPass system were scrambling on Friday to address the concerns brought to their attention by Gerry Kennedy of Alton, a risk analyst with Observatory Strategic Management.
On Sept. 15, Kennedy initially reported problems with the architecture of the E-ZPass platform that handles toll collection for 19 states after he had trouble replenishing his own account. He noticed that the application defaults to “Remember Me,” which Kennedy called “a very bad idea.” It means that personal credentials are stored on the platform. If the system is hacked, those credentials are compromised.
The U.S. Treasury Department’s Federal Insurance Office has asked Kennedy to serve on a cyber team overseeing insurance programs. As part of his work in determining risks for insurers, Kennedy has a team of cybersecurity experts who test systems for weaknesses.
In the case of E-ZPass, the team found that, by simply searching the term “ezpass,” they were able to obtain usernames and passwords that led to the credentials of every government official in New Hampshire, all the way to Gov. Chris Sununu.
Kennedy said he contacted the head of the state’s internet technology team, Michael Balboni, who asked Kennedy to send him everything he had in an email.
“I said a hard ‘no,’” Kennedy said. “Would I send open-source credentials through your unsecure network? Then I’m part of your problem.”
Instead, he drove to Concord to deliver the information, but, according to Kennedy, he was not allowed to see Balboni and instead was referred from one department to another without ever having a chance to present his evidence.
Kennedy then turned to his LinkedIn account to expose the problem.
“The first person’s credentials that was discovered was a NH State Employee with access to all the other Employees in the state! I am sure some undercover police officer would love his or her credentials given up by going through a toll!” Kennedy posted.
He recounted his experience being sent to the Department of Transportation, then to the E-ZPass office, then back to the DOT, then the Turnpike Bureau, and back to the DOT.
After learning of Kennedy’s complaint and attempting without success to reach Balboni by phone and email, a request for information was sent to the governor’s communications director, Benjamin Vihstadt. It resulted in the message: “The New Hampshire Department of Transportation has stated there is no EZ Pass system vulnerability. Our office would refer you to NH DOT on these questions.”
Richard Arcand, an administrator with DOT, said last week that Kennedy’s concern “is the only recent issue that has been brought to our attention. The issue was evaluated thoroughly and we are confident this does not present a vulnerability, nor does this issue expose the credentials or personal information of any users of NH’s system.”
There have been no complaints from other states either, he said.
Addressing the complaint about the default setting, Arcand said, “The password however is never saved and always needs to be reentered. … We are currently taking steps to implement an update to give users the option to remember the username, rather than that being the default, but this is really a user preference and is certainly not a vulnerability.”
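The point in dispute above is what a “Remember Me” default actually stores. As an added illustration (not code from E-ZPass, Cubic or the state), this is how a remembered login can be built so that the password is never saved: the browser receives a random selector/validator pair, the server keeps only a hash of the validator, the option is off by default, and a mismatched validator revokes the token. The in-memory store and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store standing in for a database table (assumption).
# selector -> {"user", "validator_hash", "expires"}; no password is ever kept here.
REMEMBER_TOKENS = {}

# The checkbox is opt-in: a user must choose to be remembered.
REMEMBER_ME_DEFAULT = False


def issue_remember_token(username, ttl_seconds=30 * 86400, now=None):
    """Create a persistent-login cookie value that contains no credential."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret
    validator = secrets.token_urlsafe(32)  # secret, stored only as a hash
    REMEMBER_TOKENS[selector] = {
        "user": username,
        "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + ttl_seconds,
    }
    return f"{selector}:{validator}"


def redeem_remember_token(cookie, now=None):
    """Return the username for a valid cookie, or None; revoke on tampering/expiry."""
    now = time.time() if now is None else now
    if ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    record = REMEMBER_TOKENS.get(selector)
    if record is None:
        return None
    if now > record["expires"]:
        del REMEMBER_TOKENS[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["validator_hash"]):
        # Known selector with wrong validator: treat the cookie as stolen or forged.
        del REMEMBER_TOKENS[selector]
        return None
    return record["user"]


def cookie_leaks_credential(cookie, username, password):
    """True if the cookie would expose a username or password to a reader."""
    return username in cookie or password in cookie
```

Because the server stores only a hash of the validator, a dump of the token table does not let anyone reconstruct a working cookie, and a dump of the cookie does not reveal the password.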
Asked about the credentials that Kennedy’s team was able to obtain, Arcand said, “Mr. Kennedy has not brought any other issues or vulnerabilities to our attention.”
Arcand pointed out that the E-ZPass system is audited annually for compliance.
“A System and Organization Controls report is produced annually and the NH EZ Pass vendor has submitted attestations that the system is compliant with the latest Payment Card Industry Data Security Standard,” Arcand said.
New Hampshire has a contract with Cubic Corporation to manage New Hampshire E-ZPass accounts and process transactions on the state turnpike system. Arcand said the NHDOT, and specifically the Bureau of Turnpikes, is responsible for all turnpike revenue collection, and the Cubic contract is managed by that bureau. The Cubic contract is in the first of three three-year contract extensions that expire June 30, 2024.
Cubic was selected through a competitive bid process, and other vendors that could provide the service also bid, but choosing another company would require migration to a new EZ Pass solution, Arcand said.
Kennedy’s response to those comments was that “compliance is not security.”
“You clearly have the evidentiary side of the fail,” Kennedy said, noting that his obligation is: “If you see it, say it.” He was not making a complaint, Kennedy explained, only bringing a problem to the state’s attention. Yet, “They said everything’s all right.”
He reiterated that failures exist, allowing his team to access the credentials, and said they will now be looking at the whole system, including the state’s vendors.
A call to Turnpike Bureau Administrator John Corcoran Jr. revealed a change in attitude on the part of the state. Rebecca Pacheco, his administrative assistant, said, “The issue is being dealt with at a higher level; it’s beyond this office, and they’re looking into fixing it.”
This article is being shared by partners in the Granite State News Collaborative. For more information, visit collaborativenh.org.