Minister of Transport Dipuo Peters has said that “some media houses” were responsible for “cyber attacks” on the E-toll website, BDlive reported on Wednesday, 23 July 2014.
According to the report, the Minister was answering a parliamentary question put to her by Democratic Alliance MP Chris Hunsinger in a written reply.
Teething problems on the E-toll website, including billing problems, were partly due to the slowness of the website, Peters was quoted as saying.
She blamed the website’s slowness on communications links and cyber attacks, adding that “some media houses” were responsible for the cyber attacks.
“It is unfortunate that some of the cyber attacks were deliberately perpetrated by unknown persons and some media houses,” Peters was quoted as saying.
“These incidents have been reported to the law enforcement authorities,” she said.
E-toll website security woes
While the Minister did not mention specific cyber attacks or media houses, filling in the blanks is not hard.
One of the first E-toll website security concerns to make headlines was the ability to check the outstanding grace-period E-toll bill for any vehicle, provided you had the license plate number.
When US President Barack Obama visited South Africa to pay tribute to our former President Nelson Madela, the feature was used to see what Obama’s outstanding E-toll bill was.
Despite statements from the South African National Roads Agency Limited (Sanral) that there were no adverse privacy implications and that its site was operating within the law, the feature was disabled a few days later.
In a statement sent to MyBroadband in response to questions about the removal of the feature, Sanral’s head of communications Vusi Mona said the feature was removed from the site “due to the misinformation and concerns raised”.
The real “hacks” begin
The online bill check security concerns were soon followed be an informal security advisory from one “Moe1” about a serious vulnerability in the E-toll website.
Moe1 demonstrated in a YouTube video that it was possible to get a registered E-toll user’s PIN if you knew their username.
Sanral only notified its users about a “possible security breach” some two months after the media reports of Moe1’s research surfaced, instructing registered users to change their PINs.
The agency decried Moe1’s disclosure as a “cyber attack” at the time, saying that its technicians worked flat out to resolve the security issue within a day of Moe1’s disclosure making the news.
“Some people may not like e-tolls but launching an attack on law abiding citizens, just because they registered an e-toll account, is appalling,” Mona said at the time.
ITWeb reported at the time that in the course of covering the story, after numerous unanswered requests for comment, it eventually received the following response from Sanral:
In light of your publication admitting to hacking into our system, Sanral will no longer cooperate with ITWeb as you are dealing with us in bad faith.
In its report, ITWeb indicated that it had informed Sanral (and the users concerned) that it had taken steps to verify the web site flaws, but wanted to ensure that the agency and the users involved were properly notified.
More security flaws
The flaw discovered by Moe1 was by no measure the last E-toll website security issue discovered.
In March 2014 two more flaws were reported, both of which let attackers see the outstanding balances of any vehicle.
While Sanral did not respond to queries about the flaws at the time, it appeared as though the agency worked to patch issues as the media asked about them.