State Addresses Report Of EZ Pass Vulnerability


CONCORD — New Hampshire officials who claimed on Thursday that there is no vulnerability in the EZ Pass system were scrambling on Friday to address the concerns brought to their attention by Gerry Kennedy of Alton, a risk analyst with Observatory Strategic Management.

Kennedy initially reported problems with the architecture of the EZ Pass platform that handles toll collection for 19 states on September 15 when he had trouble replenishing his own account. He noticed that the application defaults to “Remember Me” which Kennedy called “a very bad idea.” It means that personal credentials are stored on the platform. If the system is hacked, those credentials are compromised.

Kennedy, whom the United States Treasury Department’s Federal Insurance Office has asked to advise on cyber insurance, has a team of experts who test systems for weaknesses.

In the case of EZ Pass, the team found that, by simply searching the term “ezpass,” they were able to obtain usernames and passwords that led to the credentials of every government official in New Hampshire, all the way to Governor Chris Sununu.

Kennedy said he contacted the head of the state’s internet technology team, Michael Balboni, who asked Kennedy to send him everything he had in an email.

“I said a hard ‘no,’” Kennedy said. “Would I send open-source credentials through your unsecure network? Then I’m part of your problem.”

Instead, he drove to Concord to deliver the information, but, according to Kennedy, he was not allowed to see Balboni and instead was referred from one department to another without ever having a chance to present his evidence.

Kennedy then turned to his LinkedIn account to expose the problem.

“The first person’s credentials that were discovered were a NH State Employee with access to all the other Employees in the state! I am sure some undercover police officer would love his or her credentials given up by going through a toll!” Kennedy posted.

He recounted his experience being sent to the Department of Transportation, then to the EZ Pass office, then back to the DOT, then the Turnpike Bureau, and back to the DOT.

After learning of Kennedy’s complaint, a reporter attempted without success to reach Balboni by phone and email. A request for information sent on Wednesday to the governor’s communications director, Benjamin Vihstadt, drew this message: “The New Hampshire Department of Transportation has stated there is no EZ Pass system vulnerability. Our office would refer you to NH DOT on these questions.”

Richard Arcand, an administrator with the Department of Transportation, said on Thursday that Kennedy’s concern “is the only recent issue that has been brought to our attention. The issue was evaluated thoroughly and we are confident this does not present a vulnerability, nor does this issue expose the credentials or personal information of any users of NH’s system.”

There have been no complaints from other states, either, he said.

Addressing the complaint about the default setting, Arcand said, “The password however is never saved and always needs to be reentered. … We are currently taking steps to implement an update to give users the option to remember the username, rather than that being the default, but this is really a user preference and is certainly not a vulnerability.”

Asked about the credentials that Kennedy’s team was able to obtain through EZ Pass, Arcand said, “Mr. Kennedy has not brought any other issues or vulnerabilities to our attention.”

Arcand pointed out that the EZ Pass system is audited annually for compliance. “A System and Organization Controls (SOC) report is produced annually and the NH E-Z Pass vendor has submitted attestations that the system is compliant with the latest Payment Card Industry Data Security Standard (PCI DSS),” Arcand said.

New Hampshire has a contract with Cubic Corporation to manage NH E-ZPass accounts and process transactions on the state turnpike system. Arcand said the NHDOT and specifically the Bureau of Turnpikes is responsible for all turnpike revenue collection, and the Cubic contract is managed by the Bureau of Turnpikes. The Cubic contract is in the first of three three-year contract extensions which will end on June 30, 2024.

“With G&C approval we have contract authority to extend their contract two additional three-year periods ending on June 30, 2030,” Arcand said.

Cubic was selected through a competitive bid process, and other vendors that could provide the service also bid, but choosing another company would require migration to a new E-Z Pass solution, Arcand said.

Kennedy’s response to those comments was that “compliance is not security.”

“You clearly have the evidentiary side of the fail,” Kennedy said, noting that his obligation is: “If you see it, say it.” He was not making a complaint, Kennedy explained, only bringing a problem to the state’s attention. Yet, “They said everything’s all right.”

He reiterated that failures exist, allowing his team to access the credentials, and said they will now be looking at the whole system, including the state’s vendors.

A call to Turnpike Bureau Administrator John Corcoran Jr. on Friday revealed a change in attitude on the part of the state. Rebecca Pacheco, his administrative assistant, said, “The issue is being dealt with at a higher level; it’s beyond this office, and they’re looking into fixing it.”

This story originally appeared in the Laconia Daily Sun.