After more than two weeks, Massachusetts’ vehicle inspection system is still offline. People whose cars were due to be inspected in March are driving on expired stickers — the state’s RMV is now giving them until the end of May to get their vehicles checked. It’s all thanks to an attack on the software that the inspection system runs on. Chris Gonsalves is an IT security expert with Channelnomics. Before that, he was with the Institute for Applied Network Security. Gonsalves spoke with GBH All Things Considered host Arun Rath. This transcript has been edited for clarity.
Arun Rath: State inspections are performed at gas stations, garages, places like that all across Massachusetts. They run on software that’s put out by a company called Applus Technologies. Do we know how the software was compromised?
Chris Gonsalves: Well, we can guess. We know that the system was compromised around March 30, and they notified the inspection stations that they should immediately take their stuff offline, unplug it, power it down, move it away from anything flammable. We don’t know exactly what the problem was except that Applus has said that it was malware. Now we can guess that it was probably some form of ransomware. What ransomware does, for folks who may not be familiar with it, is it infects a network, it infects the endpoint devices on that network, and it takes the files and it encrypts them. It scrambles them so that they look like gibberish. The only way to recover them at that point is to use a decryption key, which can only be provided to you by the criminals who broke into your system. They will happily provide that key for one or a few Bitcoin, some sort of untraceable cryptocurrency, and then hopefully you can get your systems back online.
The other way to recover from a ransomware attack, if that’s all this is, would be for you to employ your system backups. Most organizations are at least supposed to be backing up their data regularly so that when you have an event like this, you just shut everything off, wipe it clean, and put the recovered data back into the system. You may have lost 24 hours’ worth of work, but everything works just fine. We know at this point that that isn’t happening at Applus. We are several weeks into this, and they still don’t really know when the system is going to be recovered. So that tells me a couple of things. One, they didn’t really have robust backups to use. And number two, they may have paid the ransom to start to get their systems back online, which would explain why they’re not being completely forthcoming about what happened. Because boy, the FBI hates it when victims pay the ransom. But in fairness to the victims, there’s often not a better way to do it.
I’ve spoken to some of the folks at garages, mom-and-pop gas stations, places that do vehicle inspections, so I know a little bit about their experience with this so far. What they’re telling me is, after they were informed that they should take their stuff offline, they have all been visited by three people, and those three people represent the three organizations that do vehicle inspections here in Massachusetts. It’s the RMV, the Department of Environmental Protection and Applus themselves. Each of these representatives has shown up with their own little USB stick in order to redo the software on the endpoint devices. What they’ve also told me is that in every case, the person who comes in from the next organization complains that the person from the previous organization did it wrong. So we know that the system is working exactly as we expect it to work. But what they aren’t telling these folks is when this thing is going to be back online. Again, that tells us a little bit about the state of disarray of the systems. It also concerns me in that it might be an indication as to what actually got compromised here.
I’ll tell you a little bit about how the sticker system works. Inspection stickers are a for-profit business. When you go to get a sticker at your local gas station, they are buying those stickers from the state at something like $30 apiece, and they’re reselling it to you for $50. It’s a little sideline business for them. In order to facilitate that, what they do is, each of these stations has a separate bank account that’s dedicated to paying for the stickers that they get from the state. It’s an ACH transaction, it’s just a wire transaction. Every month you get your batch of stickers and the state takes a withdrawal from your account. All of these inspection stations have been told to close those accounts. That indicates to me that they are at least afraid of the possibility that the data has been compromised in addition to it being encrypted. Most times, ransomware guys aren’t interested in stealing your data — they just want to mess it up and make you pay to get it back. But more and more, we’re starting to see that ransomware guys are getting in league with other kinds of cyber criminals who are interested in the data. So they’ll compromise your system, they’ll steal some stuff, which they can sell to the other bad guys, and then they’ll make you pay to get the rest of it back. So that’s kind of where we are.
Rath: We’ve heard about, say, private companies that have been attacked and might pay a ransom, and we would never know about it. With the state being involved, though Applus is a private company, are they required to let us know or tell anybody about what has actually happened here?
Gonsalves: Their lack of candor so far indicates that they are at least concerned that they might have to fess up to what happened. But first of all, Applus is required, if they believe that data has been compromised. But in this case, you’re talking about personally identifiable information. You’ve got financial data that belongs to the inspection stations. You’ve also got personal information for every single person that gets a sticker. So these databases have your vehicle identification number, they’ve got your license plate number, they’ve got your name and address, all information that would be valuable to someone. You would be required to report both the loss of that data and what you did to get it back to government agencies, because you are a regulated government public entity, or you’re handling public data. That said, the way a lot of this is working now is they hire a forensics team to come in. These incident responders will take over the job of getting the systems back online. Often the incident response companies will pay the ransom themselves and then just mark that figure up and bill the victim company so that, one, it’s a tax deduction — it’s just part of your incident response. And then, two, it’s really sort of masked in the entire expense of the data breach itself.