Used Gear Installed For South Bay BART Extension Exposed System To Hackers
SAN JOSE (KPIX) -- KPIX has learned that used communications and computer equipment installed by contractors on the South Bay BART extension could have left the transit system vulnerable to hackers and other cyber-security threats.
That revelation is the latest fallout from KPIX 5's exclusive report last week about a serious construction issue that could add months and millions of dollars to the beleaguered project.
"The concern is security," said Valley Transportation Authority board member Johnny Khamis. "If someone has already used a router then they might have access to it. We don't want our systems to be shut down by someone else. That's why we wanted a brand-new system."
The VTA discovered in June that 1,100 used digital routers and switches had been installed in the rail line's communications, computer and security systems.
Security expert Jeff Harp put it this way: "It's just like buying a used car versus a new car. You just don't know what that used car has been exposed to. If you buy a used router, you don't know what it's been exposed to. You don't know what security upgrades or changes have been made to it."
The VTA says three companies, Illinois-based Aldridge Construction, San Jose's Rosendin Electric and subcontractor HSQ Technology were responsible for buying and installing the used gear.
The companies say they're working closely with VTA to correct the problem, a problem which -- had it gone undetected -- could have left the system exposed to attack.
"Cyber security evolves not daily but hourly," Harp said. "There are malicious actors looking to penetrate these systems every single day."
VTA board member Johnny Khamis said that, not only does he want the 1,100 routers and switches removed and replaced, he wants answers and accountability for an error that could delay train service until the very end of 2019.
"I was extremely angry. I couldn't believe a contractor would take advantage of us in that manner. Either someone didn't read the contract or there was some corner cutting involved," Khamis said. "People may think that they can get away with something like that," he added.
The contractors released a joint statement Friday saying they're working closely with VTA on a "remediation plan" but they failed to take responsibility for creating the problem in the first place.
San Jose mayor Sam Liccardo, who chairs the VTA, said he wants a complete and thorough investigation.
"This contract was unequivocal. It had to be new equipment. Clearly, they violated the contract," Liccardo said. "And ultimately, they really cheated the public."
Liccardo and board member Khamis said they want the agency's investigation to be thorough and dogged, following the evidence wherever it leads.
"If the DA's office decides that there's a criminal prosecution to be had, we'll get them all the information they need to insure folks are brought to justice," the mayor said.
for more features.