By admin • January 12, 2015

Major Cyber-Security Flaw in Washington State's Cannabis Tracking System!

bottom_line

Here is our CEO Justin's response to our release:

I am the CEO of Viridian Sciences, a SAP OEM partner with a focus on the global Cannabis and Hemp industries. Our company has been working on integrating with the Washington State cannabis “Seed-to-Sale” traceability software built by BioTrackTHC.

 

Under their contract with the state, BioTrackTHC was given the task of building a state system.   The contract states that the “contractor will at all times maintain network, system, and application security that, at a minimum, conform to the current cyber security Standards set forth and maintained by the Center for Internet Security.”  This contract can be found at:http://www.cisecurity.org” -  Model Contract WSLCB K546. Although this site lists an array of security options and methodologies, the current security vulnerability found in the BioTrackTHC system could be extremely detrimental to businesses and ultimately put peoples’ lives in danger. The type of security breach is exactly the situation that the state obviously intended to be avoided.

 

Viridian Sciences has not only noted a major hole in the security of the Washington state cannabis tracking system and in our opinion BioTrackTHC and/or the state had full knowledge of this fact and has greatly misled the licensed participants. Any reasonable developer, even a beginner, should have spotted this problem.  They have failed to live up to the responsibility owed to the citizens of Washington and this deception is costing the licensed participants both time and money in the process.   BioTrackTHC programmatically tells the users that they are logging into a secure system when they are, in fact, not.  The program forces popup messages that state that the user has logged in to a secure system, when the program that the user has accessed is unsecure and can be exploited.  This security lapse is leaving the data and business vulnerable to cyber-attacks.

 

Please read our attached technical write up for a much more in-depth look at the issue, including a time and cost analysis. In brief, this security breach essentially exposes unencrypted user names and passwords when exploited. With some simple tools such as FireSheep, a hacker could obtain a user name and password and with such gain access to the Licensee’s system. From here the hacker can see all types of sensitive information about the business. Critical business information such as sales can easily be exposed.  More alarming is that detailed delivery routes, vehicle information (Driver’s Name, Make, Mode, License Number, etc), and full cargo manifests are left unprotected. These manifests list all products in transit by date, time, and destination. This opens up opportunities for criminals to track and coordinate their efforts on specific deliveries with high value- either attacking the truck early for the product or later after the cash has been gathered from the retailers. This breach puts people at greater risk of being targeted and opens up the door for industrial espionage.

 

This current issue being so rudimentary in nature begs the question of overall competency of BioTrackTHC to execute on the State contract. It also calls into question the management of this contract by the State of Washington and their contract coordinator.  Viridian Sciences has offered its assistance several times in beta testing the state integration for both the recreational and laboratory integration and have not been provided the opportunity. We are still waiting on the lab integration that was to be delivered in early December but has yet to be delivered.

 

Due to the severity of the risks at hand it is my recommendation that the state’s seed-to-sale system be shut down until the security vulnerability has been resolved in order to protect the producers, processors and retailers delivery routes and drivers as well as business intelligence in general.

 

Please see link below for developer communities’ comments on this issue, at the following link "Establishing a Secure Connection! - Would you believe that a US state paid over $1 million dollars for this software?”  Some of the comments are entertaining- most are in sheer disbelief.

 

http://www.reddit.com/r/shittyprogramming/comments/2p4l2h/establishing_a_secure_connection_would_you/

 

[embed]http://viridiansciences.com/wp-content/uploads/2015/01/WAStateMarijuanaTraceabilitySystem-SecurityFlaw.pdf[/embed]


Adobe_PDF_icon
Click Here to Download the PDF Write Up on the WA State Marijuana Traceability System - Security Flaw

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. This work is meant for audiences where cannabis is legally produced, processes, distributed, and sold. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that An organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make.