California's Wireless Road Tolls Easily Hackable
An anonymous reader writes "Nate Lawson, a researcher at RootLabs, has found a way to clone the wireless transponders used by the Bay Area FasTrak road toll system. This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill. Lawson also raises the interesting point of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. Luckily, Lawson wasn't sued before he could reveal his research, unlike those pesky MIT students."
I think I read about this in little brother.
And they can record license plates. I think this hack has little criminal viability. Anyone who used it extensively would be caught in short order. Though authorities might be willing to let the criminal conduct continue on until the criminal passed the felony threshold.
You've got it the wrong way around - people won't use this to create alibis before committing a crime, they'll use it to establish evidence of the target being in a certain area at a certain time even though he swears he was elsewhere.
At any rate, certain requirements have to be met before something can be introduced as evidence. I'm assuming most things (like this) would, by default, not constitute evidence anyway. Email (at least in this country) needs to be provided along with an audit trail before it's accepted as evidence.
I'm a minority race. Save your vitriol for white people.
Between the splash screen redirects and the ads, this article is nearly unreadable. Here's the text for those who don't want to put up with the crap.
----
Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.
Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.
This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."
Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.
So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.
The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."
In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.
But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.
By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.
What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.
"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."
Lawson says that using each stolen ID just once would make it difficult to track
I don't know about California, but in New England they have cameras that can match up a vehicle with a FASTLANE transmitter. It would not be very hard to also hook up license plate scanners. This seems like a crime with very little payoff, and huge chance of getting caught.
In Massachusetts, the similar "Fast Lane" RFID transponder id is linked to your license plate. If you drive through a toll gate with an id that does not match your license plate (high speed cameras read the plate and use OCR to record it), your account gets flagged and you get a nastygram in your snail mail box along with a fine.
People victims to this type of clone would then obviously appeal and the stored license plate number of the cloner would then be easily used to find them.
When I was a teenager (late 90s) there were a few people selling a device about the size of two bricks that could fool ez-pass by using another person's id. This is why when you sign up for ez-pass you have to give them the make and model of your car as well as your license plate number. They have two cameras on either side of your car pointing at you and numerous overhead cameras when you pass through so I believe any sort of fraud would be pretty difficult to pull off. I'm sure California has a similar setup and if they don't then they better get working on it.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
The transponder doesn't do challenge response, it just spews out an ID number when polled?
When you have the ability to send the same data over and over again without any form of authentication or obfuscation - yes, it can be copied and used by anyone else.
There are ways to prevent this:
Use a rolling code, like my garage door, key fob, and online banking fob uses.
Use another form of authentication, like color of vehicle, plate number, or something else easily identifiable on the car.
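A toy model of the point in this thread, added here as an example and not code from the thread, FasTrak or any vendor: a tag that answers every poll with the same static ID can be satisfied by one recorded answer, while a tag that answers a fresh reader nonce with an HMAC under a per-tag secret cannot. The class names, message layout and key handling are assumptions.

```python
"""Added example (not from the thread or any toll vendor): static-ID polling
versus nonce-based challenge-response. Names and layout are assumptions."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict


class StaticIdTag:
    """Transponder that spews its ID whenever polled; the challenge is ignored."""

    def __init__(self, tag_id: str) -> None:
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id.encode()


class ChallengeResponseTag:
    """Transponder holding a per-tag secret; its answer is bound to the reader's nonce."""

    def __init__(self, tag_id: str, secret: bytes) -> None:
        self.tag_id = tag_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._secret, self.tag_id.encode() + b"|" + challenge,
                       hashlib.sha256).digest()
        return self.tag_id.encode() + b"|" + mac


class Reader:
    """Toll-lane reader that issues a random nonce per poll and checks the HMAC."""

    def __init__(self, secrets_by_id: Dict[str, bytes]) -> None:
        self._secrets = secrets_by_id

    @staticmethod
    def new_challenge() -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        tag_id, sep, mac = response.partition(b"|")
        secret = self._secrets.get(tag_id.decode("ascii", "replace"))
        if not sep or secret is None:
            return False
        expected = hmac.new(secret, tag_id + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def static_reader_accepts(known_ids: set, challenge: bytes, response: bytes) -> bool:
    """How the ID-only design validates a read: the answer merely has to be a known ID."""
    return response.decode("ascii", "replace") in known_ids


def replay_is_accepted(tag, issue: Callable[[], bytes],
                       accept: Callable[[bytes, bytes], bool]) -> bool:
    """Record one legitimate answer, then present it to a later, different challenge."""
    captured = tag.respond(issue())
    return accept(issue(), captured)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed per-tag secret, shared with the back end
    reader = Reader({"TAG1001": key})
    static_tag = StaticIdTag("TAG1001")
    cr_tag = ChallengeResponseTag("TAG1001", key)
    c = reader.new_challenge()
    return {
        "legit_cr_accepted": reader.verify(c, cr_tag.respond(c)),
        "wrong_key_accepted": reader.verify(c, ChallengeResponseTag("TAG1001", b"x").respond(c)),
        "static_replay_accepted": replay_is_accepted(
            static_tag, reader.new_challenge,
            lambda ch, r: static_reader_accepts({"TAG1001"}, ch, r)),
        "cr_replay_accepted": replay_is_accepted(cr_tag, reader.new_challenge, reader.verify),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```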
These are about as secure as my Speedpass fob that I can use to purchase fuel and snacks at Mobil stations. If its stolen, anyone can use it.
Unfortunately, pretending to be someone else may save you some tolls, but eventually someone will figure out who is posing as a different driver. The Bay Area bridge, airport parking lots, and many other places have cameras that photograph both the driver and the license plate of the vehicles that pass. Maybe some good will come out of all this surveillance.....but probably not.
Old wireless toll systems didn't even use encryption, as in the case of old Amtech 2.4GHz systems, which are limited to storing information similar to a typical ISO Track #2 credit card (PAN, and some other info). However, modern systems, such as the CESARE European standard (public information, no revealing secrets here, of course), include modern security (realtime generated derived key negotiation, etc.).
Not yet. But he will be. We are seeing an irresistible force meeting an immovable obstacle. Society is creating a scenario where as technology moves forward the gap between truth, progress, science - and security, stability, state widens. They are not naturally in conflict, but we have chosen to make them so. The law and research are increasingly at odds. Corporations and governments have begun to build presumed ignorance into business and administration models, backing up security through obscurity with sanctions of threats, imprisonment and violence. The way it looks to me over the next 10 years research is not going to stop, and neither is the landgrab for power and easy exploitation. Sooner or later these worlds are going to clash in a big way (many would say they already have as the economy collapses). Basic activities like the teaching and practice of chemistry, physics and computer science are being attacked to maintain a fragile status quo. Yet, economic development is not possible without research and education. It seems society has painted itself into a corner. It cannot progress without science and yet it is so threatened it will not tolerate it amongst its people. It's killing off the nutrients that feed it.
Damn it! Will someone arrest this guy? I've been doing this for years. How can he go out and publicly disclose something like this? This is criminal! How much longer will this trick work? Another month or two? This is going to cost me. CA gas prices are already too high. I pay plenty of taxes on the gas, I really don't want to have to pay this also.
all the streets are free
and the highway's no pay
I've been for a drive
on a self-made freeway
My hacks will do the charm
Cuz I'm in L.A
California Schemin'
on a self-made freeway
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
leaving the new car plates on your car even after you get your real license plates?
The solution to all of the comments that your license plate will still identify you: as you drive around simply start saving and replacing the ID in devices as you pass other drivers. After a week you could replace your own ID with any of the values you swapped around during the week (hundreds? thousands?). Voila! Plausible deniability.
I'd hate to be working for whoever has to sort out the mess in the end, though. That's a lot of work to create for others just to avoid some tolls.
...given that almost all of the toll transponder systems in the US have cameras, and plate recognition is done. I once got a ticket from another state (NY), claiming a plate I had years ago had gone through one of their upstate tollbooths. Also, my father would get notices in the mail from our state's system when he moved the transponder to a vehicle that wasn't registered to use it. So. Useless hack, sensationalist article, film at 11.
Sounds exactly like something out of Cory Doctorow's recent novel, "Little Brother."
"Politicians always tell the truth, when they're calling each other liars."
Transponders are useful for cars without local plates or cars with dirty plates, but otherwise, why bother?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"First time?" We are lucky to get it right the 800th time.
Palm trees and 8
About 10% of the toll road rides are infrequent users who don't have transponders. Colorado decided to terminate the booths and use cameras to mail bills to users. It's cheaper than people.
I wish I could "raise the interesting" like that ... hmmm, the more I look at that sentence the more wrong it gets.
The idea of hacking the FasTrak system (or, more specifically, cloning FasTrak units) for false alibis and other social mayhem was explicitly brought up in Cory Doctorow's Little Brother. I think it is way more interesting in the fiction book, because they rapidly re-cloned random other cars, essentially switching IDs around.
E-Z pass users get the same rate and I-pass users get E-Z pass rates as well. Also a lot of people in WI and IN have I-pass / E-Z pass.
Now E-Z pass is the system to hack as many states use it.
1. How many tolls will be stolen? Too few for anyone in the project to care. They will treat this like "ID theft" and the burden is on you.
2. How many people are going to want or actually *do* anything TFA suggests. It's a number very close to zero.
The same kind of thinking applies to most automated transit toll collecting systems. No one that could do anything about these issues cares or would be foolish enough to waste budget on corner cases like this. It would be a huge political/professional liability if they did.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I wonder if Nate Lawson had read Cory Doctorow's "Little Brother" before his work on the Fastrak transponders?
It just so happens that Doctorow's fictional 'Little Brother' work describes just such an exploit being used on a Bay Area transit card system.
Having said that, Doctorow mentions in his preface that most of the technologies in the work are either current reality or the possibilities of the near future.
Nowadays, it seems it's more about which transit card/xpndr system hasn't been done yet.
Ripping a new rectum in the fabric of spacetime.
I don't know about cloning an E-Z Pass but if you use the E-Z Pass tag on a car that it is not registered to, you get a ticket from them with the offending license plate number. At least this is the case in the NY Metro area. My wife got a ticket when I used her pass while waiting for a replacement for my non-functioning pass. I have had several friends who used to swap the passes between cars start to get tickets for the same reason. Are they scanning all of the license plates and matching them with the E-Z Pass tag or only some? This would seem to make cloning less effective unless you were maybe driving a stolen car/swapped plates since they would know the plate number of the cloned tag.
Sometimes corporate policy limits what one may do with their computer... yeah, I know, I should get back to work.
We mustn't assume that these vehicle transponders' only use is for toll collection. They work anywhere they want to place a transponder reporting unit, and they can even read transponders from other states.
I don't know about California, but many other states use similar transponder units in vehicles. In our state there are readers all over the place. They are used, for example, to track vehicle movements; this information is used here in the Northeast to track unsuspecting criminal suspects and to enforce traffic camera violations, and some police vehicles have a reader in them to track suspects on the move.
And since there is a time stamp and unique serial number, they can be used by the police to get you a speeding ticket.
Example: a reader sees you moved from point A to B too quickly and bingo! Your average speed over that distance is known. They can be used for many purposes beyond toll collection.
Hacked transponder units may throw a monkey wrench into potential criminal investigations, traffic violation support and vehicle road use tracking statistics, and many things not known to the public. For example, if I wanted to clobber only out of state drivers or those who can better pay fines, the police can just read these things, and statistically more out of state drivers or those who travel and use them have more money. What better way to target them for traffic violations and increasing revenue.
In our state you must have good credit to get one of these things, so they know you can pay their big fines, and this is just but one nefarious use by crooked lawmakers.
While it's true that passive RFID devices are notably short on power and computing capacity (and can be vulnerable to tricks like power-consumption analysis and direct physical probing to attack their encryption), the central reason most of these systems are poorly encrypted if at all is...
Cheapness, intellectual laziness, and garden-variety stupidity.
One CAN make these systems much more secure, but it requires cryptographic competence and the determination to do the job right. As Schneier says, crypto is hard to do properly, so it costs time, money, and thought. And the end user can rarely distinguish a secure system from a crappy one, so the economic incentive to do it right is minimal.
Methinks we could use a good set of standards and an accepted certification process for rating the attack-resistance of systems like this. Won't happen, of course...
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
Don't let private companies run these things.
As a Dutchie, I'm completely stunned at the thought that any government will let privately owned companies run the traffic...
Free beer is never free as in speech. Free speech is always free as in beer.
I am in fact disappointed that we as Americans appear never to ever get it right first time! ...
We invented the modern computer and all that goes with it...
Right - Good thing that didn't need any revision after our first implementation.
He's getting rather old, but he's a good mouse.
I wouldn't be worried about people using that system to make false alibis. Most people who have the technical knowledge even for a small hack would be paying someone else to do their dirty work for them anyway.
If you know a hack, DON'T TELL anybody! Fool... Really. What's the point of holding a press conference to point out a way for techies to save money? If you have studied for years for skills to design, program, and build a device that can defeat the automatic removal of money from your bank account, then for goodness' sake, don't tell anybody. Use this knowledge discreetly for the benefit of your family and your people.
Spend the money that you save on your children. Or have some children if you don't have any. Or give it to your favorite charity. Or help someone that you know that is hurting in these bad times. Or put the money that you save under the mattress to support your own bad times that may come in the future.
No one in a giant corporation is going to give you anything for pointing out security flaws that allow people in the tech community to save money. They are going to take the money that you save them and bribe politicians to give them massive tax breaks! Don't you pay attention to the news? All giant corporations are corrupt to their very core. If you find a way to keep them from taking your money, well don't tell them.
There wouldn't be the need for toll roads if the state highway administrations had not been ripping off the funds for the past fifty years. Illinois is the third most corrupt state in the USA (after Rhode Island and Louisiana). Toll highways are only the latest and greatest scam.
Be real. The country is falling apart after forty years of absolute corruption. Take care of yourself and your family first. Then give your money to giant corporations and the super-rich tax-avoiders that control them.
Perhaps this can be used to create privacy clubs, where they all travel on cloned cards and all share the bill. Their movements couldn't be tracked via this system as long as multiple people were using it.
I hope this wasn't posted already... I searched the thread for "Anonymous" and then felt kind of silly.
Those who have read Cory Doctorow's 'Little Brother' would know that this is not at all something that would be a surprise. Though the method may be different, Doctorow did visualise that such misuse of electronic identities would be way too easy. In his book, it was done through arphid cloners, where just brushing the device near a person who had his private data in a magnetic card in his pocket would suck all the info from it, and it could then be transferred to another card. Teens used this to have fun; they went around exchanging people's data, causing chaos, traffic jams, and huge shame to the people who originally introduced the system - the DHS.
Somehow, I get the feeling that Lawson's idea isn't so original.
RutSum.com
When this story first broke a couple of weeks ago, they suggested a far more serious abuse than just taking someone's transponder ID as your own.
It was suggested that the reading and reprogramming could be accomplished so quickly that one could set up an antenna near a busy highway and read IDs from vehicles while assigning them the ID of the previous vehicle.
This would result in a huge shuffling of IDs that would be a bureaucratic nightmare for the state and a huge pain for FastTrac's customers. The state is trying to get as many people as possible to adopt this system, and a major hack like that could possibly reverse their momentum.
That's all that the Boston MTA has done with their stupid suit, and the stupid judge that initially went along with it. Now if you've done research that you feel deserves presentation, the target of your research gets no warning and no time to find a clueless judge. If you don't feel this is an improvement, let that Boston judge know about it.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Unfortunately, a lot of these systems have been based on the premise that end users either didn't have the technology or weren't sufficiently interested in hacking them. Most subway fare collection systems are the same way -- the manufacturer puts in some safeguards by storing data in a different way but it's all eventually hackable.
Security by obscurity only works until you can buy the technology your system is based on at Best Buy. Back in the '80s, when New York established EZPass, your garden variety hacker didn't have access to the proto-RFID technology that those tags are based on.
The bad thing is that once devices like toll passes are issued to drivers, it's expensive and really difficult to do an across the board replacement. If you make the device expensive enough to be field-upgradable, you risk making it too expensive to provide universally. Worse yet, you give hackers all sorts of fun possibilities when you include a flash device.
I guess the only fix is to store very little on the device and do all the processing server-side. This is especially important with stored-value cards like transit passes. The question then becomes how little data you can actually store and make the system work and identify only you.
McDonald's uses that very same system to allow you to pay for your meals in the drive through. Just make sure you clone someone who is insanely rich and you might not ever have to pay for another McDonald's meal again.
Well, eventually you'll pay with your life, but that's a different matter altogether.
I will just use my car cloaking device/ holographic projector to clone the image of the car ahead of me onto my own car. I could use a car I saw yesterday or a pickup I saw three weeks ago. Just plug in the pre-set and I am good. If the cops are chasing me, I just get ahead of them and switch the image and pull over like a concerned motorist. The cops then just drive on past me with their sirens on.
Just need to make sure to switch images while I am under a tree or something if they have an eye in the sky helicopter following the chase.
Tsukasa: All I really want, is to be left alone...
This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill.
Interpretation:
This means that one can steal services electronically, committing a felony punishable by jail time, while at the same time greatly annoying fellow citizens whose id has been stolen.
Even without going all the way to cloning the RFID or transponder apparatus, as long as an invalid code or handshake sequence causes the toll boot to fail you just have to rig a bad copy with a small activation delay to attack a toll boot with a DOS. Go through the toll boot as usual and throw your decoy tag on the roadside and every car going through will fail to activate the receiver. And if you feel particularly devious you just need the device to turn on and off randomly...
Is this guy a fool?
You Hack Big, and tell the public and hold a news conference, so you can get hired to a high paying job in law enforcement, and that's the fact.
If you're real good, a 20 year sentence is over in 2 months and a million dollar starting salary awaits you.
Need an example ?
His name is Kevin.
The transponder doesn't do challenge response, it just spews out an ID number when polled?
Yes, that is the case. This is just like the real world though... The other day I was walking down a street in downtown Philadelphia with a notebook in my hand and I asked everyone I passed, "Hello, what is your social security number?". Each person was more than happy to give me theirs. My little experiment even found a flaw in the SS system. Would you believe that the stupid SS office accidentally gave hundreds of people the number "123456789"? Idiots!
So, you see - there's no security risk to this design whatsoever.
I'm a big tall mofo.
Pardon me, but wouldn't it be a heck of a lot easier just to have a friend drive your car while you're off somewhere else committing a crime? To say nothing of the fact that if you wrote your ID into somebody else's transceiver, you'd be expected to pay all of their tolls -- something most criminals wouldn't be too keen to do.
No, the _real_ fun with this will be when they start using this system to fine speeders. Then you can clone the ID, drive through a toll booth, drive the cloned ID through a toll booth 100 miles away a minute later, then laugh as they fine you for traveling 600mph in your old AMC Gremlin...
I've abandoned my search for truth; now I'm just looking for some useful delusions.
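The back-end checks several posters describe, as an added example that is not code from the thread or from any toll operator: the plate-to-tag audit the Fast Lane and E-Z Pass comments mention, plus the "two plazas far apart within a minute" timing this post jokes about, run over constructed plaza read records. The record layout, plaza distances and speed threshold are assumptions.

```python
"""Added example (not from the thread or any toll operator): flag tag reads
whose OCR plate does not match the registered plate, and tag reads that imply
an impossible speed between plazas. All data and thresholds are constructed."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed registration table: tag ID -> plate the account was opened with.
REGISTERED_PLATE: Dict[str, str] = {"TAG1001": "5ABC123", "TAG2002": "7XYZ789"}

# Constructed road distances in miles between plaza pairs (assumed, not real).
PLAZA_MILES: Dict[Tuple[str, str], float] = {
    ("BAY", "SANMATEO"): 20.0,
    ("BAY", "CARQUINEZ"): 30.0,
    ("SANMATEO", "CARQUINEZ"): 50.0,
}
MAX_PLAUSIBLE_MPH = 100.0  # assumed threshold for "could a car really have done this"

# Constructed read log: ISO time, plaza, tag read, OCR plate ("" = unreadable).
SAMPLE_READS = """\
2008-08-27T08:00:00,BAY,TAG1001,5ABC123
2008-08-27T08:00:30,SANMATEO,TAG1001,9QRS456
2008-08-27T08:05:00,CARQUINEZ,TAG2002,
2008-08-27T09:00:00,BAY,TAG2002,7XYZ789
"""


def parse_reads(text: str) -> List[dict]:
    """Parse the constructed CSV read log into dicts with a datetime."""
    reads = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, plaza, tag, plate = line.split(",")
        reads.append({"time": datetime.fromisoformat(ts), "plaza": plaza,
                      "tag": tag, "plate": plate})
    return reads


def plaza_distance(a: str, b: str) -> float:
    """Symmetric lookup; an unknown pair yields 0.0, which disables the travel check."""
    if a == b:
        return 0.0
    return PLAZA_MILES.get((a, b), PLAZA_MILES.get((b, a), 0.0))


def find_anomalies(reads: List[dict], registered: Dict[str, str] = REGISTERED_PLATE,
                   max_mph: float = MAX_PLAUSIBLE_MPH) -> List[dict]:
    """Return one record per suspicious read: unknown tag, plate mismatch, or impossible travel."""
    anomalies = []
    by_tag: Dict[str, List[dict]] = {}
    for r in reads:
        by_tag.setdefault(r["tag"], []).append(r)
    for tag, tag_reads in by_tag.items():
        tag_reads.sort(key=lambda r: r["time"])
        expected_plate = registered.get(tag)
        prev = None
        for r in tag_reads:
            if expected_plate is None:
                anomalies.append({"tag": tag, "kind": "UNKNOWN_TAG", "detail": r["plaza"]})
            elif r["plate"] and r["plate"] != expected_plate:
                # An unreadable plate ("") is not evidence of anything, so it is skipped.
                anomalies.append({"tag": tag, "kind": "PLATE_MISMATCH",
                                  "detail": f"read {r['plate']}, registered {expected_plate}"
                                            f" at {r['plaza']}"})
            if prev is not None:
                miles = plaza_distance(prev["plaza"], r["plaza"])
                hours = (r["time"] - prev["time"]).total_seconds() / 3600.0
                if miles > 0 and (hours <= 0 or miles / hours > max_mph):
                    speed = miles / hours if hours > 0 else float("inf")
                    anomalies.append({"tag": tag, "kind": "IMPOSSIBLE_TRAVEL",
                                      "detail": f"{prev['plaza']}->{r['plaza']} implies "
                                                f"{speed:.0f} mph"})
            prev = r
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(parse_reads(SAMPLE_READS)):
        print(a["tag"], a["kind"], a["detail"])
```

On the constructed log the second TAG1001 read is flagged twice: its plate differs from the registered one, and 20 miles in 30 seconds is far beyond any plausible speed.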
Aren't all alibis, by default, false? Only a guilty person needs an alibi. Innocent people never need one.
Seems like toll roads are just a waste of time, resources, and money. I hope more people continue to hack these systems and it becomes such a pain in the ass to keep them running that they start shutting them down and the companies that lobby the local governments go out of business. They could accomplish the same infrastructure with a gas tax and it would be less intrusive and more effective. Nobody wants more taxes, but it is really the best way to pay for these projects.
With dirty plates and a stolen transponder code from a look-alike car, you now have a way not just to skip paying but to stiff an innocent victim.
With dirty/unreadable plates, the camera can alert the cop down the road to be on the lookout for you and ticket you for having unreadable plates.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Shhhh!
If you're looking for more technical details on the attack, slides, etc., they can be found on his blog.
Yeah, everyone knows rfid is hackable.
Don't worry, they are working on rfid paint and even a way to attach it to your DNA. Pretty creepy stuff if you think of the implications.
As long as people are stupid enough to buy into the "toll roads will help ease traffic" BS, crap like this is gonna come up. Instead of making laws that force states to spend highway funds on highways we end up selling them to privately
Our toll roads are backed up by pictures of your car & license number.
And they do audits-- if the wrong car has the tag, you get a $5 ticket. And that's without the real person complaining you are ripping them off.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Did anyone notice this little tidbit in TFA:
In other words, no need for any fancy high-tech clone. Just swap plates with a valid user and drive on through. How long would it take you to notice someone had swapped plates on your vehicle?
They now have these cameras that apparently time you going from A to B. That could be fun with cloned licenses - especially if you yourself are somewhere with a good alibi..
The likelihood of this happening already must be high given that plate cloning is rife since they put this congestion charge in London..
We mustn't assume that these vehicle transponders' only use is for toll collection. They work anywhere they want to place a transponder reporting unit, and they can even read transponders from other states.
But it won't do you any good to not have one, at least if you have a new car.
The federal government has mandated remote tire pressure sensor systems in all new cars. These involve a device that replaces the old rubber tire valve stem and has a pressure sensor, multi-year battery, and transmitter inside the wheel. It periodically transmits the tire pressure, along with its unique serial number (so the car's dashboard computer can sort out the tires and ignore those on other cars.)
These transmitters (except maybe the one in the spare, which might be shielded too well) can all be read using a buried coil antenna in the road.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Actually FastTrak sends you an anti-static bag so if you don't want to participate in the driving times between signs and cities, which uses your FastTrak to see how fast you can drive between two points, you can opt out. This is the same as stopping these thieves stealing your ID from your FastTrak when you are not at the toll plazas. The problem is the thieves will all be around the toll plazas in the San Francisco Bay Area trolling for IDs. However there are a lot of CHP units at the toll plazas also so it would be interesting to see what happens.
From TFA:
There is another way, he says. "It's probably in the user's best interest to just leave it at home." This is because FasTrak uses license-plate recognition as a backup.
I don't know about the other FasTrak systems in the state, but the TCA in Orange County will actually penalize you if your vehicle accumulates too many 'pay-by-plates.'
Charles Babbage and Konrad Zuse disagree with you. Please avoid making asinine blanket statements without the facts to back it up in future.
http://en.wikipedia.org/wiki/Computer
Calling someone a "hater" only means you can not rationally rebut their argument.
Bullshit, there's a nice pdf available on wikileaks that details all of their work, gives nice instructions on how to ride for free and all the other stuff they did, and even shows you how to build a warkart!
This is no surprise to me. Hackers have found a way to do just about anything. There are a lot of people already protecting themselves from these types of crimes by installing a gps tracking device in their own vehicle. Obviously, there are other reasons for this too, such as theft protection and recording mileage for tax purposes. However, for the point of this article, an innocent victim can prove their vehicle was nowhere near a toll, contrary to any overwriting of a FastTrack device.
Work smarter, not harder, with gps tracking