Slashdot Mirror
California's Wireless Road Tolls Easily Hackable
An anonymous reader writes "Nate Lawson, a researcher at RootLabs, has found a way to clone the wireless transponders used by the Bay Area FasTrak road toll system. This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill. Lawson also raises the interesting point of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. Luckily, Lawson wasn't sued before he could reveal his research, unlike those pesky MIT students."
I think I read about this in little brother.
You've got it the wrong way around - people won't use this to create alibis before committing a crime, they'll use it to establish evidence of the target being in a certain area at a certain time even though he swears he was elsewhere
At any rate, certain requirements have to be met before something can be introduced as evidence. I'm assuming most things (like this) would, by default, not constitute evidence anyway. Email (at least in this country) needs to be provided along with an audit trail before it's accepted as evidence
I'm a minority race. Save your vitriol for white people.
Between the splash screen redirects and the ads, this article is nearly unreadable. Here's the text for those who don't want to put up with the crap.
----
Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.
Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.
This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."
Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.
So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.
The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."
In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.
But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.
By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.
What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.
"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."
Lawson says that using each stolen ID just once would make it difficult to track
Yep - that was my first thoughts too. Driving with an unreadable license plate, though, is grounds to get you pulled over anyway.
In case you didn't know, most toll booth places have:
Cameras front-mounted to take a picture of YOU or passengers...
Cameras in the back to take a picture of your plate...
Occasional cops sitting at the side of the road that are ready to pull you over.
It's academically interesting (and it should be) but not useful for the criminal. You can always simply drive through a checkpoint without an ez-pass, and most likely nothing will happen for a long time. Is it worth it? Nope.
Slashdotter, ID #101. UIDs are in binary, right?
Old wireless toll systems didn't event use encryption, such as the case of old Amtech 2.4GHz systems, which are limited to store information similar to a typical ISO Track #2 credit card (PAN, and some other info). However, modern system, such as the CESARE european standard (public information, no revealing secrets here, of course), includes modern security (realtime generated derivate key negotiation, etc.).
Any obvious physical means to obscure the license plate would be self-defeating.
Just get some polarizing film and put it over your license plate. Unless the cameras are head-on (which generally they're not) they're going to get a black rectangle where the license plate should be.
A 'clear' film would be much less likely to attract law enforcement attention than some kind of physical change.
I believe this kind of thing is illegal but then again if you're going to be using a cloned transmitter I don't see that breaking another law would cause you to lose any sleep.
I'm guessing that you've never been to Illinois. "Welcome to Illinois! Pay toll."
The only toll roads in the whole state are north of I-80. Of course, you guys up there think Illinois' southern border is I-80 anyway.
Uncyclopedia has a good article about our great state.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Not only reasonable, sometimes it's the law. Any place where there is a lot of snow will typically have a few people pulled over for not clearing the snow from their bumpers to reveal their plate(s).
For the last time, PIN Number and ATM Machine are redundancies!