Slashdot Mirror

← Back to Stories (view on slashdot.org)

California's Wireless Road Tolls Easily Hackable

Posted by timothy on from the no-sir-I-was-in-seattle-at-the-time dept.

An anonymous reader writes "Nate Lawson, a researcher at RootLabs, has found a way to clone the wireless transponders used by the Bay Area FasTrak road toll system. This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill. Lawson also raises the interesting point of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. Luckily, Lawson wasn't sued before he could reveal his research, unlike those pesky MIT students."

17 of 354 comments (clear)

  1. sounds familiar by gentooligan · · Score: 5, Informative

    I think I read about this in little brother.

    1. Re:sounds familiar by HungryHobo · · Score: 4, Interesting

      I'm waiting for anyone out there who doesn't like these systems to cause a little chaos.

      Imagine grabbing the ID of the mayor as he drives by(pretty damn easy) then it's just a matter of wandering through a carpark programming every tag with a matching code.

  2. Cameras at every toll booth by maynard · · Score: 5, Insightful

    And they can record license plates. I think this hack has little criminal viability. Anyone who used it extensively would be caught in short order. Though authorities might be willing to let the criminal conduct continue on until the criminal passed the felony threshold.

    1. Re:Cameras at every toll booth by neapolitan · · Score: 5, Informative

      Yep - that was my first thoughts too. Driving with an unreadable license plate, though, is grounds to get you pulled over anyway.

      In case you didn't know, most toll booth places have:

          Cameras front-mounted to take a picture of YOU or passengers...

          Cameras in the back to take a picture of your plate...

          Occasional cops sitting at the side of the road that are ready to pull you over.

      It's academically interesting (and it should be) but not useful for the criminal. You can always simply drive through a checkpoint without an ez-pass, and most likely nothing will happen for a long time. Is it worth it? Nope.

      --
      Slashdotter, ID #101. UIDs are in binary, right?
    2. Re:Cameras at every toll booth by cayenne8 · · Score: 4, Funny
      "We have a law against dirty license plates. "

      Well, just rig up some sort of James Bond plate changing mechanism....where you can flip the plate, or just obscure it when going through the booth, then hit the switch, and set it to normal again.

      I've been thinking of something like this for the stupid red light cameras they've been putting in down here in NOLA.

      Back on the ez-pass system. For awhile I was having to cross the bridge across lake pontchartrain, and it was a toll bridge. I just don't like the idea of having a system track my movements, so I just paid cash...no toll tag for me. Sure, it costs a dollar more, but, worth it to me.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Cameras at every toll booth by Chainsaw76 · · Score: 5, Insightful

      "pretty foolproof"
      Your kidding right? There have been many cases of the Red Light Companies moving sensors around to catch people who Hadn't run the red light. And the one time I got a ticket from this system, the plate was unreadable, the Dark 4 door sedan pictured didn't look anything like my white 2 seat convertible, and we (my car and I) were 800 miles away at the time on the time stamp.

      -J

    4. Re:Cameras at every toll booth by cayenne8 · · Score: 4, Interesting
      "I mean, come on - I am against taking pictures of everything all the time, but the red light cameras are one where they are pretty foolproof at only taking pictures of scofflaws who are endangering everyone else. That seems to be a good thing."

      As the other poster said, there have been cases where the private company running these cameras weren't making enough money, and shortened the yellow light, or even rigged the cameras to take pics while light was yellow, but, showing red on the ticket. Studies have shown that in a VERY high percentage of cases, if they extended the length of the yellow light at troublesome intersections, that the number of people running red lights almost dropped to near zero.

      One of my other problems with the system here...was that the cameras aren't only taking pictures of light runners. They have still and full motion cameras...they showed a case of cars sitting there at a red, and a car going around the front one and running the light, all in full motion. That means the cameras are running all the time...I don't like that.

      I'd heard that someone was bringing suit against them in that they are unconstitutional in the state of LA...in that they aren't on every intersection, and the law states something like there has to be equal enforcement on all LA roads,etc.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    5. Re:Cameras at every toll booth by EMeta · · Score: 4, Insightful

      Um, no. Better no one doing it. Running reds isn't like going 10 mph over the speed limit. People die from that. A lot. It really shouldn't be about the income.

    6. Re:Cameras at every toll booth by repvik · · Score: 4, Insightful

      I consider using the state-provided roads as a privilege, not a right, that requires your car to be identifiable by a valid licence plate.
      If the plates are obscured, either by dirt or by purpose, isn't it reasonable to give a ticket to deter this?

    7. Re:Cameras at every toll booth by Bob-taro · · Score: 4, Insightful

      Um, no. Better no one doing it. Running reds isn't like going 10 mph over the speed limit. People die from that. A lot. It really shouldn't be about the income.

      I'd say that depends on how long it's been red. If you mis-time a short yellow and are in the intersection when it turns red, that's not too dangerous. No more than driving 10mph over (which may be why the yellow light seemed so "short"). That's one problem with automatic ticketing systems - they can't put the incident in context very well.

      --
      Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
    8. Re:Cameras at every toll booth by garett_spencley · · Score: 5, Insightful

      "I sort of agree with your sentiment, except that I percieve using a car on the road is a privilege"

      I don't. We paid to put the roads there and everyone should be able to use them however the hell they want so long as they don't harm anyone.

      I prefer to punish people AFTER they have done harm. Not before.

      License plates, laws against drunk driving[1], justifying drug criminalization by claiming that drug use increases rates of crime, placing curfews on public parks etc. is all preemptive and it places a burden on an innocent society. There's no reason not to throw the book at someone who breaks the law but asking society to give up their freedom for the sake of reducing crime statistics is unfair. It costs tax dollars, gives the government a way to profit off of criminal behaviour (traffic fines) and regulation (licenses, vehicle registration etc.) and I don't think it actually does much in the way of achieving it's goal of preventing crime anyway.

      [1] - I realize that's borderline trollish so I'll justify that: killing someone and violating traffic laws is already illegal. Why do we have to make it more illegal? Has all of this money spent - and made - by cracking down on drunk drivers actually reduced the number of dangerous drivers on the road ? What about sober drivers who are just as dangerous as people who are drunk ? In Ontario it's now illegal to drive with ANY ALCOHOL WHAT-SO-EVER in your system. You can not transport any alcohol that has been opened and any alcohol you do transport needs to be out of reach of the driver (ie: in the trunk). During peak holidays such as new years etc. they put up road blocks on every major road and stop every single car to smell the driver's breath. It punishes everyone for the mistakes of a few. It's getting extremely out of hand.

    9. Re:Cameras at every toll booth by garett_spencley · · Score: 4, Insightful

      Ok, to turn this around a bit. Can you tell me exactly which pieces of asphalt/concrete you have paid for?

      As far as I'm concerned, all of it. We have tax on gas sale, income tax, sales tax, taxes on all vehicle purchases (new or used), driver's licenses, license plates, road tolls, traffic fines (which I'm against but we still pay them), parking fees (for publicly owned parking garages and meters etc.). All ways of giving money to the government for things like road upkeep. How they use it very much my business but I haven't personally investigated how my money was put to use.

      Point being We ALL pay for public infrastructure in one way or another so we should all be able to use it to heart's content so long as we don't harm anyone. I don't see why it should be any more complicated than that.

  3. Alibis? by goose-incarnated · · Score: 4, Informative

    You've got it the wrong way around - people won't use this to create alibis before committing a crime, they'll use it to establish evidence of the target being in a certain area at a certain time even though he swears he was elsewhere

    At any rate, certain requirements have to be met before something can be introduced as evidence. I'm assuming most things (like this) would, by default, not constitute evidence anyway. Email (at least in this country) needs to be provided along with an audit trail before it's accepted as evidence

    --
    I'm a minority race. Save your vitriol for white people.
  4. Article Text by dfm3 · · Score: 4, Informative

    Between the splash screen redirects and the ads, this article is nearly unreadable. Here's the text for those who don't want to put up with the crap.

    ----
    Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.

    Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

    This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

    Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

    So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.

    The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."

    In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

    But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.

    By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.

    What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.

    "Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."

    Lawson says that using each stolen ID just once would make it difficult to track

  5. As former toll systems programmer... by faragon · · Score: 4, Informative

    Old wireless toll systems didn't event use encryption, such as the case of old Amtech 2.4GHz systems, which are limited to store information similar to a typical ISO Track #2 credit card (PAN, and some other info). However, modern system, such as the CESARE european standard (public information, no revealing secrets here, of course), includes modern security (realtime generated derivate key negotiation, etc.).

  6. Easily hackable, but a useless hack... by SuperBanana · · Score: 4, Insightful

    ...given that almost all of the toll transponder systems in the US have cameras, and plate recognition is done. I once got a ticket from another state (NY), claiming a plate I had years ago had gone through one of their upstate tollbooths. Also, my father would get notices in the mail from our state's system when he moved the transponder to a vehicle that wasn't registered to use it. So. Useless hack, sensationalist article, film at 11.

    --
    Please help metamoderate.
  7. Anonymous clubs by bugnuts · · Score: 5, Interesting

    Perhaps this can be used to create privacy clubs, where they all travel on cloned cards and all share the bill. Their movements couldn't be tracked via this system as long as multiple people were using it.

    I hope this wasn't posted already... I searched the thread for "Anonymous" and then felt kind of silly.