
California's Wireless Road Tolls Easily Hackable

Posted by timothy
from the no-sir-I-was-in-seattle-at-the-time dept.
An anonymous reader writes "Nate Lawson, a researcher at RootLabs, has found a way to clone the wireless transponders used by the Bay Area FasTrak road toll system. This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill. Lawson also raises the interesting point of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. Luckily, Lawson wasn't sued before he could reveal his research, unlike those pesky MIT students."

  • sounds familiar (Score:5, Informative)

    by gentooligan (936853) on Tuesday August 26, 2008 @10:00AM (#24750783)
    I think I read about this in little brother [craphound.com].
    • Re: (Score:3, Interesting)

      by Z00L00K (682162)

      Hardly surprising for anybody in the business of computers and wireless devices.

      If it's possible to hack - it will be hacked.

      Another way to keep under the radar is to pay cash.

      There are cameras at the toll booths, but they aren't a big problem for anybody with some simple skills.

  • by maynard (3337) <j...maynard...gelinas@@@gmail...com> on Tuesday August 26, 2008 @10:01AM (#24750791) Journal

    And they can record license plates. I think this hack has little criminal viability. Anyone who used it extensively would be caught in short order. Though authorities might be willing to let the criminal conduct continue on until the criminal passed the felony threshold.

    • Re: (Score:2, Interesting)

      by introspekt.i (1233118)
      Unless you dirtied up your license plates so they weren't recognizable by those pesky cameras they use at the toll stations...but hey, I'm from the midwest...wtf are toll booths?
      • by neapolitan (1100101) on Tuesday August 26, 2008 @10:17AM (#24750967)

        Yep - those were my first thoughts too. Driving with an unreadable license plate, though, is grounds to get you pulled over anyway.

        In case you didn't know, most toll booth places have:

            Cameras front-mounted to take a picture of YOU or passengers...

            Cameras in the back to take a picture of your plate...

            Occasional cops sitting at the side of the road that are ready to pull you over.

        It's academically interesting (and it should be) but not useful for the criminal. You can always simply drive through a checkpoint without an ez-pass, and most likely nothing will happen [nbc4.com] for a long time. Is it worth it? Nope.

        • by pla (258480)
          "The system is about to take a sweeping technological turn, doing away with booths, baskets, cash and relying on video cameras to bill drivers."

          How exactly do they plan to do that? Not everyone passing through their state lives there, or near enough to realistically expect them to sign up for EZ-Pass. Personally, I don't have it because, while I live in a state that does use EZ-Pass, I only go through the tolls perhaps twice a year.

          Clearly, the states would much rather switch to all electronic tolls (
          • by Dog-Cow (21281)

            I live in MI. When I go to Toronto, I use the 407. They never have a problem sending me the bill in the mail. There are no booths at all that I've ever seen.

          • Re: (Score:3, Interesting)

            by TooMuchToDo (882796)
            I rode my motorcycle from Chicago to Milford, CT to see a Nine Inch Nails concert at the beginning of this month. I put my IPass (Illinois Tollway toll collection) transponder on the top of all my clothes/laptop/etc in my T-Bag (straps to my cruiser's backrest). Worked like a champ through Indiana (I-Zoom), the Pennsylvania turnpike, as well as on some huge bridge from New Jersey to Connecticut.

            Also, it'd be quite easy to switch to electronic tolls altogether. Everyone should get one (a transponder) to ke

            • Re: (Score:3, Informative)

              by ForestGrump (644805)

              On the other side...
              I spent 5 months last year in Illinois (business trip that was extended too many times, but as a contractor either do it or go home and stop getting $$$).

              There is a real need for cash lanes because of the out of towners, and rental car users.

              Driving rental cars you have either:
              1. No i-pass and must stop at every toll booth and throw quarters
              2. is a more expensive car with an i-pass, but then avis decides to charge you administrative fees if you use the i-pass (which results in me throwi

      • by PoliTech (998983)

        ...but hey, I'm from the midwest...wtf are toll booths?

        I'm guessing that you've never been to Illinois. "Welcome to Illinois! Pay toll."

        • Re: (Score:3, Funny)

          by kg9ov (611270)
          Ohhh.... you must mean the great state of Chicago...
        • by sm62704 (957197) on Tuesday August 26, 2008 @11:18AM (#24751685) Journal

          I'm guessing that you've never been to Illinois. "Welcome to Illinois! Pay toll."

          The only toll roads in the whole state are north of I-80. Of course, you guys up there think Illinois' southern border is I-80 anyway.

          Uncyclopedia has a good article about our great state. [uncyclopedia.org]

          Illinois boasts hundreds of thousands of miles of roadway, almost 1.7% of which are in drivable condition at any given time. The rest are under construction, fuelling the state's economy by adding needed jobs in the road construction industry, and the Illinois Political Patronage Brotherhood of Sign Holders and Shovel Leaners, which depends on constant road construction for its continued existence. To maintain the roads in this condition, state law requires concrete to contain at least 35% white corn meal (cleverly subsidizing the Illinois farmer as well as the road construction industry). It also mandates tar products to be replaced with black licorice in the manufacture of asphalt. During summer months, hapless Illinois home-owners across the state obtain big brushes and squeegees, and can be seen coating their driveways with a new layer of melted black licorice, vainly but valiantly attempting to prevent them (the driveways, not the home-owners) from disintegrating into grey pebbles. This explains the popular saying: "There are two seasons: Blizzard, and Tornado". Also synonymous with "Winter and Construction" in the North.

      • I just drove cross country (from Seattle to D.C.). Illinois, Indiana and Ohio all use toll roads. The Midwest is not uniquely different from anywhere else; toll roads are a state policy, not a way of life.
        • Re: (Score:3, Informative)

          by initdeep (1073290)

          funny, i drive from des moines iowa to raleigh north carolina several times a year, passing through illinois, indiana and ohio, and never once paid a toll.

          all interstate driving too.

          seems like you went the wrong way to me.

      • by erroneus (253617)

        That wouldn't work for long. MOST people generally drive the same areas on a routine basis. And even those people that don't could be flagged for chase. Essentially, once someone has been identified as using a false or copied code, they can take pictures of the vehicle and post it for chase along with the code being used. There are a variety of ways an individual can be flagged and the only way to continue doing it is to change vehicles and codes frequently and that would become a burdensome crime to ma

    • Re: (Score:3, Insightful)

      by Aphoxema (1088507) *

      The only problem is that they probably started this system to cut on costs and cut out human error. I doubt they'll actually put in any protection or change the system, they'll just try to crack down on people that commercialize it like blueboxing and cable descramblers.

    • The real use of this 'hack' is to screw over your pesky neighbors. Especially if you keep doing it.
      • Re: (Score:2, Funny)

        by chaim79 (898507)
        If the chances of getting caught are high enough you can use it in reverse to screw your neighbors, program theirs to be some random person (or find one from a cop car) and let them explain it to the judge. :)
    • leaving the new car plates on your car even after you get your real license plates?

      • by Firethorn (177587)

        Yes. The temporary tags are only good for so long, though that's creating some annoyance here because the state is taking longer to issue plates than what the tags are good for.

    • by omeomi (675045)
      I think I remember reading somewhere that they take pictures of everybody's license plate, but only save the ones of toll violators. So, if you don't trigger a violation in the system, your picture wouldn't be saved...maybe...
    • Re: (Score:3, Informative)

      FasTrak is also used to access the Express Lanes on Highway 91 [91expresslanes.com], a 10 mile stretch between Riverside & Orange counties. There are no toll booths, but apparently they have Cameras [91expresslanes.com] to track down violators.

      Average highway speed on that road is easily 75mph+ on highway 91, so I bet the cameras are higher-speed than the regular cameras used on the Bay Bridge toll booth.

    • Re: (Score:3, Interesting)

      by rayzat (733303)
      My buddy had his truck stolen with EZ-Pass (automatic toll payment system for those non-eastcoasters). He filled out the police reports and all the other crap. About a month later he realized the guys who stole his truck were still using his EZ-Pass driving around Jersey and they were going through the same toll booths about the same time everyday. So he staked out the toll booth and at their usual time he saw them zip through the EZ-pass lane in his truck. So he went through himself and called the stat
  • Alibis? (Score:4, Informative)

    by goose-incarnated (1145029) <lelanthran.gmail@com> on Tuesday August 26, 2008 @10:03AM (#24750817) Homepage Journal

    You've got it the wrong way around - people won't use this to create alibis before committing a crime, they'll use it to establish evidence of the target being in a certain area at a certain time even though he swears he was elsewhere

    At any rate, certain requirements have to be met before something can be introduced as evidence. I'm assuming most things (like this) would, by default, not constitute evidence anyway. Email (at least in this country) needs to be provided along with an audit trail before it's accepted as evidence

    • by chebucto (992517)

      Stop, you're both right!

      I would think false alibis are just as likely as framing.

      As for evidence, I seem to remember hearing snippets on Off The Hook about this sort of data being used as evidence in the past.

    • Re: (Score:2, Interesting)

      by Farmer Pete (1350093)
      This won't help with Alibis because no court will accept a time stamp and a transponder id as evidence. Who is to say that you were driving the car, or even that someone didn't take your FastPass and drive through with a different car. To be entered into evidence you would have to take the time/id and review the video records to get a car/face match.

      Even if this worked for an alibi like TFA implied, you could get into trouble real quick if you didn't know the final destination of the car. What? You te
    • by aug24 (38229)

      That could be done by just inserting values in the database. No cloning required.

  • Article Text (Score:5, Informative)

    by dfm3 (830843) on Tuesday August 26, 2008 @10:04AM (#24750825) Journal

    Between the splash screen redirects and the ads, this article is nearly unreadable. Here's the text for those who don't want to put up with the crap.

    ----
    Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.

    Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

    This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

    Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

    So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.

    The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."

    In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

    But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.

    By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.

    What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.

    "Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."

    Lawson says that using each stolen ID just once would make it difficult to track

    • Re: (Score:3, Informative)

      by Bryansix (761547)
      It is worth noting that the FasTrak system is deployed throughout California and not just in the Bay Area. I have four tollways near my home alone that use the system and I live in Southern California. It is a given that if it is a Toll Road and it is in California that it uses FasTrak. The only exception may be toll bridges.
  • cameras / scanners (Score:4, Interesting)

    by j00r0m4nc3r (959816) on Tuesday August 26, 2008 @10:04AM (#24750829)
    I don't know about California, but in New England they have cameras that can match up a vehicle with a FASTLANE transmitter. It would not be very hard to also hook up license plate scanners. This seems like a crime with very little payoff, and huge chance of getting caught.
    • by Lumpy (12016)

      and it's really easy to obscure your plate to side and overhead cameras. A very simple system is a frame with louvers that obscure it from side angles, can be made in anyone's garage with pop cans and is nearly invisible to cops driving behind you.

      • Re: (Score:3, Interesting)

        by halcyon1234 (834388)

        I don't have the newspaper article on hand, but a couple years ago in Toronto, someone was avoiding tolls on the 407 (Ontario's only toll road). They put their license plate on hinges, and attached a piece of string to it that ran through the car to the front. A tug on the string, and the plate flipped up.

        And he would have got away with it if it wasn't for those meddling-- well, Ontario Provincial Police doing a blitz on the highway specifically looking for speeders, dangerous drivers and toll-evaders.

    • Re: (Score:3, Interesting)

      by dfm3 (830843)

      Where I live, it's common for thieves to steal license plates and slap them on their car before committing a crime. It raises far less attention than a car with no plates, and even if bystanders copy down the offending plate number, such information is useless.

      Combine a stolen plate with a stolen ID, and it would be very difficult to track down a one-time offender disregarding something like facial recognition (drive through the tollbooth every day at 8 AM, though, and I'm sure they'd catch on pretty quickl

      • Here in Chicago area, we had someone years back rob a supermarket and kill a woman in the process, fleeing in a vehicle with temp plates. Now, dealers have to give out real plates when they sell a car (some dealers are still in the transition phase, but soon all will be required) and the plates are live as soon as you drive off the lot.
    • Re: (Score:3, Informative)

      by Rastl (955935)

      Any obvious physical means to obscure the license plate would be self-defeating.

      Just get some polarizing film and put it over your license plate. Unless the cameras are head-on (which generally they're not) they're going to get a black rectangle where the license plate should be.

      A 'clear' film would be much less likely to attract law enforcement attention than some kind of physical change.

      I believe this kind of thing is illegal but then again if you're going to be using a cloned transmitter I don't see tha

    • About 10% of the toll road rides are infrequent-users who don't have transponders. Colorado decided to terminate the booths and use cameras to mail bills to users. It's cheaper than people.
    • When this story first broke a couple of weeks ago, they suggested a far more serious abuse than just taking someone's transponder ID as your own.

      It was suggested that the reading and reprogramming could be accomplished so quickly that one could set up an antenna near a busy highway and read IDs from vehicles while assigning them the ID of the previous vehicle.

      This would result in a huge shuffling of IDs that would be a bureaucratic nightmare for the state and a huge pain for FastTrac's customers. The s
  • by Chineseyes (691744) on Tuesday August 26, 2008 @10:08AM (#24750865)
    When I was a teenager (late 90s) there were a few people selling a device about the size of two bricks that could fool ez-pass [ezpass.com] by using another person's id. This is why when you sign up for ez-pass you have to give them the make and model of your car as well as your license plate number. They have two cameras on either side of your car pointing at you and numerous overhead cameras when you pass through so I believe any sort of fraud would be pretty difficult to pull off. I'm sure California has a similar setup and if they don't then they better get working on it.
    • by ckthorp (1255134)
      Ah, but you could use the hack to frame someone for fraud. They would have a hard time clearing their name because computers are "infallible."
  • The transponder doesn't do challenge response, it just spews out an ID number when polled?

    • Nope, it's just an oversized RFID similar to what Walmart puts on their pallets.
    • Embedded devices are rarely designed to be very secure. One of the problems is that often there is not enough space for strong crypto, even a strong cryptographic hash. Things are getting better these days, with smaller transistors and lower power circuitry, but it is still difficult to get really strong crypto in a small RFID transponder like that.
      • by nwf (25607)
        Have you seen those toll tags? I have an EZPass, and it's larger than my iPhone. They could put all sorts of stuff in that thing.
        • Remember that your iPhone has a big, juicy battery in it, that can power more advanced computation. An EZPass tag is powered by the radio waves it receives, and so cannot have the same sort of processor that an iPhone has.
      • While it's true that passive RFID devices are notably short on power and computing capacity (and can be vulnerable to tricks like power-consumption analysis and direct physical probing to attack their encryption), the central reason most of these systems are poorly encrypted if at all is...

        Cheapness, intellectual laziness, and garden-variety stupidity.

        One CAN make these systems much more secure, but it requires cryptographic competence and the determination to do the job right. As Schneier says, crypto is h

  • by binaryspiral (784263) on Tuesday August 26, 2008 @10:11AM (#24750907)

    When you have the ability to send the same data over and over again without any form of authentication or obfuscation - yes, it can be copied and used by anyone else.

    There are ways to prevent this:

    Use a rolling code, like my garage door, key fob, and online banking fob use.

    Use another form of authentication, like color of vehicle, plate number, or something else easily identifiable on the car.

    These are about as secure as my Speedpass fob that I can use to purchase fuel and snacks at Mobil stations. If it's stolen, anyone can use it.
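
The replay problem raised in the comment above, and in the earlier question about whether the transponder does challenge-response, shown as an added example (not code from the thread, the article, or any toll vendor). It compares a static-ID tag with a rolling-code tag and a challenge-response tag against a reader that receives the same captured reply twice. All class names, `TAG-0001` and the key are constructed; it assumes the tag can compute an HMAC and the operator holds a per-tag key.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: this tag ID and key are made up for the example.
TAG_ID = "TAG-0001"
TAG_KEY = secrets.token_bytes(16)

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields so boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.hexdigest()

class StaticTag:
    """Answers every poll with the same ID (the behaviour the thread describes)."""
    def __init__(self, tag_id):
        self.tag_id = tag_id

    def respond(self, challenge):
        return {"id": self.tag_id}

class RollingCodeTag:
    """Sends an incrementing counter authenticated with a per-tag key."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key, self.counter = tag_id, key, 0

    def respond(self, challenge):
        self.counter += 1
        ctr = self.counter.to_bytes(8, "big")
        return {"id": self.tag_id, "counter": self.counter,
                "mac": mac(self.key, b"roll", self.tag_id.encode(), ctr)}

class ChallengeResponseTag:
    """Authenticates the reader's fresh nonce with a per-tag key."""
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key

    def respond(self, challenge):
        return {"id": self.tag_id,
                "mac": mac(self.key, b"chal", self.tag_id.encode(), challenge)}

class Reader:
    """Toll-side verifier holding each tag's key and last accepted counter."""
    def __init__(self, keys):
        self.keys, self.last_counter = keys, {}

    def accept_static(self, resp):
        return resp.get("id") in self.keys  # nothing proves who sent it

    def accept_rolling(self, resp):
        key, ctr = self.keys.get(resp.get("id")), resp.get("counter")
        if key is None or not isinstance(ctr, int):
            return False
        if not 0 < ctr < 2**64 or ctr <= self.last_counter.get(resp["id"], 0):
            return False  # stale or out-of-range counter: replay rejected
        want = mac(key, b"roll", resp["id"].encode(), ctr.to_bytes(8, "big"))
        if not hmac.compare_digest(want, str(resp.get("mac", ""))):
            return False
        self.last_counter[resp["id"]] = ctr
        return True

    def accept_challenge(self, challenge, resp):
        key = self.keys.get(resp.get("id"))
        if key is None:
            return False
        want = mac(key, b"chal", resp["id"].encode(), challenge)
        return hmac.compare_digest(want, str(resp.get("mac", "")))

def replay_results():
    """Per scheme: (genuine pass accepted?, replay of that same reply accepted?)."""
    reader, out = Reader({TAG_ID: TAG_KEY}), {}
    seen = StaticTag(TAG_ID).respond(b"")
    out["static"] = (reader.accept_static(seen), reader.accept_static(seen))
    seen = RollingCodeTag(TAG_ID, TAG_KEY).respond(b"")
    out["rolling"] = (reader.accept_rolling(seen), reader.accept_rolling(seen))
    nonce1, nonce2 = secrets.token_bytes(16), secrets.token_bytes(16)
    seen = ChallengeResponseTag(TAG_ID, TAG_KEY).respond(nonce1)
    out["challenge"] = (reader.accept_challenge(nonce1, seen),
                        reader.accept_challenge(nonce2, seen))
    return out
```

A rolling code only rejects counters the reader has already accepted, whereas challenge-response binds each reply to a nonce the reader has just generated.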

  • by faragon (789704) on Tuesday August 26, 2008 @10:17AM (#24750975) Homepage
    Old wireless toll systems didn't even use encryption, such as the case of old Amtech 2.4GHz systems, which are limited to store information similar to a typical ISO Track #2 credit card (PAN [wikipedia.org], and some other info). However, modern systems, such as the CESARE [its-sweden.se] European standard (public information, no revealing secrets here, of course), include modern security (realtime generated derivate key negotiation, etc.).
  • by jollyreaper (513215) on Tuesday August 26, 2008 @10:28AM (#24751099)

    all the streets are free
    and the highway's no pay
    I've been for a drive
    on a self-made freeway

    My hacks will do the charm
    Cuz I'm in L.A
    California Schemin'
    on a self-made freeway

  • by SuperBanana (662181) on Tuesday August 26, 2008 @10:39AM (#24751227)
    ...given that almost all of the toll transponder systems in the US have cameras, and plate recognition is done. I once got a ticket from another state (NY), claiming a plate I had years ago had gone through one of their upstate tollbooths. Also, my father would get notices in the mail from our state's system when he moved the transponder to a vehicle that wasn't registered to use it. So. Useless hack, sensationalist article, film at 11.
  • Roll Eyes (Score:2, Insightful)

    by mpapet (761907)

    1. How many tolls will be stolen? Too few for anyone in the project to care. They will treat this like "ID theft" and the burden is on you.

    2. How many people are going to want or actually *do* anything TFA suggests. It's a number very close to zero.

    The same kind of thinking applies to most automated transit toll collecting systems. No one that could do anything about these issues cares or would be foolish enough to waste budget on corner cases like this. It would be a huge political/professional liabili

  • If you know a hack, DON'T TELL anybody! Fool... Really. What's the point of holding a press conference to point out a way for techies to save money? If you have studied for years for skills to design, program, and build a device that can defeat the automatic removal of money from your bank account, then for goodness' sake, don't tell anybody. Use this knowledge discreetly for the benefit for your family and your people.

    Spend the money that you save on your children. Or have some childr

  • Anonymous clubs (Score:5, Interesting)

    by bugnuts (94678) on Tuesday August 26, 2008 @11:46AM (#24752069) Journal

    Perhaps this can be used to create privacy clubs, where they all travel on cloned cards and all share the bill. Their movements couldn't be tracked via this system as long as multiple people were using it.

    I hope this wasn't posted already... I searched the thread for "Anonymous" and then felt kind of silly.

  • Luckily, Lawson wasn't sued before he could reveal his research

    That's all that the Boston MTA has done with their stupid suit, and the stupid judge that initially went along with it. Now if you've done research that you feel deserves presentation, the target of your research gets no warning and no time to find a clueless judge. If you don't feel this is an improvement, let that Boston judge know about it.

  • Unfortunately, a lot of these systems have been based on the premise that end users either didn't have the technology or weren't sufficiently interested in hacking them. Most subway fare collection systems are the same way -- the manufacturer puts in some safeguards by storing data in a different way but it's all eventually hackable.

    Security by obscurity only works until you can buy the technology your system is based on at Best Buy. Back in the '80s, when New York established EZPass, your garden variety ha

  • McDonald's uses that very same system to allow you to pay for your meals in the drive through. Just make sure you clone someone who is insanely rich and you might not ever have to pay for another McDonald's meal again.

    Well, eventually you'll pay with your life, but that's a different matter altogether.
  • Summary of Article (Score:3, Insightful)

    by lancejjj (924211) on Tuesday August 26, 2008 @12:09PM (#24752393) Homepage

    This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill.

    Interpretation:

    This means that one can steal services electronically, committing a felony punishable by jail time, while at the same time greatly annoying fellow citizens whose id has been stolen.

  • Even without going all the way to cloning the RFID or transponder apparatus, as long as an invalid code or handshake sequence causes the toll booth to fail you just have to rig a bad copy with a small activation delay to attack a toll booth with a DOS. Go through the toll booth as usual and throw your decoy tag on the roadside and every car going through will fail to activate the receiver. And if you feel particularly devious you just need the device to turn on and off randomly...
