
California's Wireless Road Tolls Easily Hackable

An anonymous reader writes "Nate Lawson, a researcher at RootLabs, has found a way to clone the wireless transponders used by the Bay Area FasTrak road toll system. This means you can copy the ID of another driver onto your own device and, as a result, travel for free while others foot the bill. Lawson also raises the interesting point of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. Luckily, Lawson wasn't sued before he could reveal his research, unlike those pesky MIT students."
  • by introspekt.i ( 1233118 ) on Tuesday August 26, 2008 @10:02AM (#24750813)
    Unless you dirtied up your license plates so they weren't recognizable by those pesky cameras they use at the toll stations...but hey, I'm from the midwest...wtf are toll booths?
  • cameras / scanners (Score:4, Interesting)

    by j00r0m4nc3r ( 959816 ) on Tuesday August 26, 2008 @10:04AM (#24750829)
    I don't know about California, but in New England they have cameras that can match up a vehicle with a FASTLANE transmitter. It would not be very hard to also hook up license plate scanners. This seems like a crime with very little payoff, and huge chance of getting caught.
  • by binaryspiral ( 784263 ) on Tuesday August 26, 2008 @10:11AM (#24750907)

    When you have the ability to send the same data over and over again without any form of authentication or obfuscation - yes, it can be copied and used by anyone else.

    There are ways to prevent this:

    Use a rolling code, like my garage door, key fob, and online banking fob uses.

    Use another form of authentication, like color of vehicle, plate number, or something else easily identifiable on the car.

    These are about as secure as my Speedpass fob that I can use to purchase fuel and snacks at Mobil stations. If it's stolen, anyone can use it.
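The contrast drawn in the comment above, between a tag that always sends the same data and one that uses a rolling code, as an added example that is not part of the original post and not the FasTrak protocol or any vendor's scheme. The frame layout, key, tag ID and `WINDOW` value are constructed assumptions; the rolling code is sketched here as a truncated HMAC over a counter.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead of the last accepted counter a reader will look

def tag_frame(key: bytes, tag_id: bytes, counter: int) -> bytes:
    """Tag side: tag_id | counter | truncated HMAC over both (constructed format)."""
    header = tag_id + counter.to_bytes(4, "big")
    return header + hmac.new(key, header, hashlib.sha256).digest()[:8]

class StaticReader:
    """Reader that trusts any transmission carrying a known ID."""
    def __init__(self, known_ids):
        self.known_ids = set(known_ids)
    def accept(self, frame: bytes) -> bool:
        return frame in self.known_ids

class RollingReader:
    """Reader that requires a valid MAC and a counter newer than the last one seen."""
    def __init__(self, keys):
        self.keys = dict(keys)              # tag_id -> per-tag secret
        self.last = {t: -1 for t in keys}   # tag_id -> highest counter accepted
    def accept(self, frame: bytes) -> bool:
        tag_id, counter = frame[:4], int.from_bytes(frame[4:8], "big")
        key = self.keys.get(tag_id)
        if key is None:
            return False
        # A recorded frame carries an old counter, so it fails this freshness check.
        if not (self.last[tag_id] < counter <= self.last[tag_id] + WINDOW):
            return False
        if not hmac.compare_digest(frame, tag_frame(key, tag_id, counter)):
            return False
        self.last[tag_id] = counter
        return True

def demo():
    tag_id, key = b"\x00\x00\x12\x34", b"constructed-demo-key"  # constructed values
    static = StaticReader([tag_id])
    rolling = RollingReader({tag_id: key})
    recorded = tag_frame(key, tag_id, 0)    # one legitimate transmission, later re-sent
    return {
        "static_first": static.accept(tag_id),
        "static_replay": static.accept(tag_id),
        "rolling_first": rolling.accept(recorded),
        "rolling_replay": rolling.accept(recorded),
        "rolling_next": rolling.accept(tag_frame(key, tag_id, 1)),
    }
```

The static reader cannot tell the second transmission from the first, while the rolling reader accepts each counter value once; the per-tag key then becomes the secret that has to be protected on the device.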

  • by halcyon1234 ( 834388 ) <halcyon1234@hotmail.com> on Tuesday August 26, 2008 @10:21AM (#24751021) Journal

    I don't have the newspaper article on hand, but a couple years ago in Toronto, someone was avoiding tolls on the 407 (Ontario's only toll road). They put their license plate on hinges, and attached a piece of string to it that ran through the car to the front. A tug on the string, and the plate flipped up.

    And he would have got away with it if it wasn't for those meddling-- well, Ontario Provincial Police doing a blitz on the highway specifically looking for speeders, dangerous drivers and toll-evaders.

  • Re:Alibis? (Score:2, Interesting)

    by Farmer Pete ( 1350093 ) on Tuesday August 26, 2008 @10:29AM (#24751125)
    This won't help with alibis because no court will accept a time stamp and a transponder ID as evidence. Who is to say that you were driving the car, or even that someone didn't take your FastPass and drive through with a different car. To be entered into evidence you would have to take the time/ID and review the video records to get a car/face match.

    Even if this worked for an alibi like TFA implied, you could get into trouble real quick if you didn't know the final destination of the car. What? You tell the police you went to X? Well the car you gave your ID went to Y. The car also is still driving around town and went through two toll booths while you were in police custody.
  • by dfm3 ( 830843 ) on Tuesday August 26, 2008 @10:31AM (#24751153) Journal

    Where I live, it's common for thieves to steal license plates and slap them on their car before committing a crime. It raises far less attention than a car with no plates, and even if bystanders copy down the offending plate number, such information is useless.

    Combine a stolen plate with a stolen ID, and it would be very difficult to track down a one-time offender disregarding something like facial recognition (drive through the tollbooth every day at 8 AM, though, and I'm sure they'd catch on pretty quickly).

    Another loophole is those temporary 30 day tags you get when you purchase a new car. In many states they are not unique, not trackable (in our state they just have a sharpied 6-digit expiration date in big numbers), easy to fake, and nobody thinks twice about them.

  • by cayenne8 ( 626475 ) on Tuesday August 26, 2008 @10:56AM (#24751427) Homepage Journal
    "I mean, come on - I am against taking pictures of everything all the time, but the red light cameras are one where they are pretty foolproof at only taking pictures of scofflaws who are endangering everyone else. That seems to be a good thing."

    As the other poster said, there have been cases where the private company running these cameras weren't making enough money, and shortened the yellow light, or even rigged the cameras to take pics while light was yellow, but, showing red on the ticket. Studies have shown that in a VERY high percentage of cases, if they extended the length of the yellow light at troublesome intersections, that the number of people running red lights almost dropped to near zero.

    One of my other problems with the system here...was that the cameras aren't only taking pictures of light runners. They have still and full motion cameras...they showed a case of cars sitting there at a red, and a car going around the front one and running the light, all in full motion. That means the cameras are running all the time...I don't like that.

    I'd heard that someone was bringing suit against them in that they are unconstitutional in the state of LA...in that they aren't on every intersection, and the law states something like there has to be equal enforcement on all LA roads, etc.

  • by mshannon78660 ( 1030880 ) on Tuesday August 26, 2008 @11:21AM (#24751725)
    Down here (central Texas, Austin area), they have something called 'video tolling'. Essentially, anyone can go through the TxTag lanes, whether they have a transponder or not. If you have a transponder, you get a discount (I think it's 20%) off the cash rate; if you don't, you pay a premium (again, something like 20-33%) on the toll, plus a handling fee (something like $1 per bill). So yes, they can, in a completely automated fashion, take a picture of your license plate and record in a database exactly when you went through that toll plaza. If you drive on the toll road, you should not expect that anything will restore your anonymity.
  • Simple solution (Score:3, Interesting)

    by FST777 ( 913657 ) <`frans-jan' `at' `van-steenbeek.net'> on Tuesday August 26, 2008 @11:28AM (#24751787) Homepage
    Don't let private companies run these things.

    As a Dutchie, I'm completely stunned at the thought that any government will let privately owned companies run the traffic...
  • by Simonetta ( 207550 ) on Tuesday August 26, 2008 @11:36AM (#24751919)

    If you know a hack, DON'T TELL anybody! Fool... Really. What's the point of holding a press conference to point out a way for techies to save money? If you have studied for years for skills to design, program, and build a device that can defeat the automatic removal of money from your bank account, then for goodness' sake, don't tell anybody. Use this knowledge discreetly for the benefit of your family and your people.

    Spend the money that you save on your children. Or have some children if you don't have any. Or give it to your favorite charity. Or help someone that you know that is hurting in these bad times. Or put the money that you save under the mattress to support your own bad times that may come in the future.

    No one in a giant corporation is going to give you anything for pointing out security flaws that allow people in the tech community to save money. They are going to take the money that you save them and bribe politicians to give them massive tax breaks! Don't you pay attention to the news? All giant corporations are corrupt to their very core. If you find a way to keep them from taking your money, well don't tell them.

    There wouldn't be the need for toll roads if the state highway administrations had not been ripping off the funds for the past fifty years. Illinois is the third most corrupt state in the USA (after Rhode Island and Louisiana). Toll highways are only the latest and greatest scam.

    Be real. The country is falling apart after forty years of absolute corruption. Take care of yourself and your family first. Then give your money to giant corporations and the super-rich tax-avoiders that control them.

  • Anonymous clubs (Score:5, Interesting)

    by bugnuts ( 94678 ) on Tuesday August 26, 2008 @11:46AM (#24752069) Journal

    Perhaps this can be used to create privacy clubs, where they all travel on cloned cards and all share the bill. Their movements couldn't be tracked via this system as long as multiple people were using it.

    I hope this wasn't posted already... I searched the thread for "Anonymous" and then felt kind of silly.

  • by seanonymous ( 964897 ) on Tuesday August 26, 2008 @11:52AM (#24752151)
    When this story first broke a couple of weeks ago, they suggested a far more serious abuse than just taking someone's transponder ID as your own.

    It was suggested that the reading and reprogramming could be accomplished so quickly that one could set up an antenna near a busy highway and read IDs from vehicles while assigning them the ID of the previous vehicle.

    This would result in a huge shuffling of IDs that would be a bureaucratic nightmare for the state and a huge pain for FasTrak's customers. The state is trying to get as many people as possible to adopt this system, and a major hack like that could possibly reverse their momentum.
  • by TooMuchToDo ( 882796 ) on Tuesday August 26, 2008 @12:12PM (#24752433)
    I rode my motorcycle from Chicago to Milford, CT to see a Nine Inch Nails concert at the beginning of this month. I put my IPass (Illinois Tollway toll collection) transponder on the top of all my clothes/laptop/etc in my T-Bag (straps to my cruiser's backrest). Worked like a champ through Indiana (I-Zoom), the Pennsylvania turnpike, as well as on some huge bridge from New Jersey to Connecticut.

    Also, it'd be quite easy to switch to electronic tolls altogether. Everyone should get one (a transponder) to keep the flow of traffic moving (also, think of the cumulative fuel and maintenance saved if no one had to stop for cash tolls). If you go through and your transponder isn't working, they should read the plate and send a bill as Canada does. You'll always miss a few people because of dirty plates, but toll authorities could always strike back by requiring toll registration tied to the RFID tags now placed in all tires.

  • by Brandano ( 1192819 ) on Tuesday August 26, 2008 @12:13PM (#24752439)
    Even without going all the way to cloning the RFID or transponder apparatus, as long as an invalid code or handshake sequence causes the toll booth to fail you just have to rig a bad copy with a small activation delay to attack a toll booth with a DOS. Go through the toll booth as usual and throw your decoy tag on the roadside and every car going through will fail to activate the receiver. And if you feel particularly devious you just need the device to turn on and off randomly...
  • by repvik ( 96666 ) on Tuesday August 26, 2008 @12:15PM (#24752469)

    So you consider the use of licence plates for cars a slippery slope?
    There is a very visible difference between taking a stroll on the sidewalk and controlling a several-ton metal hunk at high speeds.
    I sort of agree with your sentiment, except that I perceive using a car on the road is a privilege, and strolling on the sidewalk a right.

  • Re:sounds familiar (Score:3, Interesting)

    by Z00L00K ( 682162 ) on Tuesday August 26, 2008 @12:28PM (#24752639) Homepage Journal

    Hardly surprising for anybody in the business of computers and wireless devices.

    If it's possible to hack - it will be hacked.

    Another way to keep under the radar is to pay cash.

    There are cameras at the toll booths, but they aren't a big problem for anybody with some simple skills.

  • Re:sounds familiar (Score:5, Interesting)

    by HungryHobo ( 1314109 ) on Tuesday August 26, 2008 @01:14PM (#24753257)

    I'm waiting for anyone out there who doesn't like these systems to cause a little chaos.

    Imagine grabbing the ID of the mayor as he drives by (pretty damn easy) then it's just a matter of wandering through a carpark programming every tag with a matching code.

  • by rayzat ( 733303 ) on Tuesday August 26, 2008 @01:51PM (#24753783)
    My buddy had his truck stolen with EZ-Pass (automatic toll payment system for those non-eastcoasters). He filled out the police reports and all the other crap. About a month later he realized the guys who stole his truck were still using his EZ-Pass driving around Jersey and they were going through the same toll booths about the same time every day. So he staked out the toll booth and at their usual time he saw them zip through the EZ-Pass lane in his truck. So he went through himself and called the state troopers to report he found his stolen truck and it was on the turnpike. The cops were more concerned about whether he was using a hands free headset or not than getting the people who stole his truck. So he eventually followed the people to their house and called the cops again saying he was driving around and spotted his stolen truck, the cops said they would look into it. The next day he found they had done nothing so he drove up with another guy and stole the truck back with his spare key, which is when he learned it's a pain in the ass to get a car declared unstolen.
  • by torkus ( 1133985 ) on Tuesday August 26, 2008 @03:28PM (#24755153)

    You can't opt out of paying for the roads. Therefore no, he shouldn't be banned.

    If he runs someone over because he's drunk and kills them - toss him in an electric chair and be done with it. The next guy will think VERRRRRRY carefully - not about what BAC he's going to blow but if he's actually OK to drive safely. Some people can drive fine (or nearly enough) with a BAC above .10. Others have issues standing up unaided at or below .04. It varies per person. To make matters worse, studies have shown that distracted driving (cell phone - hands free or not, makeup, newspaper, eating, kids) or driving while tired can be AT LEAST as impairing as being drunk.

    Here's a suggestion - make people responsible for the outcome of their actions. Don't criminalize things if no one is being hurt, inconvenienced, or suffering some kind of loss. It seems like a brutal system (let the DUI's go free and kill someone) at first but if we attach REAL penalties that match the ACTUAL loss the dumb people will be weeded out plenty quickly.
