FasTrak toll system exposed, could use a serious dose of security
Ah, Black Hat. How we adore you. Each year there's always one speaker who shows up and completely undermines something that most people assume is rock solid. This year, our pals at Hack-A-Day were in attendance to hear Nate Lawson expose California's FasTrak toll system for the security hole that it is. Essentially, toll transponders that are purchased and slapped onto vehicles offer up exactly no authentication, meaning that anyone with an ill will and an RFID reader could wander through a parking lot and lift all sorts of useful information. Think it can't get worse? The transponders reportedly support "unauthenticated over the air upgrading," which means that each tag could be forced to take on a new ID if the right equipment was present. We don't have to spell out "potential disaster" for you, now do we?

[Image courtesy of Mindfully]

Reader Comments (Page 1 of 1)
Ricardo Sampaio @ Aug 7th 2008 6:59AM
This could make someone's bill a nightmare...
Alessio @ Aug 7th 2008 9:45AM
In Italy we have a similar system called Telepass to pay highways' toll. To prevent that kind of problem you have to declare up to 3 license plates allowed to use your Telepass.
When you drive thru the tollgate a camera shoots you, getting both the license plate and your face.
I used it on an unauthorized car for a couple of weeks and they sent me a letter asking if I'd like to substitute an unused license plate for that one.
They BigBrothers us... :-)
Alessio.
Jack C @ Aug 7th 2008 1:44PM
Blackhat always brings up some vulnerabilities that security experts should take care of. Kaminsky released the details of the DNS flaw, and who knows what else has been exposed there.
As Jeff Moss (founder of DEFCON and Blackhat) wrote in this article http://www.internetevolution.com/author.asp?section_id=554&doc_id=139509&f_src=flffour talking about "the reporter incident" at the DEFCON conference, last year and about the hacker community in general.
DonatoM3 @ Aug 7th 2008 12:42PM
Actually FasTrak asks you to register your license plates too. Luckily I only need to keep mine in my car when I drive out to Vegas or Palm Springs.
Yuriy @ Aug 7th 2008 9:53PM
It's enough to register your plate and forget about the transponder - each time you cross a toll they take your picture and compare it with the database. Ticket free.
YesHone @ Aug 11th 2008 1:03PM
Damn, if someone hijacked your unit, your bill could end up looking like a Sprint bill!
Antwan L. Payne @ Aug 7th 2008 7:00AM
I hope the TxTag or TollTag in Texas isn't this easy to hack...
ronzo @ Aug 7th 2008 7:09AM
I sent TxDOT's auditing department an e-mail through their contact page sending them the link to the article. I doubt I'll get a response, but... hey... worth a shot, I guess.
Bob @ Aug 7th 2008 7:39AM
Just log your miles with a GPS, then if you get a big bill, send it back to them and tell them it's their problem, not yours, and you aren't going to pay it.
Bobs @ Aug 7th 2008 7:47AM
Or you could, you know, put the transponder in the glove compartment when you aren't actually going to use the FasTrak.
Antwan L. Payne @ Aug 7th 2008 7:52AM
But mine is a RFID sticker applied to the windshield, not the older plastic box. If you attempt to remove it, you'll damage the RFID.
kjb434 @ Aug 7th 2008 9:04AM
Yes, I have the Houston toll tag (HCTRA) but can also run all over the state.
It is a small windshield sticker and not that unsightly box, but it's still RFID.
I'll send an email to HCTRA and see if they respond.
jordan @ Aug 7th 2008 7:22PM
@bobs
Yea...except for the fact that it's RFID. Is your glovebox RFID-proofed?
neofolklore @ Aug 7th 2008 7:22AM
Darren Murph, way to FSCKING go reporting about things that other people don't need to know.
GoVegan @ Aug 7th 2008 8:09AM
@neofolklore
Calm down! He is only reporting the news about the Black Hat conf. Which again is only discussing the details that hackers already know about.
If you are using the system and are not happy about the security flaw, contact the company and stop using it.
Bashing the messenger won't help you in any way.
ShadowKain @ Aug 7th 2008 8:14AM
Last time I checked, Black Hat, and the practice of hacking was very worthy of being a "tech" story. Just because you may not be affected by it means nothing to the rest of us :)
MasterCKO @ Aug 7th 2008 1:00PM
Also, one of the main tenets of Black Hat (and tech security in general as I understand it) is that security through obfuscation DOESN'T WORK. So sharing that news and letting everyone know the problem works toward that goal.
Sure, a major part of Black Hat is to share holes that people find in order to exploit them, but there's just as large a part of it that's about sharing holes in important applications SO THAT IT GETS FIXED.
Bob @ Aug 7th 2008 7:37AM
This is about as stupid as big media always reporting on airport and other security holes. It's like saying "Psst... Terrorists (or in this case, hackers)... here's a way to get past our security and screw us over. Yay! We are morons!"
Ghen @ Aug 7th 2008 8:25AM
Do you really believe that reporting on this is a bad thing? If the company knew for a fact that no one would ever report on the problem they would never fix it. Way more cost effective to do nothing! Plus, anyone that would actually DO something would have other means, like oh... going to this conference?
I don't get the crappy logic some people try to use. It's 180° from logical thinking.
Optomist @ Aug 7th 2008 8:45AM
Another way to look at this is the media saying "Hey moron, this is a way the terrorists (or in this case hackers) can screw you. You might want to watch out for it."
Grey Acumen @ Aug 7th 2008 9:02AM
um, yeah, the hackers already knew about it. Who the heck do you think figured out that this could be done? the Amish?
ishism @ Aug 8th 2008 3:15AM
Crazy sh!t is, this is now used in your U.S. Passports. I guess the best way for this to work is if it's implanted in you and is activated by your D.N.A
Ah, the digital future has given us more freedom.
jalex @ Aug 7th 2008 7:52AM
In MA and neighboring states they also take a photo of your license plate as you drive through and check to make sure it matches the tag. In fact, as long as you don't do it frequently, you can drive right through without a tag as long as your plate is on file. This adds some protection for your bill, but of course it doesn't help at all if somebody actually tries to reprogram your transponder (which seems less likely). Of course, you could all protect yourselves the way I have: my transponder has a dead battery.
kjb434 @ Aug 7th 2008 9:07AM
In Houston if you drive through a toll booth without a tag, they take a picture of your license plate. When they do eventually catch you, you get massive fines, your car is impounded, and your license is suspended.
Joe @ Aug 7th 2008 10:03AM
The EZpass in use in most of the northeast is a small box that goes on your windshield, or if you have a fancy car with a metallic deicing windshield, on your license plate frame. They ship them out in anti-static bags, so they don't end up being accidentally scanned while in the mail. In the accompanying instructions they actually tell you to keep the bag and put your tag in it if you want to pay cash and get a receipt so someone can reimburse your trip. Lots of people keep and use the bag as a matter of course, and you see a mad rush to find and mount EZpasses as people approach toll plazas.
It has also been found and admitted that there are EZpass readers out there that have nothing to do with tolls. For instance I read of a program where tags are monitored on the way to the Tappan Zee bridge to see how fast traffic is moving and then provide updates on digital signs. You can also use tags to pay for airport parking, and I've heard of a pilot program for McDonald's drive thru.
So these things are like both credit cards and tracking devices. Kind of scary stuff. But since they just velcro on you have some physical control. Those RFID stickers some other places seem to be using I find really scary because you have no control.
vudean @ Aug 7th 2008 10:17AM
so do you think the EzPass is vulnerable too? I have one here in MD, and I heard when they started them in NJ, they would track what exits you get off and then send you travel info from the local town in the mail... that's annoying.
big brother is watching >:)
Ian @ Aug 7th 2008 4:46PM
KJB, HAHAHAH your car gets impounded and you lose your license for not paying a toll? you do like to spread bullshit don't you?
ShadowKain @ Aug 7th 2008 8:17AM
Well those same "morons" are protecting our borders as best they can. Pssht. They have to report it on the news because how else is the public going to know to expect a 5 hour delay before getting on board or to not bring certain things with them? Seems illogical to you, but there really isn't much else they can do...unnnnless you think they can send notices with your Netflix DVD's :)
Mike Mielke @ Aug 7th 2008 8:18AM
glad i don't own one, also glad i don't pay tolls
bryantchoung @ Aug 7th 2008 10:22AM
- "random picture taking has/will solve this"
1. I routinely take my ezpass to rental cars. I have never received any trouble from "random picture taking"
2. Since the system is so hackable, and any id is easily updateable it would be really easy for someone to update multiple cars with hacked id tags. The attacker could also pick fleet cars since their toll tags will be under less scrutiny. Since the tags can so easily be updated, it would be difficult to prove which one was hacked by a hacker.
-"there should be a switch to turn on/off the transponder"
3. Putting the tag in your glove compartment won't guarantee that the tag won't be read. I recently rented a car that had a special cage that the ezpass was in. If you wanted to use the ezpass, you just slide the box open. If you don't want to use it, you keep the box closed. I'm assuming this will also thwart any attempts from a passerby to read or write to your card.
Suzanne @ Aug 7th 2008 11:09AM
Hey Antwan, hell yes HCTRA and other systems can be hacked this easily. I used to sit about 15 ft from the guy who invented RFIDs - he founded the company who builds most of these systems.
This is my comment from the original blog. Yeah, it's long, but I just thought you all should know this stuff.
"I worked on contract as a technical writer for the company that
created toll tag systems and continues to design and deploy most of
them. I don't want to name names, but this is the company founded by
the inventor of RFIDs. While I agree totally with the many posters
who point out that regulation of toll tag use can easily be done by
the state implementing the system, and by all means should be that
state's responsibility, I also know from firsthand experience how
flawed the toll systems are.
But don't look to the designers to repair these urgent security
problems anytime soon. In the three months I was with the company, I
was in the worst work environment I'd seen since my high school job
at a really bad Arby's. The whole place is riddled with personal
vendettas, quality control disasters, interdepartmental drama, frat
house sexual behavior and unqualified key employees. I met and
befriended some wonderful, dedicated engineers and managers - and
struggled with total clowns who had online degrees in unrelated
fields. When I approached my manager for the raise that I needed to
continue dealing with this crap, his response was "Doesn't your
husband have a really good job?" I later learned I was the second of
three technical writers who literally put my stuff in a box and
walked away from the position.
Yeah. So while I was there one multi-million dollar contract project
was deployed in a foreign country with a 70% failure rate. After I
walked, I ran into a friend who told me that the latest deployment
had a 100% failure rate. Not that no one is aware of the security
problems... but the week I left, the guys who were working on a
simple mechanical solution to reduce the user's vulnerability had to
deal with the hideous workmanship of the lowest Chinese bidder to
which the manufacturing was outsourced by management.
So I'm really, really glad that I live in a state with no toll roads.
Come to think of it, maybe lots of these problems wouldn't exist if
the people who build the tags actually had to live with them every
day..."
Suzanne @ Aug 7th 2008 11:16AM
I just read more of the comments. Yeah, EZPass also has these problems. And yes, these RFID systems are used in all the applications you guys have heard of plus plenty more. They are mainly employed with the best intentions - for instance keeping terrorists from driving out onto airport tarmacs - but how safe do you feel now?
bytewise @ Aug 7th 2008 11:31AM
The FasTrak system also takes a photo of the license plate. Which by the way is not a security precaution for us but a security precaution for them so they can bill you even if your transponder dies. As a side note, they also charge you an extra service fee if they have to bill you this way.
Suzanne @ Aug 7th 2008 5:40PM
Yep. One of the good engineers I worked with was fixing a known firmware failure that caused the user of the toll tag to be waaaayyyy overbilled for their toll road use. Management prioritized a lot of their own CYA policy documentation through my workload ahead of that engineer's docs.
I'm tellin you guys, there is a reason the transponder/reader systems are a problem... and that reason is not the "Big Brother" agencies who are mandating their use. Don't be afraid of some all-powerful entity who you imagine cares where you are. Be afraid of the smart people who can take advantage of the holes left in this technology by the companies who sold it to your well-meaning Department of Transportation officials, who really did just want to make your lives easier.
Adam @ Aug 7th 2008 11:58AM
Anyone read Cory Doctorow's Little Brother? This reminds me of that book a lot. If you haven't read it, read it. It's free!
jcwestbrook @ Aug 7th 2008 12:14PM
Cory Doctorow's new book "Little Brother" (a fiction book for teens) uses this type of flaw as a major plot point! People in the book go around swapping people's information on their "FastPass" to make their behavior look "abnormal" to the Department of Homeland Security who has San Francisco on lock down after a terrorist attack on the Bay Bridge and BART tunnel.
The book should be read by any technogeek!
http://www.amazon.com/Little-Brother-Cory-Doctorow/dp/0765319853/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1218125454&sr=8-1
mastman @ Aug 7th 2008 12:23PM
In NoCal, most if not all of the bridges take pictures of your license plate too. Not saying I like it, but it can be helpful if you forget to get your FasTrak out of the glove box - they just check to make sure the car is listed on an account and hit you for the toll. I keep mine put away all the time when not using it, but don't bother with the Mylar bag they provide. Anyone know if the bag really makes any difference or is the glove box enough to prevent remote (undesired) reading?
mannymix @ Aug 7th 2008 1:04PM
Hm, I figure that sunpass is just as vulnerable in FL, but I use it because I travel a lot and now that we have gotten an upgrade so you can continue driving in the fast lane and use it instead of having to slow down at the toll booth, I really can't live without it.
infoguy! @ Aug 7th 2008 1:28PM
The sensors on the bay bridge are strong enough to read my FasTrak transponder when it's in my glovebox. I don't even mount it on my windshield anymore. At least in my case I would have to put the thing in the static bag to prevent it from being read.
NoAndThen @ Aug 7th 2008 1:29PM
reasons I'll never get one of these damn things. Everyone always tells me I'm paranoid, but eff that, I don't need anyone to "Big Brothers Us" (quote, alessio).
I want nothing to do with people having an open book on my account readable from up to a hundred yards away with the right equipment. OR having someone take my picture whilst traveling.
I'll hike, thank you.
CJ @ Aug 7th 2008 2:26PM
Not exactly a security hole. The toll readers take photos of the cars that go through. The photos are good enough to catch a license plate so that if the transponder fails they can still bill you properly.
So as soon as I see surprises on my bill, I tell Fastrak. They pull up the photos and get a license plate of the blackhat. Welcome to fraud charges Mr. Blackhat!
Suzanne @ Aug 7th 2008 7:07PM
The ESD-protective ("Mylar") bag your tag was shipped in is to keep it from being fried by electrostatic discharge, NOT to keep it from being read during transit to the end user.
In theory, a hacker or terrorist employing a reader operating at high enough power to defeat an ESD bag placed around the tag would also damage the tag... which would defeat the hacker's purpose.
Putting the RFID in your glove box won't keep it from being read. No. It won't. Yes, trying to peel the tag off your windshield will destroy it. I learned that when some jerk stuck a dead prototype Texas tag over the clock in my cubicle.
Thanks bryantchoung: the special cage to "turn off" an RFID is called a radome and they work great - when they are made available to the user.
Thanks also to everyone who points out that the potential for toll tag abuse is minimal. We need to focus on the potential for terrorism at airports and underground railways where RFIDs are used.