Ah yes, the "head in the sand" approach to security. If we don't allow ourselves to see it, then it doesn't exist. Besides, the sales rep said it was secure, what does a pesky researcher know about such things?

Surprised he hasn't contacted Sirit yet. Or has he tried to contact them and been forwarded to their sales and marketing department, who reassured him that his research was incorrect since they have assured their customers that it's completely secure?

Who designs these things? I mean honestly, you have to be fairly well qualified to design an RFID tag. You'd think they'd have learnt that 'security by obscurity' doesn't work, and even if they're relying on obscurity, they should at least make it obscure!

I'd argue that all security is via obscurity, it just depends how obscure. Even the strongest encryption relies on obscurity...

While by no means I am happy with the security gap, the tolls in California always capture the photo of the license plate along with the fasTrak log record on crossing.

The license plate is then OCR'ed and matched to FasTrak ID for billing purposes.

Why did they call their company 'Sirit Technology' - has someone else already grabbed the name 'Shit Technology'?

Fraud on this type of device could be quite interesting. They allow pedestrians right next to the cars going across the bridge, and with a small Yagi antenna, one could re-program all of the devices to say, the Mayor of San Francisco. Now THAT would be a very interesting idea.

Yes, I have one of these things. I've kept it "out of sight" (not stuck to the windscreen) since I've moved it to a new vehicle. Didn't know they were THAT insecure!

I'm sure if there is wide scale fraud, they can OCR to match transponders to plates.

I do not believe they currently do that match for EVERY transaction -- only when the transponder isn't read do they run the plate and either bill fastrak account, or send you a bill for non account holders.

http://www.thetollroads.com/home/common_fastrak.htm#8

The trouble with RFID:

1. Cheap

2. Secure

3. Long range (more than a couple of cm)

Pick two. Obviously FasTrak chose 1 and 3.

on 13.56MHz (RFID)? That would be about 10 meters wide then.

I am sceptical of this, the variant used throughout New England (EZPass) uses number plate verification to cross check the transponder. When I transferred a transponder from one car to the new one without telling them it picked it up after the 2nd time we went through a toll and flashed the orange warning.

I don't know the CA system, are you sure it has no such verification

I bet you were wondering what those tin can like structures were pointing at the front and rear of your car?

"I am sceptical of this, the variant used throughout New England (EZPass) uses number plate verification to cross check the transponder."

I don't think that's a safe assumption - at least in NYS, you are allowed to use your EZ-Pass with any other vehicle of the same type (i.e. use a car tag in another car but not a truck):

"Your Tags can be used in any other vehicle classified as an individually owned or leased vehicle with two axles, a maximum gross weight of 7,000 pounds (vehicle and load) and single rear tires (includes RV’s and pickup trucks with dual rear tires)."

http://www.ezpassny.com/static/downloads/i_guide.pdf

I have used my car's tag with borrowed/rented etc cars and the billing has gone through fine. Perhaps a license plate photo can be accessed in case of dispute or billing failure, but it doesn't appear to require cross-verification in most circumstances.

As always looking for root causes, I point in this case to tenders that do not fully specify functional requirements.

Just why a tender for these transponders was issued without specifying "cannot be hacked" with long list of example hack methods, I do not know, but a little bird suspects that it's because tenders are drawn up by purchasing departments, wherein serious knowledge of IT issues is utterly lacking.

I offer as an example the purchasing agent at my former employer who was a dimwit and a liar in the bargain.

"Call me scruffy" might do better starting a new career in writing tenders for government departments; or at least the IT security sections.

Small yagi? Yep, that's what the CA FasTrak system uses.

There's just one tiny problem, it's a little thing called licence plate cloning. It's apparently very popular here in the UK at the moment, what with us having speed cameras every two feet.

Not a big issue in the states. Caught with stolen tags or plates in a California you can face up to three years in the slammer