Hack ushers in the insatiable toll booth

A widely used device for paying traffic tolls electronically is vulnerable to tampering that could create trouble for those who use it, a researcher said Wednesday. The FasTrak transponder uses radio frequency identification (RFID) technology to communicate with reader devices located at toll booths. Motorists use the devices …

COMMENTS

This topic is closed for new posts.
  1. yeah, right.

    Ostrich security?

    Ah yes, the "head in the sand" approach to security. If we don't allow ourselves to see it, then it doesn't exist. Besides, the sales rep said it was secure, what does a pesky researcher know about such things?

    Surprised he hasn't contacted Sirit yet. Or has he tried to contact them and been forwarded to their sales and marketing department, who reassured him that his research was incorrect since they have assured their customers that it's completely secure?

  2. Ed

    Amazing

    Who designs these things? I mean honestly, you have to be fairly well qualified to design an RFID tag. You'd think they'd have learnt that 'security by obscurity' doesn't work, and even if they're relying on obscurity, they should at least make it obscure!

    I'd argue that all security is via obscurity, it just depends how obscure. Even the strongest encryption relies on obscurity...

  3. Mike Kay

    FasTrak billing process

    While I am by no means happy with the security gap, the tolls in California always capture the photo of the license plate along with the FasTrak log record on crossing.

    The license plate is then OCR'ed and matched to FasTrak ID for billing purposes.

  4. jack horner

    Running out of names?

    Why did they call their company 'Sirit Technology' - has someone else already grabbed the name 'Shit Technology'?

  5. Herby

    With the Golden Gate Bridge tolls going up...

    Fraud on this type of device could be quite interesting. They allow pedestrians right next to the cars going across the bridge, and with a small Yagi antenna, one could re-program all of the devices to say, the Mayor of San Francisco. Now THAT would be a very interesting idea.

    Yes, I have one of these things. I've kept it "out of sight" (not stuck to the windscreen) since I've moved it to a new vehicle. Didn't know they were THAT insecure!

  6. Matt

    Always the license plate?

    I'm sure if there is wide scale fraud, they can OCR to match transponders to plates.

    I do not believe they currently do that match for EVERY transaction -- only when the transponder isn't read do they run the plate and either bill the FasTrak account, or send you a bill for non-account holders.

    http://www.thetollroads.com/home/common_fastrak.htm#8

  7. A
    Stop

    *speechless*

    I know everything's always given to the lowest tender (which in turn almost guarantees the end result will suck), but seriously, sending in the clear?!? On a payment system?!? Are they absolutely insane? Someone should have their head stuck on a spike for this one.

    > The license plate is then OCR'ed and matched to FasTrak ID

    There's just one tiny problem, it's a little thing called licence plate cloning. It's apparently very popular here in the UK at the moment, what with us having speed cameras every two feet.

  8. Bas Scheffers

    The trouble with RFID

    The trouble with RFID:

    1. Cheap

    2. Secure

    3. Long range (more than a couple of cm)

    Pick two. Obviously FasTrak chose 1 and 3.

  9. call me scruffy
    Pirate

    @Bas Scheffers

    I think they chose a different kind of "Cheap", since the transponder is already an independently powered gizmo, range is assured and cost is already a goner. I think they chose "Cheap" as in "This Hi School Kid doesn't charge much".

    (Which is also the level of competence that forgets the code-protection bit.)

    To be fair to them, once the black-hats came into play it was a fair bet that any symmetric keys in the firmware would be discovered, any bespoke crypto function would be analysed and even small asymmetric keys might have been factorised.

    But that doesn't excuse them from making such a piss-poor effort. It would have been trivial for the transponder to broadcast the time and place of its previous authentication as part of the handshake, and that would have raised the bar much higher for an attack.

    I'm now jacking in my lucrative consultancy career to start tendering for government projects. Don't tell anyone but I'll just sell them the Fisher-Price version, in a slightly less sturdy box.

  10. Steve
    Stop

    researcher said Wednesday

    Why did the researcher say Wednesday? What does this have to do with the story?

  11. This post has been deleted by its author

  12. Roger

    But what about number plate verification

    I am sceptical of this, the variant used throughout New England (EZPass) uses number plate verification to cross check the transponder. When I transferred a transponder from one car to the new one without telling them it picked it up after the 2nd time we went through a toll and flashed the orange warning.

    I don't know the CA system, are you sure it has no such verification?

  13. rob

    This is why they photograph the license plates.

    I bet you were wondering what those tin can like structures were pointing at the front and rear of your car?

  14. Throatwobbler Mangrove

    Tedious EZ Pass discussion

    "I am sceptical of this, the variant used throughout New England (EZPass) uses number plate verification to cross check the transponder."

    I don't think that's a safe assumption - at least in NYS, you are allowed to use your EZ-Pass with any other vehicle of the same type (i.e. use a car tag in another car but not a truck):

    "Your Tags can be used in any other vehicle classified as an individually owned or leased vehicle with two axles, a maximum gross weight of 7,000 pounds (vehicle and load) and single rear tires (includes RV’s and pickup trucks with dual rear tires)."

    http://www.ezpassny.com/static/downloads/i_guide.pdf

    I have used my car's tag with borrowed/rented etc cars and the billing has gone through fine. Perhaps a license plate photo can be accessed in case of dispute or billing failure, but it doesn't appear to require cross-verification in most circumstances.

  15. RW

    Government tenders

    As always looking for root causes, I point in this case to tenders that do not fully specify functional requirements.

    Just why a tender for these transponders was issued without specifying "cannot be hacked" with a long list of example hack methods, I do not know, but a little bird suspects that it's because tenders are drawn up by purchasing departments, wherein serious knowledge of IT issues is utterly lacking.

    I offer as an example the purchasing agent at my former employer who was a dimwit and a liar in the bargain.

    "Call me scruffy" might do better starting a new career in writing tenders for government departments; or at least the IT security sections.

  16. Dick

    @ Kevin Blain

    Small yagi? Yep, that's what the CA FasTrak system uses.

  17. kain preacher

    licence plate cloning

    > There's just one tiny problem, it's a little thing called licence plate cloning. It's apparently very popular here in the UK at the moment, what with us having speed cameras every two feet.

    Not a big issue in the states. Caught with stolen tags or plates in California you can face up to three years in the slammer.

  18. John
    Black Helicopters

    "no system is completely secure... I bet you Jim could get in"

    David Lightman (aka Matthew Broderick) - War Games 1983. This inspired me to get interested in computers. Helicopter cos there was one in the film.

  19. jubtastic1
    Happy

    I just read about this in a book...

    'Little Brother' by Cory Doctorow, this exact exploit is used to stick it to the man, also a good book, and free to read at http://www.feedbooks.com/book/2466

    *fires up Xnet*
