Black Hat 2008: FasTrak toll system completely broken

Posted Aug 6th 2008 5:30PM by Eliot Phillips
Filed under: transportation hacks, cons, security hacks

FasTrak is the electronic toll collection system used by the state of California. Motorists can purchase a toll transponder for ~$26 and link the serial number with a debit account to have their tolls deducted automatically. Today at Black Hat in Las Vegas, security researcher [Nate Lawson] presented not just the privacy problems with FasTrak, but why absolutely no transaction from the tag should be trusted.

On the privacy side, FasTrak claims that all the collected data is anonymized and not kept for long (they won't tell you how or how long). The court system still subpoenas the data from time to time, so there must be something of use in there. As AOL taught us, user behavior is incredibly hard to anonymize. In addition to the toll booths, the transponders are also polled at all offramps for the statistical traffic data presented at 511.org.

[Nate] initially purchased a transponder to explore these privacy concerns. The transponder is an RFID device with a receive and transmit antenna, a low powered Texas Instruments MSP430 microcontroller, a long life battery, and a large analog demodulation section. Usually the firmware on the microcontroller can not be read via a JTAG cable, because the manfacturer will burn a fuse to prevent it. This was not the case with the three year old tag he purchased. A more recently purchased tag did have the fuse burned. Flylogic repackaged that silicon so it could be read back; the firmware turned out exactly the same.

The transponders and readers perform no authentication. Someone could wander through a parking lot with an RFID reader and pick up the ID of every tag in the lot. They could then write their own transponder with the stolen IDs. Here's the really bad part: the transponders support unauthenticated over the air upgrading. You can force any transponder to take on a new ID. An attacker could overwrite every tag passing a certain intersection and cause havoc in the toll system. Some have suggested that there are IDs in the system that are unbilled, since they're assigned to administrators; these would be especially attractive to thieves.

How do we fix this system? Here's the problem: the system is defined by California law. An update to the way things are done would take legislative action. [Nate] suggested one possible check that could be implemented to determine if the system was being exploited at this time: When a tag read fails now, the system takes a picture of your license plate so a human can determine what account it belongs to. The system could be updated to randomly take photos of cars that were reading correctly just to make sure the ID belongs to the car pictured.

As for the privacy issues, [Nate] is hoping to develop a timer circuit so you can power up the transponder only during the time you're passing through the toll plaza. In the end though, none of the transactions with these FasTrak transponders can be trusted.

[photo: 24thcentury]

Reader Comments

(Page 1)

1. We have all read 'Little Brother' by Cory Doctorow, right? :-)

Posted at 5:45PM on Aug 6th 2008 by jeremy

2. yeah, but they take a pic of your vehicle (license plate & the driver) when you pass through the fastrak lane. front plates are required in california.

so if you're using a 'stolen' id, they'd probabyl be able to eventually figure out who you are.

Posted at 6:18PM on Aug 6th 2008 by pepe prawn

3. Here in the North-East, our EZ-Pass/FastLane toll booths routinely photograph your plates and run random checks on ALL cars going through (photo of REAR plate). Many tag holders will tell you about the false positives; EZ-Pass will mail you a letter with a fine and a photo of your alleged car if you lend your tag to a friend, your tag is unreadable, license plate obscured, etc.

Posted at 6:41PM on Aug 6th 2008 by PiP

4. here in brazil we use a similar system (it is called "sem parar", something like "nonstop" in english). I think it have the same problems...
Our laws make the use of front plates obligatory, and some cities (like Sao Paulo) have speedtraps with a "plate recognition system", used to issue tickets about speed or registration debits. You just pass near one, the system identifies your license plate, make the ticket and mail the fine to yuor home - no human needed. And it is f###ing reliable...

Question is: they know who you are and where you live. Why the need of a transponder?

Oh, almost forgot: transit authorities here are experimenting a new licensing "add-on": an rfid tag (completely passive, like a smart label) sticked in your windshield. Park in front of a garage, and the officer does not even need to note your plate... they say it can be used to monitor the traffic, by automatically reading all vehicles getting in and out a certain street.

Spooky, huh?

Posted at 7:09PM on Aug 6th 2008 by tramontano

5. Thanks pip, I was wondering about our EZ-pass. I just got mine not to long ago!

Posted at 7:23PM on Aug 6th 2008 by Mike

6. here in TX my brother used to tailgate people (mostly his friends, and in a distance of about 6in) through toll booths and never received a ticket! Apparently the system thought he was in tow or just one long vehicle

Posted at 9:19PM on Aug 6th 2008 by Neolin

7. toll tags here are handed out with anti-static bags. to help secure your tag, get in the habit of bagging it when not driving. kinda hard to snarf a tag when it's shielded.

Posted at 9:36PM on Aug 6th 2008 by sly

8. @7 yeah but wouldnt it be smarter for the manufacturer to simply add a power switch.. or even better, a 'tap to tag' button (would operate for 14 seconds, then shut off again)??

A VERY simple hardware change could cut the vulnerabilities in half. (you are still vulnerable in the toll booth)

Posted at 11:42PM on Aug 6th 2008 by MRE

9. Randomly photographing the vehicle would provide some level of protection but how much? From what I am reading the transponder is assigned to an account or person, not a vehicle. So this leads me to believe that it can travel from one vehicle to another (please correct me if I am mistaken). You would actually need to take a picture of the owner, but then that leaves out anonymity doesn't it. Actually linking it with an account leaves out anonymity in my book. Let's not even go any further with this. I wouldn't trust it based upon the information given here.

Posted at 12:30AM on Aug 7th 2008 by Elvis has risen, uhhthankyaverymuch

10. We have something similar here in Italy (called "TelePass") ... it should be a very similar hardware.
When you go too fast they take a picture of the plates ... and probably also at random times ...
And they have introduced a "average speed check" with cameras shooting your plates every 50Km.
That wuold make it unsafe to hack but probably very open to data stealing or DOS.

Posted at 4:49AM on Aug 7th 2008 by Phenix

11. EZ-pass in MA. The tag is registered to an account, which can have up to three vehicles associated with it. They read your plate and can bill to it if the tag fails to read (happens quite often here in Boston) or, as I found out, if you forget to move the tag back to your vehicle after using it on another! They were able to bill from the photo of the plate.

Though the user agreement provides for all kinds of "violations" - going over the 10 mph speed limit, not calling them if you get a yellow light as you go through the reader, in practice, they seem to ignore them. I've never gone 10 mph through the readers...you'd get rear-ended for sure. My wife says in New Jersey, the tags are read at highway speed (60-70 mph).

I am kinda surprised that the serial number passed to the reader doesn't have some kind of hash on it, so you couldn't just make one up...

Posted at 10:03AM on Aug 7th 2008 by Peter

12. I worked on contract as a technical writer for the company that created toll tag systems and continues to design and deploy most of them. I don't want to name names, but this is the company founded by the inventor of RFIDs. While I agree totally with the many posters who point out that regulation of toll tag use can easily be done by the state implementing the system, and by all means should be that state's responsibility, I also know from firsthand experience how flawed the toll systems are.

But don't look to the designers to repair these urgent security problems anytime soon. In the three months I was with the company, I was in the worst work environment I'd seen since my high school job at a really bad Arby's. The whole place is riddled with personal vendettas, quality control disasters, interdepartmental drama, frat house sexual behavior and unqualified key employees. I met and befriended some wonderful, dedicated engineers and managers - and struggled with total clowns who had online degrees in unrelated fields. When I approached my manager for the raise that I needed to continue dealing with this crap, his response was "Doesn't your husband have a really good job?" I later learned I was the second of three technical writers who literally put my stuff in a box and walked away from the position.

Yeah. So while I was there one multi-million dollar contract project was deployed in a foreign country with a 70% failure rate. After I walked, I ran into a friend who told me that the latest deployment had a 100% failure rate. Not that no one is aware of the security problems... but the week I left, the guys who were working on a simple mechanical solution to reduce the user's vulnerability had to deal with the hideous workmanship of the lowest Chinese bidder to which the manufacturing was outsourced by management.

So I'm really, really glad that I live in a state with no toll roads. Come to think of it, maybe lots of these problems wouldn't exist if the people who build the tags actually had to live with them every day...

Posted at 11:06AM on Aug 7th 2008 by Suzanne Smith

13. here in IL, we have ipass, but it's essentially the same as all the northern state systems, as it works in NY and is going to work in IN too. I still think the best method is that if they can bill by plates, then just bill by the plates for everyone, that would circumnavigate this entire issue. also, be looking for the toll plazas that we all blast through with these systems to start sending out tickets, some of my friends have good radar detectors that pick up the speed cameras, and they're starting to go off when they go through the booths.

Posted at 11:10AM on Aug 7th 2008 by Dylan

14. @9. Here in Florida with our system when you buy a transponder you need to register it with the liscence plates of whatever cars you are going to take it in. That way like #3 said if you lend it to a friend and their plates aren't registered with it there is a possibility of them being fined for it.

Posted at 12:23PM on Aug 7th 2008 by adam

15. Not sure of the security of the tags them selves, but in Dallas, the tolltag lanes are continually videoed and checked for tag accounts to match up with license plates.

Posted at 12:42PM on Aug 7th 2008 by DiddyWolf

16. I live in South Texas where they are building Toll roads as fast as they can. In the article they mentioned about using the Toll tags to track traffic patterns. This is used extensively in Houston. Along the road ways hanging off signs and polls you'll see the antennas to light up the tags to get the id as you pass. We also have a new style tag that has no battery and is powered up only when it's hit with an RF source, so this would stop passive scanning of this style of tag.

Posted at 12:58PM on Aug 7th 2008 by Mike

17. As pointed out, any change would require legislative action, and we know how cumbersome that can be. Well, I bet it would get fast tracked if some hackers messed with the system in a blatant way in order to point attention to the matter. With this info, and suggested hacks, out there I suspect it has crossed the minds of more than one reader. And unlike me, that reader may possess the skills to do it.

Posted at 2:34PM on Aug 7th 2008 by kevin

18. The revamped FasTrak systems (namely the one on the Benicia-Martinez Bridge because it's the only current one) have lanes that can read tags at highway speeds.

Posted at 3:32PM on Aug 7th 2008 by David

19. Here in the country of California we have no temp plates for new cars. So it is not uncommon to see cars with no license plates at all - driving around. As it takes months for the plates to arrive in the mail - if you have a "new" model car, you could presumable drive around for years with no plates. Unlike New England where I bet I'd be pulled over in under 2 minutes for not having license plates.

If you had a cloned FastPass in your silver, brand new, BMW 3 series with no plates - it would be next to impossible to find you. At $265 a month for some commuters - that's MOST of a car payment.

Speed Safely,
- Kris

Posted at 3:33PM on Aug 7th 2008 by Kris

20. @16:

That's like what they use for truckers to determine if they need to pull into the weigh stations.. It's called something like speed-weigh or something to do with weighing at highway speeds.

Posted at 3:47PM on Aug 7th 2008 by Shadyman

Next 20 Comments

Add your comments

Please keep your comments relevant to this blog entry: inappropriate or purely promotional comments may be removed. Email addresses are never displayed, but they are required to confirm your comments. To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br> tags.