

25 August 2008, 8:54am
According to a computer security firm in Oakland, California, USA, drivers using an automated toll system on roads and bridges in California's Bay Area [FasTrak (www.bayareafastrak.org)] could be vulnerable to fraud, despite previous reassurances about the security of the system. A researcher at Root Labs claims that unique identity numbers used to identify FasTrak wireless transponders in cars can be copied or overwritten. So a fraudster could clone transponders by copying the ID of another driver onto his or her own device, and could travel for free while others unknowingly pay the bill. Root Labs’ Nate Lawson claims that cloning the devices is simple and that he already has several clones of his own ID. According to Lawson, this raises the possibility of using the FasTrak system to create false alibis by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed.
Lawson argues that every modern system of this kind needs a public security review to make sure it does not harbour similar problems, following the exposure of flaws in the Mifare Classic chip used by commuters in many cities, including Boston and London. The FasTrak system uses encryption to secure data, and no personal details are stored on the device, only two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier that lets radio receivers at toll points detect cars as they pass.
When Lawson opened a transponder, he found that there was no security protecting the IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read. It was therefore possible to make the transponder transmit its ID simply by imitating a reader's request signal, something that could be done while walking through a parking lot and interrogating the transponders of the cars parked there. Lawson also found that the IDs are stored in rewritable flash memory, refuting manufacturers' claims that the devices are 'read only'. It is thus possible to send messages to the device that overwrite someone's ID, either wiping it or replacing it with another ID.
Lawson says that using each stolen ID just once would make it difficult to track down a fraudster and he is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for the brief period during which they pass a toll point.
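The two weaknesses the article describes, an unauthenticated request/reply exchange and an unauthenticated write, are easy to see in a small model. The code below is an added example written for this page; it is not Root Labs' code and not the real FasTrak protocol. The message names (REQ, WRITE), the transponder class, the plaza positions and the toll-log format are all constructed assumptions. It goes slightly beyond the text in one respect: it also shows the kind of impossible-travel check over toll logs that an operator could use to spot a cloned or overwritten ID, which is why Lawson notes that using each stolen ID only once would make a fraudster hard to track.

```python
"""Toy model of an unauthenticated transponder exchange, plus an impossible-travel
check over constructed toll logs.  Added example for this page; none of the names
or formats below are from FasTrak or Root Labs."""
from dataclasses import dataclass
from datetime import datetime
from itertools import groupby
from typing import List, Optional, Tuple

# --- Part 1: a transponder that answers any request and accepts any rewrite ---

@dataclass
class Transponder:
    """Holds two IDs in rewritable memory, as the article reports, and answers
    every 'REQ' with its toll ID.  There is no reader authentication and no
    secret shared with the reader: this is the weak design the text describes."""
    registration_id: str
    toll_id: str
    powered: bool = True          # stands in for the on/off 'privacy kit' switch

    def handle(self, message: str) -> Optional[str]:
        if not self.powered:
            return None
        cmd, _, arg = message.partition(" ")
        if cmd == "REQ":          # anyone imitating a reader gets the ID back
            return f"ID {self.toll_id}"
        if cmd == "WRITE":        # unauthenticated overwrite of the stored ID
            self.toll_id = arg
            return "OK"
        return None

def harvest_ids(transponders: List[Transponder]) -> List[str]:
    """Walk a parking lot: send REQ to each transponder and collect the replies."""
    ids = []
    for t in transponders:
        reply = t.handle("REQ")
        if reply and reply.startswith("ID "):
            ids.append(reply[3:])
    return ids

def clone(victim_id: str, own: Transponder) -> str:
    """Write a harvested ID into your own device; it now bills the victim."""
    own.handle(f"WRITE {victim_id}")
    return own.toll_id

# --- Part 2: spotting a cloned or overwritten ID in the toll logs ---

MAX_SPEED_KMH = 150.0   # assumption: faster than this between plazas cannot be one car

PLAZA_KM = {            # constructed plaza positions on an arbitrary plane, not real
    "BAY_BRIDGE": (0.0, 0.0),
    "GOLDEN_GATE": (-6.0, 8.0),
    "SAN_MATEO": (15.0, -25.0),
    "CARQUINEZ": (30.0, 35.0),
}

# Constructed log: timestamp,plaza,toll_id.  1A2B3C appears at two plazas 10 km
# apart two minutes later, which is two cars (or a rewritten ID), not one driver.
SAMPLE_LOG = """\
2008-08-25T08:54:00,BAY_BRIDGE,1A2B3C
2008-08-25T08:56:00,GOLDEN_GATE,1A2B3C
2008-08-25T08:10:00,SAN_MATEO,9F8E7D
2008-08-25T12:30:00,CARQUINEZ,9F8E7D
"""

def parse_log(text: str) -> List[Tuple[str, datetime, str]]:
    """Return (toll_id, time, plaza) tuples sorted by ID then time."""
    records = []
    for line in text.strip().splitlines():
        ts, plaza, tid = line.split(",")
        records.append((tid, datetime.fromisoformat(ts), plaza))
    return sorted(records)

def impossible_travel(records, max_speed_kmh: float = MAX_SPEED_KMH):
    """Flag consecutive readings of one ID that would need more than
    max_speed_kmh between plazas: evidence of a cloned ID (two cars) or of a
    transponder whose ID was overwritten with someone else's."""
    hits = []
    for tid, group in groupby(records, key=lambda r: r[0]):
        readings = list(group)
        for (_, t1, p1), (_, t2, p2) in zip(readings, readings[1:]):
            (x1, y1), (x2, y2) = PLAZA_KM[p1], PLAZA_KM[p2]
            km = ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5
            hours = (t2 - t1).total_seconds() / 3600
            if km == 0:
                continue          # same plaza twice: a re-read, not travel
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > max_speed_kmh:
                hits.append((tid, p1, p2, round(kmh, 1)))
    return hits

if __name__ == "__main__":
    victim = Transponder("REG-1", "1A2B3C")
    mine = Transponder("REG-3", "000000")
    print("harvested:", harvest_ids([victim]))
    print("my device now reports:", clone("1A2B3C", mine), mine.handle("REQ"))
    print("suspicious IDs:", impossible_travel(parse_log(SAMPLE_LOG)))
```

The model also shows why the on/off switch Lawson proposes helps: a powered-off transponder returns nothing to a parking-lot REQ, so its ID cannot be harvested outside the moment it passes a toll point. The log check is only a heuristic; a fraudster who, as Lawson says, uses each stolen ID once never produces the second reading it relies on.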
A professor of security engineering at Cambridge University, U.K., Ross Anderson, states that many embedded systems “are totally open to tampering by anyone who can be bothered to spend some time studying them" and adds that competent use of encryption is the “exception rather than the norm.”
Source: original article by Duncan Graham-Rowe, published in MIT Technology Review. Copyright Technology Review 2008.
