Hacking electronic-toll systems

LAS VEGAS--Electronic toll systems like FasTrak and E-ZPass may be convenient for drivers, but they are rife with privacy risks, a security expert said Wednesday at the Black Hat 2008 security conference.

Strangers with the right transponder reader walking through a parking lot can steal the ID number off the transponders that are visible through the windshield, put the data on their devices and pass through bridge and other tolls for free, with the victim paying the bill, according to Nate Lawson, principal of security consultancy Root Labs.

The transponder ID, which lacks encryption, could be wiped and switched with that of a device from a different car used in a crime, such as for alibi purposes, he said.

The e-toll systems also pose a risk in that a driver's movements could be tracked in real time, and e-toll operators have already been served with subpoenas seeking customer information, Lawson said.

Although the ID is not personally identifiable, it can be linked in the back-end database to customer information like name, driver's license, and credit card number, he said.

The FasTrak system, used in the San Francisco Bay Area, has said it will improve the security, but it is difficult to make a system secure after the fact, Lawson said. So, he is designing a FasTrak Privacy Kit that people can use to make their transponders more secure.

Basically, the kit will allow someone to put a "kill switch" on their transponder so the ID can't be read unless the device is turned on with a special button. The system is only vulnerable while it is on.

Or, you could just do what I do, and keep the device in the mylar pouch it comes in when you buy it and that will protect the data.

Click here for full coverage of Black Hat 2008.

In this video Lawson explains why consumers should be wary of using electronic-toll systems:

[Methuss]

DUH! And not only that but they can send you speeding tickets in the mail. All they need is the distance between two toll booths, the time leaving the first and the time arriving at the second and they have all they need to determine how fast you were going. Any 3rd grader can do the math for that. Since they also have the transponder number, they have positive identification of the registered driver too.

[myosh_tino]

To prevent hackers from doing as the article suggests, someone should develop software that will compare the license plate to the one linked to the FasTrak account. If they don't match, notify the account holder and send the driver using the cloned transponder a hefty toll violation notice.

[TV James]

Yeah, that's great... an on/off switch. How much money will they make from people who forget to turn it on? Or how money will they lose from people who "forget" to turn it on?

[ZaphodQB]

So I am guessing Methuss thinks that getting a ticket for breaking the law is bad, but breaking the law is not?

[ZaphodQB]

So I am guessing Methuss thinks that getting a ticket for breaking the law is bad, but breaking the law is not?

[jsjonesnet]

Having one of the SF Bay transponders I can tell you that the photo they take when you pass the toll gate shows them the license plate which they match to the Fastrack account.
My low battery transponder works only 1/2 the time.
They do not fine the Fastrack users when passing the toll gate without the transponders, as long as their plates are registered with them.
This is so as you could have many cars and only one transponder possibly forgetting to take the transponder.
BTW our bridges here have only one toll gate in one direction only.

[morlamweb]

What about the Fast Lane system in Massachusetts? Was that system mentioned in the conference? And how exactly would one track a car with an e-toll tag, anyway? I thought that the tags were read only at the toll gates. To say that someone could be tracked real-time makes me think of something out of the Bourne movies.

[benjaminstraight]

I didn't know this.