Bay Area's FasTrak road tolls easy to hack
numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.
When Lawson opened up a transponder, however, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says. By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick does not have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.
What is more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. “FasTrak is probably not aware of this, which is why I tried to get in touch with them,” he says. It is possible to send messages to the device to overwrite someone’s ID, either wiping it or replacing it with another ID, says Lawson. “Access to a tag number does not provide the ability to access any other information,” says MTC’s Rentschler. “We also believe that significant effort would need to be invested in cloning tags.” He adds, “If any fraudulent toll activity is detected on a customer’s account, the existing toll-enforcement system can be used to identify and track down the perpetrator.”
Lawson says that using each stolen ID just once would make it difficult to track down a fraudster. A better solution, he believes, would be to require toll readers and transponders to carry out some form of secure authentication. This would require changes by MTC, though. As an alternative, Lawson is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for a brief period as they pass a toll. There is another way, he says. “It’s probably in the user’s best interest to just leave it at home.” This is because FasTrak uses license-plate recognition as a backup.
Ross Anderson, a professor of security engineering at Cambridge University, in the United Kingdom, says that “very many embedded systems are totally open to tampering by anyone who can be bothered to spend some time studying them.” Competent use of encryption is the exception rather than the norm, Anderson adds, and the situation is unlikely to change soon. “One industry after another is embracing digital technology, and none of them realize that they need computer security expertise until it’s too late and they get attacked,” he says.
Bruce Schneier, chief security technology officer at BT, based in Mountain View, California, says that it is too easy for companies to get away with lousy computer security. “Honestly, the best way is for the transportation companies to sue the manufacturers,” he says. “Then they’ll think twice about selling shoddy products in the future.”
