BLACK HAT: Highway toll systems flawed

Share this article:
Automatic toll collection systems lack privacy controls and can easily be cracked to steal customer identification numbers, a security researcher warned attendees Wednesday at the Black Hat conference in Las Vegas.

Presenter Nate Lawson, founder of San Francisco-based Root Labs, spent several months studying FasTrak, the RFID-enabled electronic toll collection system used in California.

He purchased a $26 transponder at a local Safeway store and investigated its various features. What he found, he told about 200 audience members, is a system lacking basic security and privacy controls.

“It's a really old system,” he said. “It has no encryption. [The readers] can overwrite the transponder. I think there are a lot of [these] systems where people added wireless before security.”

For instance, a criminally motivated person can troll a parking lot and point a receiver at transponders sitting in a victim's windshield, he said.

Through “cloning,” crooks could steal the IDs, which are unencrypted on the transponder. Then they could sell the stolen credentials to others, who could overwrite their own ID numbers with the stolen numbers - in essence, allowing them free tolls.

In a more perverse scenario, someone could update the transponder of a select person – someone who, say, routinely travels a highway at a certain time – with their own ID number before they commit a crime. The transponder could serve as bogus alibi.

FasTrak has disputed these possibilities. In a television report several weeks ago, a company spokesman said the transponders are read only and do not contain any memory to allow for overwrites.

In addition, the company has told Lawson that the back-end database is encrypted to protect any stored information. But Lawson said it is not necessary to hack into the database when sensitive information can be culled from the transponders themselves, which are unencrypted.

A FasTrak spokesperson could not immediately be reached for comment on Monday.

There also are reasons to worry from a privacy standpoint.

Lawson said the receivers are mounted above toll plazas to read data from customer transponder as they pass by on the highway. But there is no way of knowing how long FasTrak holds on to this data, which is often used to gauge traffic delays.

FasTrak – and other electronic toll collection providers such as EZ-Pass – must build in anonymity, he said. Also, they must reduce the collection of customer data – a random sampling would provide enough information necessary to determine traffic patterns – in addition to limiting distribution and quickly expunging records.

“Everything is done on the server side,” Lawson said. “All they have to do is update their server to change the way they process this information.”

Lawson said he is developing a free privacy kit for consumers, which acts a kill switch. In other words, drivers would be able to activate their transponders when they pass through tolls – and then turn it off immediately after.

Of course, Lawson admitted this would not suit the average commuter as it requires drilling a hole in the transponder to connect the add-on switch.

To truly solve the problem, developers must instill these controls from the start.

“It takes effort to design in privacy, but people don't get to that stage,” he said. “They're just trying to get the functionality to work.”

Audience members said Lawson's revelations will make them more skeptical of paying tolls electronically.

“I've been very concerned for the way they use the data and whether it's secure,” said Rick Farina, a senior wireless security researcher. “Someone clones it and sells it. Then you get a bill for $1,000 on tolls. That's not cool.”

This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization. Your use of this website constitutes acceptance of Haymarket Media's Privacy Policy and Terms & Conditions