By on August 7, 2008

EZPass is even easier when you steal transponder codes

CNet News reports a FasTrak/EZPass exploit from the Black Hat security conference in Las Vegas. Millions of older transponders in use have unencrypted RFID chips, allowing a malicious individual to steal IDs and use those accounts to get free tolls with a "cloned" transponder. Transponders can also be reprogrammed on the fly, wreaking all sorts of havoc down at Billing Central. Also, an "electronic alibi" could be created that would have a miscreant listed in the system as having paid a toll at a particular place and time when they were elsewhere. Newer transponders do have some security to prevent reprogramming, although this was also defeated. The hacker involved suggests inserting a switch to keep the transponder from automatically activating, the less convenient alternative being the bag the unit came in or an aluminum foil wrap.
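The weakness described above (a transponder that answers every reader with the same fixed ID, so anyone who has recorded that ID can present it again) and the kind of handshake the commenters below ask for can be shown side by side in a toy model. This is an added Python illustration, not code from the article, the Black Hat talk, or any toll operator; the tag IDs, the per-tag key, the HMAC-over-nonce protocol and the class names are assumptions made for the demonstration.

```python
"""Toy model: static-ID toll tag versus challenge-response toll tag.

Added illustration only; all IDs, keys and the protocol shape are constructed
for this example and do not describe any real transponder system.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class StaticIdTag:
    """Legacy design: the tag answers every interrogation with its fixed ID."""

    def __init__(self, tag_id: str):
        self.tag_id = tag_id

    def respond(self, challenge: Optional[bytes] = None) -> bytes:
        # The reader's challenge is ignored; the reply never changes.
        return self.tag_id.encode()


class ChallengeResponseTag:
    """Hardened design: the tag proves it holds a per-tag secret key by
    returning an HMAC over the reader's fresh nonce (one symmetric operation,
    no public-key math and no multi-round TLS-style handshake)."""

    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, self.tag_id.encode() + challenge, hashlib.sha256).digest()
        return self.tag_id.encode() + b"|" + mac


class RecordedReply:
    """Models the 'cloned' transponder from the article: a device that can only
    repeat one reply it observed earlier (constructed for the demo)."""

    def __init__(self, captured_reply: bytes):
        self.captured = captured_reply

    def respond(self, challenge: Optional[bytes] = None) -> bytes:
        return self.captured


class TollReader:
    """Roadside reader backed by a (constructed) account table: tag_id -> key,
    where key is None for legacy tags that have nothing to verify."""

    def __init__(self, accounts: Dict[str, Optional[bytes]]):
        self.accounts = accounts

    def interrogate(self, tag) -> Tuple[bool, str]:
        nonce = secrets.token_bytes(16)          # fresh per interrogation
        return self.verify(nonce, tag.respond(nonce))

    def verify(self, nonce: bytes, reply: bytes) -> Tuple[bool, str]:
        tag_id, _, mac = reply.partition(b"|")   # split at the first separator only
        tid = tag_id.decode(errors="replace")
        if tid not in self.accounts:
            return False, tid                    # unknown account: always rejected
        key = self.accounts[tid]
        if key is None:
            return True, tid                     # legacy tag: the bare ID is enough
        expected = hmac.new(key, tag_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected), tid


def demo_static() -> Tuple[bool, bool]:
    """(genuine accepted, recorded reply accepted) for the legacy design."""
    reader = TollReader({"TAG-0001": None})
    genuine = StaticIdTag("TAG-0001")
    ok_genuine, _ = reader.interrogate(genuine)
    observed = genuine.respond(b"any earlier challenge")
    ok_recorded, _ = reader.interrogate(RecordedReply(observed))
    return ok_genuine, ok_recorded               # (True, True): the ID alone is the credential


def demo_challenge_response() -> Tuple[bool, bool]:
    """(genuine accepted, recorded reply accepted) for the hardened design."""
    key = secrets.token_bytes(32)
    reader = TollReader({"TAG-0002": key})
    genuine = ChallengeResponseTag("TAG-0002", key)
    ok_genuine, _ = reader.interrogate(genuine)
    observed = genuine.respond(secrets.token_bytes(16))   # reply seen at an earlier gantry
    ok_recorded, _ = reader.interrogate(RecordedReply(observed))
    return ok_genuine, ok_recorded               # (True, False): stale MAC fails the fresh nonce


def demo_unknown_tag() -> bool:
    """A tag whose ID is not in the account table is rejected either way."""
    reader = TollReader({"TAG-0002": secrets.token_bytes(32)})
    ok, _ = reader.interrogate(StaticIdTag("TAG-9999"))
    return ok                                    # False


if __name__ == "__main__":
    print("static tag    (genuine, recorded):", demo_static())
    print("challenge/resp (genuine, recorded):", demo_challenge_response())
    print("unknown tag accepted:", demo_unknown_tag())
```

The point of the model is the reader's `verify` branch: with a legacy account there is nothing to check beyond the ID, so a recorded reply is indistinguishable from the real tag, whereas the keyed tag has to answer a nonce it has never seen, and a reply recorded at another gantry fails the comparison. The example also keeps the check to a single HMAC so that the timing concern raised in the comments (a car passing the antenna at speed) is addressed without the multi-round handshake that SSL/TLS would need; distributing and protecting per-tag keys is a separate problem the model does not cover.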


17 Comments on “FasTrak/EZ-Pass eToll Transponders Hacked...”


  • Robstar

    I really can’t understand why stuff like this is possible in 2008.

    I’m not an RFID guy, but how hard would it be to use something proven like SSL encrypted communication between sender & receiver?

    In this day and age with fairly good encryption software available, there is no excuse. These agencies who use unencrypted/craptastic software should be financially liable.

    How many times do laptops with personal information have to be lost before someone GETS A CLUE? How many open wireless networks (I’m looking at you TJMAX) have to be compromised for the law to be changed?

    When will I be able to pick a 20 digit pin for my ATM card and/or restrict which ATM’s can be used to pick up cash from?

    Companies should be financially liable for this stuff 10x over.

  • J.on

    It really shouldn’t be that complicated to implement a handshake protocol. Like Robstar, I’m dumbfounded.

  • avatar

    Ummm it is a lot harder to do than you realize.

    Consider that the car can be moving pretty fast and the time of transmission is pretty low. As I recall the engineers have so far used increasing speeds of tag based systems to speed up the lanes, while they could have been adding multistage interrogation.

    Also while these are active RFID tags (i.e. battery powered) they don’t have enough power to do much. SSL is right out (and insane for something like this). SSL handshaking through TLS requires 5 exchanges to get to an encrypted connection.

    That said there are fully encrypted (using decent encryption even) RFID tags, but they are 10-70x more expensive.

    Oh and if one was really bored if one drives slow enough through the toll gate with a good wireless connection, one could do a man in the middle attack to some other site.

  • RichardD

    The obvious solution is not to use RFID at all. Toll roads are an inefficient and dangerous way to raise money.

  • Robstar

    Actually RFID shouldn’t even be needed.

    Here in Illinois if our car goes through without EZ-PASS registering (say, it’s in your other car), your plate gets photoed. Once photoed it is processed through OCR and looked up in an Oracle database. If your OCR’d plate is registered to an account, money is deducted from that account. If not, you get a $20 ticket.

    No need for rfid or even the transponder enclosure, really.

  • quasimondo

    So then all you’d have to do is steal somebody else’s plate for a free ride.

    Laugh not, my sister has been the victim of stolen license plates twice over.

  • Robstar

    1) people can already break your window & steal your transponder. I’d prefer for them to steal the plates as they are cheaper to replace.

    2) people already steal plates here to put on stolen vehicles.

    3) I also think if it was publicly advertised that plates were tracked via EZ-pass/ipass that people might be less likely to steal them.

    I still don’t see a reason for a transponder.

  • avatar

    The reason they don’t use OCR full time is it has clean hit rates of 40-60% (in actual real world conditions). Also in most cases they use OCR to provide a near match, but require at least a brief glance by a human.

    RFID is a pretty sane way to do this, it just needs to be tweaked some, and people may have to go back to driving 25 mph through the gates.

  • quasimondo

    1) people can already break your window & steal your transponder. I’d prefer for them to steal the plates as they are cheaper to replace.

    Getting replacement license plates is a pain in the ass. Police reports, trips to the DMV for a new plate and new registration, lost time to do both. A phone call to EZPass to deactivate the stolen tag and a new one arrives in the mail less than a week later. A tag costs less than trying to get a plate replaced too.

    2) people already steal plates here to put on stolen vehicles.

    So why give them another reason to steal your plate?

    3) I also think if it was publicly advertised that plates were tracked via EZ-pass/ipass that people might be less likely to steal them.

    That doesn’t stop people from stealing EZpass tags, so why would it stop somebody from stealing license plates? Besides, most EZpass tolls don’t have a gate, so even if it does flag a stolen plate, how are they going to be stopped?

  • Corvair

    Keep in mind that the key technology suppliers to these transponder systems are likely to be either the incumbent governor’s best fund raiser, or the brother-in-law of the current party (D or R) chairman. And you wonder why they are hacked so easily?

  • escapenguin

    I’d like to second yasth. OpenSSL is heavier than you’d think. Even if EZ-Pass booths just snagged a public key and matched it to a private key associated with your account it would take significant processing power to match up a fast-moving car, let alone a squadron of them.

    This is a pretty soft target for black hats. Surprised they wasted this much time on such an obvious vulnerability.

  • westhighgoalie

    Am I correct that RFID works like a reflector… The broadcast signal above the toll booth sends out a signal and when a tag goes in the beam its information is kind of “reflected back” at the thingy majiger?

  • mdf

    Robstar: I really can’t understand why stuff like this is possible in 2008.

    This is not my area of expertise, but I would guess the server end — the machinery behind the toll-gates — is unremarkable stuff. Even if it was hyper expensive equipment, operated by super-duper expensive administrators, there is so little of it that it doesn’t even rise above the financial noise.

    The real issue is with the client end. Given possibly millions of customers, the urge to shave every last micro-penny of cost would be great.

    So the bean-counters go to the supplier and say “we’ll take the unsecured $0.01 RFID tags, please”, because the $1.00 secure RFID tags would be millions of dollars more “at the end of the day”.

    My personal view is this kind of thing is a false economy in the long run. EZ-Pass is probably discovering this now.

  • Robstar

    mdf> I don’t think it’s a financial thing.

    We pay for our ipass transponders. If you DON’T have one, you pay double toll usually. So even if it was $100 instead of $20, you’d still make it back in tolls saved.

  • RFortier1796

    So I just went over to that Black Hat site to get at least an idea of what it was. Now, I don’t advocate a police state or thought crime or any of that…but…in this case, couldn’t we make an exception?

    Around here, we have TollTags, but it doesn’t matter. As someone posted above, if you have a plate registered to a Tag, even if you don’t have one and go through the toll, they just send you an “administrative fee” around 50 cents.

  • mdf

    Robstar: We pay for our ipass transponders.

    I guess I should also have noted I am not an EZ-Pass customer. But this business of buying the transponders is variable:

    http://en.wikipedia.org/wiki/EZ-Pass

    (see table near end of article). For the 407 “ETR” (where I am also not a customer):

    http://en.wikipedia.org/wiki/407_ETR

    you rent the road, you rent the transponder, you rent the administrators while you rent the transponder while renting the road, and you probably rent the air you breathe, while perhaps being simply charged for the CO2 you exhale, while you rent the road, renting the transponder, carefully managed by the rented administrators.

    RFortier1796: Now, I don’t advocate a police state or thought crime or any of that…but…in this case, couldn’t we make an exception?

    No.

  • ZoomZoom

    This news story is just going to be more fodder for the bureaucrats, taxers, big-brothers, and pro-big-government types who want to use GPS to figure out where we have been and charge us for road use based on that.

    Or the others who want to inspect all of our odometers and charge us on miles driven, over and above all of the gas taxes we’ve paid.

    We’ll know they’re serious when we begin hearing them make noises about putting GPS on scooters and bicycles, too.

