FasTrak is the electronic toll collection system used by the state of California. Motorists can purchase a toll transponder for ~$26 and link the serial number with a debit account to have their tolls deducted automatically. Today at Black Hat in Las Vegas, security researcher [Nate Lawson] presented not just the privacy problems with FasTrak, but why absolutely no transaction from the tag should be trusted.
On the privacy side, FasTrak claims that all the collected data is anonymized and not kept for long (they won’t tell you how or how long). The court system still subpoenas the data from time to time, so there must be something of use in there. As AOL taught us, user behavior is incredibly hard to anonymize. In addition to the toll booths, the transponders are also polled at all offramps for the statistical traffic data presented at 511.org.
[Nate] initially purchased a transponder to explore these privacy concerns. The transponder is an RFID device with a receive and transmit antenna, a low powered Texas Instruments MSP430 microcontroller, a long life battery, and a large analog demodulation section. Usually the firmware on the microcontroller can not be read via a JTAG cable, because the manfacturer will burn a fuse to prevent it. This was not the case with the three year old tag he purchased. A more recently purchased tag did have the fuse burned. Flylogic repackaged that silicon so it could be read back; the firmware turned out exactly the same.
The transponders and readers perform no authentication. Someone could wander through a parking lot with an RFID reader and pick up the ID of every tag in the lot. They could then write their own transponder with the stolen IDs. Here’s the really bad part: the transponders support unauthenticated over the air upgrading. You can force any transponder to take on a new ID. An attacker could overwrite every tag passing a certain intersection and cause havoc in the toll system. Some have suggested that there are IDs in the system that are unbilled, since they’re assigned to administrators; these would be especially attractive to thieves.
How do we fix this system? Here’s the problem: the system is defined by California law. An update to the way things are done would take legislative action. [Nate] suggested one possible check that could be implemented to determine if the system was being exploited at this time: When a tag read fails now, the system takes a picture of your license plate so a human can determine what account it belongs to. The system could be updated to randomly take photos of cars that were reading correctly just to make sure the ID belongs to the car pictured.
As for the privacy issues, [Nate] is hoping to develop a timer circuit so you can power up the transponder only during the time you’re passing through the toll plaza. In the end though, none of the transactions with these FasTrak transponders can be trusted.