Black Hat 2008: FasTrak Toll System Completely Broken


FasTrak is the electronic toll collection system used by the state of California. Motorists can purchase a toll transponder for ~$26 and link the serial number with a debit account to have their tolls deducted automatically. Today at Black Hat in Las Vegas, security researcher [Nate Lawson] presented not just the privacy problems with FasTrak, but why absolutely no transaction from the tag should be trusted.

On the privacy side, FasTrak claims that all the collected data is anonymized and not kept for long (they won’t tell you how or how long). The court system still subpoenas the data from time to time, so there must be something of use in there. As AOL taught us, user behavior is incredibly hard to anonymize. In addition to the toll booths, the transponders are also polled at all offramps for the statistical traffic data presented at 511.org.

[Nate] initially purchased a transponder to explore these privacy concerns. The transponder is an RFID device with a receive and transmit antenna, a low-power Texas Instruments MSP430 microcontroller, a long-life battery, and a large analog demodulation section. Usually the firmware on the microcontroller cannot be read via a JTAG cable, because the manufacturer burns a fuse to prevent it. This was not the case with the three-year-old tag he purchased. A more recently purchased tag did have the fuse burned. Flylogic repackaged that silicon so it could be read back; the firmware turned out to be exactly the same.

The transponders and readers perform no authentication. Someone could wander through a parking lot with an RFID reader and pick up the ID of every tag in the lot. They could then write their own transponder with the stolen IDs. Here’s the really bad part: the transponders support unauthenticated over the air upgrading. You can force any transponder to take on a new ID. An attacker could overwrite every tag passing a certain intersection and cause havoc in the toll system. Some have suggested that there are IDs in the system that are unbilled, since they’re assigned to administrators; these would be especially attractive to thieves.

How do we fix this system? Here’s the problem: the system is defined by California law. An update to the way things are done would take legislative action. [Nate] suggested one possible check that could be implemented to determine if the system was being exploited at this time: When a tag read fails now, the system takes a picture of your license plate so a human can determine what account it belongs to. The system could be updated to randomly take photos of cars that were reading correctly just to make sure the ID belongs to the car pictured.
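The two problems above, cloned IDs and the random photo audit suggested as a check, can be turned into back-end detection logic without touching the tags or the law that defines them. The following is an added example (not code from the original post or from FasTrak) of the two checks a toll operator could run over its own read log: flag a read whose audit photo shows a plate that is not registered to the tag's account, and flag one tag ID read at two plazas faster than a single vehicle could travel between them. Plaza names, distances, the speed threshold and the read log are all constructed for the example.

```python
"""Audit toll-lane reads for cloned transponder IDs (added example)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Assumed straight-line distances between plazas in miles (constructed values).
PLAZA_DISTANCE_MI = {
    frozenset({"BayBridge", "SanMateo"}): 15,
    frozenset({"BayBridge", "GoldenGate"}): 8,
    frozenset({"SanMateo", "GoldenGate"}): 22,
}
MAX_SPEED_MPH = 100  # faster than this between two plazas cannot be one car (assumption)


@dataclass(frozen=True)
class Read:
    tag_id: str
    plaza: str
    t_min: int              # minutes since midnight
    plate: Optional[str]    # None when the lane took no audit photo


def plate_mismatches(reads, registry):
    """Reads whose photographed plate is not registered to the tag's account.

    This is the random-photo audit from the article: a tag that reads fine
    but sits in a car the account does not know about is a likely clone.
    """
    return [
        r for r in reads
        if r.plate is not None and r.plate not in registry.get(r.tag_id, set())
    ]


def impossible_travel(reads):
    """Pairs of reads of one tag ID that imply a speed above MAX_SPEED_MPH.

    Two physical tags carrying the same ID show up as one ID that is in two
    places at once, or that 'moves' between plazas impossibly fast.
    """
    by_tag = {}
    for r in reads:
        by_tag.setdefault(r.tag_id, []).append(r)
    flagged = []
    for tag, rs in by_tag.items():
        for a, b in combinations(sorted(rs, key=lambda r: r.t_min), 2):
            if a.plaza == b.plaza:
                continue
            dist = PLAZA_DISTANCE_MI[frozenset({a.plaza, b.plaza})]
            dt_h = (b.t_min - a.t_min) / 60
            if dt_h == 0 or dist / dt_h > MAX_SPEED_MPH:
                flagged.append((tag, a, b))
    return flagged


# Constructed account registry: tag ID -> plates registered to that account.
REGISTRY = {"TAG-0001": {"7ABC123"}, "TAG-0002": {"5XYZ789", "6QRS456"}}

# Constructed read log for one morning.
READS = [
    Read("TAG-0001", "BayBridge", 480, "7ABC123"),   # audited, plate matches
    Read("TAG-0001", "SanMateo", 483, None),         # 15 mi in 3 min: a second tag with this ID
    Read("TAG-0002", "GoldenGate", 500, "9CLONE1"),  # audited, plate not on the account
    Read("TAG-0002", "BayBridge", 560, None),        # 8 mi in 60 min: plausible
]


def audit(reads=READS, registry=REGISTRY):
    """Run both checks and return the flagged tag IDs for each."""
    return {
        "plate_mismatch": sorted({r.tag_id for r in plate_mismatches(reads, registry)}),
        "impossible_travel": sorted({tag for tag, _, _ in impossible_travel(reads)}),
    }


if __name__ == "__main__":
    for check, tags in audit().items():
        print(f"{check}: {tags}")
```

Neither check needs the tag to prove anything about itself; both use data the lanes already collect, which is the point of the article's suggestion. The impossible-travel check also catches clones in lanes that took no photo at all.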

As for the privacy issues, [Nate] is hoping to develop a timer circuit so you can power up the transponder only during the time you’re passing through the toll plaza. In the end though, none of the transactions with these FasTrak transponders can be trusted.

[photo: 24thcentury]

35 thoughts on “Black Hat 2008: FasTrak Toll System Completely Broken”

  1. yeah, but they take a pic of your vehicle (license plate & the driver) when you pass through the fastrak lane. front plates are required in california.

    so if you’re using a ‘stolen’ id, they’d probably be able to eventually figure out who you are.

  2. Here in the North-East, our EZ-Pass/FastLane toll booths routinely photograph your plates and run random checks on ALL cars going through (photo of REAR plate). Many tag holders will tell you about the false positives; EZ-Pass will mail you a letter with a fine and a photo of your alleged car if you lend your tag to a friend, your tag is unreadable, license plate obscured, etc.

  3. here in brazil we use a similar system (it is called “sem parar”, something like “nonstop” in english). I think it has the same problems…
    Our laws make the use of front plates obligatory, and some cities (like Sao Paulo) have speedtraps with a “plate recognition system”, used to issue tickets about speed or registration debits. You just pass near one, the system identifies your license plate, makes the ticket and mails the fine to your home – no human needed. And it is f###ing reliable…

    Question is: they know who you are and where you live. Why the need of a transponder?

    Oh, almost forgot: transit authorities here are experimenting with a new licensing “add-on”: an rfid tag (completely passive, like a smart label) stuck in your windshield. Park in front of a garage, and the officer does not even need to note your plate… they say it can be used to monitor the traffic, by automatically reading all vehicles getting in and out of a certain street.

    Spooky, huh?

  4. here in TX my brother used to tailgate people (mostly his friends, and in a distance of about 6in) through toll booths and never received a ticket! Apparently the system thought he was in tow or just one long vehicle

  5. toll tags here are handed out with anti-static bags. to help secure your tag, get in the habit of bagging it when not driving. kinda hard to snarf a tag when it’s shielded.

  6. @7 yeah but wouldn’t it be smarter for the manufacturer to simply add a power switch.. or even better, a ‘tap to tag’ button (would operate for 14 seconds, then shut off again)??

    A VERY simple hardware change could cut the vulnerabilities in half. (you are still vulnerable in the toll booth)

  7. Randomly photographing the vehicle would provide some level of protection but how much? From what I am reading the transponder is assigned to an account or person, not a vehicle. So this leads me to believe that it can travel from one vehicle to another (please correct me if I am mistaken). You would actually need to take a picture of the owner, but then that leaves out anonymity doesn’t it. Actually linking it with an account leaves out anonymity in my book. Let’s not even go any further with this. I wouldn’t trust it based upon the information given here.

  8. @9. Here in Florida with our system when you buy a transponder you need to register it with the license plates of whatever cars you are going to take it in. That way like #3 said if you lend it to a friend and their plates aren’t registered with it there is a possibility of them being fined for it.

  9. We have something similar here in Italy (called “TelePass”) … it should be very similar hardware.
    When you go too fast they take a picture of the plates … and probably also at random times …
    And they have introduced an “average speed check” with cameras shooting your plates every 50Km.
    That would make it unsafe to hack but probably very open to data stealing or DOS.

  10. EZ-pass in MA. The tag is registered to an account, which can have up to three vehicles associated with it. They read your plate and can bill to it if the tag fails to read (happens quite often here in Boston) or, as I found out, if you forget to move the tag back to your vehicle after using it on another! They were able to bill from the photo of the plate.

    Though the user agreement provides for all kinds of “violations” – going over the 10 mph speed limit, not calling them if you get a yellow light as you go through the reader, in practice, they seem to ignore them. I’ve never gone 10 mph through the readers…you’d get rear-ended for sure. My wife says in New Jersey, the tags are read at highway speed (60-70 mph).

    I am kinda surprised that the serial number passed to the reader doesn’t have some kind of hash on it, so you couldn’t just make one up…

  11. Not sure of the security of the tags themselves, but in Dallas, the tolltag lanes are continually videoed and checked for tag accounts to match up with license plates.

  12. I worked on contract as a technical writer for the company that created toll tag systems and continues to design and deploy most of them. I don’t want to name names, but this is the company founded by the inventor of RFIDs. While I agree totally with the many posters who point out that regulation of toll tag use can easily be done by the state implementing the system, and by all means should be that state’s responsibility, I also know from firsthand experience how flawed the toll systems are.

    But don’t look to the designers to repair these urgent security problems anytime soon. In the three months I was with the company, I was in the worst work environment I’d seen since my high school job at a really bad Arby’s. The whole place is riddled with personal vendettas, quality control disasters, interdepartmental drama, frat house sexual behavior and unqualified key employees. I met and befriended some wonderful, dedicated engineers and managers – and struggled with total clowns who had online degrees in unrelated fields. When I approached my manager for the raise that I needed to continue dealing with this crap, his response was “Doesn’t your husband have a really good job?” I later learned I was the second of three technical writers who literally put my stuff in a box and walked away from the position.

    Yeah. So while I was there one multi-million dollar contract project was deployed in a foreign country with a 70% failure rate. After I walked, I ran into a friend who told me that the latest deployment had a 100% failure rate. Not that no one is aware of the security problems… but the week I left, the guys who were working on a simple mechanical solution to reduce the user’s vulnerability had to deal with the hideous workmanship of the lowest Chinese bidder to which the manufacturing was outsourced by management.

    So I’m really, really glad that I live in a state with no toll roads. Come to think of it, maybe lots of these problems wouldn’t exist if the people who build the tags actually had to live with them every day…

  13. here in IL, we have ipass, but it’s essentially the same as all the northern state systems, as it works in NY and is going to work in IN too. I still think the best method is that if they can bill by plates, then just bill by the plates for everyone, that would circumnavigate this entire issue. also, be looking for the toll plazas that we all blast through with these systems to start sending out tickets, some of my friends have good radar detectors that pick up the speed cameras, and they’re starting to go off when they go through the booths.

  14. I live in South Texas where they are building Toll roads as fast as they can. In the article they mentioned about using the Toll tags to track traffic patterns. This is used extensively in Houston. Along the road ways hanging off signs and poles you’ll see the antennas to light up the tags to get the id as you pass. We also have a new style tag that has no battery and is powered up only when it’s hit with an RF source, so this would stop passive scanning of this style of tag.

  15. As pointed out, any change would require legislative action, and we know how cumbersome that can be. Well, I bet it would get fast tracked if some hackers messed with the system in a blatant way in order to point attention to the matter. With this info, and suggested hacks, out there I suspect it has crossed the minds of more than one reader. And unlike me, that reader may possess the skills to do it.

  16. Here in the country of California we have no temp plates for new cars. So it is not uncommon to see cars with no license plates at all – driving around. As it takes months for the plates to arrive in the mail – if you have a “new” model car, you could presumably drive around for years with no plates. Unlike New England where I bet I’d be pulled over in under 2 minutes for not having license plates.

    If you had a cloned FastPass in your silver, brand new, BMW 3 series with no plates – it would be next to impossible to find you. At $265 a month for some commuters – that’s MOST of a car payment.

    Speed Safely,
    – Kris

  17. #7, Don’t count on an anti-static bag to shield your tag from being read- they’re just meant to dissipate static, not block RF.

    Here in Austin, TX, they take a picture of your front and rear plate for every vehicle that passes through the tag lanes and the pay with change lanes, no matter if you have a tag or not. They use a high speed flash which I assume helps prevent a blurry picture of a car going 70+ mph (the speed limit on the toll roads here is 70).

    I guess we’ve gotten to the point where digital storage of the images is cheap enough that they should keep everything. Heck, I think police cars should be fully monitored, in addition to the cameras that make such good fodder for TV clip shows.

  18. @8, a power switch or ‘tap to tag’ button both have the problem that if you forget, (unlike @11 in ma) you get fined :-(

    What I’d like is the option of having fastrak send me an email whenever my tag gets charged a toll. I could then report a spurious use. The ultimate would be: I get the email when I’m at home, report the violation immediately, they get the picture of the perp’s car, and pick him up when gets off the bridge. Would fastrak need legislative action to add something like this?

  19. #22: We already get a monthly statement that shows which transponder was used, when it was used, and the toll lane that it went through. In addition, there’s a website that you can login to to get up to date info on transponder use.

    And a slight correction to the article: You do not purchase the transponder for ~$26. The FasTrak folks give it to you when you sign up and pre-pay your tolls. If you need more than a certain number of transponders (like for a fleet for a delivery company), they do require a deposit in addition to pre-paying the tolls. When your pre-paid FasTrak account dips below a certain threshold, that is when your credit/debit card is accessed to replenish the account.

  20. Here in Portugal we have Via Verde (Green Lane), since 1991 (which was bought from the norwegians, although this is not publicised…), and it has since then expanded into parking lots and pump stations. According to them it follows CEN/TC278 standards, still, I wonder if it’s any safer…

    Electronic license plates are going to become law – they’ll read insurance and safety inspections data and allow toll payments as well, but won’t allow geo location or speed logging.

  21. It’s insane they make a mistake like this, The developers should have looked to how automotive rf key locks work. The problem is there is insufficient time to do a fancy “key” exchange between radios. The (secure) mobile systems work with a deviated rolling code system. For example when you purchase your RFID tag the tag action_counter will be zero. The exact value of the “action counter” is known by both radios, however the incrementing is done via a complex math formula burned in the ROM, if they didn’t make the mistake of not blowing security fuse, or use OTP non-readable devices. The radios will allow a deviance of +/- 10 counts to make sure a remote can handle some false triggering. The number length is about 32-128 bit depending on model. Microchip makes an IC that handles this. Not impossible to crack, but a heck of a lot better than plaintext flash based serial numbers.
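The rolling-code scheme the comment above sketches, as an added example that is not part of the comment, the original post, or any vendor's IC: tag and reader share a secret key and a counter, every transmission carries the tag ID, the current counter and a MAC over both, and the reader accepts a counter only inside a small window above the last value it saw. HMAC-SHA256 stands in for the "complex math formula" the comment mentions; the key, the 8-byte MAC truncation and the window size are constructed choices for the example.

```python
"""Rolling-code style tag authentication with a counter window (added example)."""
import hashlib
import hmac

WINDOW = 10  # counts of drift tolerated, matching the +/- 10 in the comment


def _mac(key, tag_id, counter):
    """MAC over (tag ID, counter); the reader recomputes this from its own copy of the key."""
    return hmac.new(key, f"{tag_id}:{counter}".encode(), hashlib.sha256).digest()[:8]


class Tag:
    """The transponder side: a shared key, a counter that only goes up."""

    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self.key = key
        self.counter = 0  # zero when purchased, as in the comment

    def transmit(self):
        """Produce one over-the-air message (id, counter, mac) and advance the counter."""
        self.counter += 1
        return self.tag_id, self.counter, _mac(self.key, self.tag_id, self.counter)


class Reader:
    """The lane side: keys provisioned out of band, last accepted counter per tag."""

    def __init__(self, keys):
        self.keys = keys        # tag_id -> shared key
        self.last_seen = {}     # tag_id -> highest counter accepted so far

    def accept(self, tag_id, counter, mac):
        key = self.keys.get(tag_id)
        if key is None:
            return False                        # unknown ID
        if not hmac.compare_digest(_mac(key, tag_id, counter), mac):
            return False                        # forged or corrupted message
        last = self.last_seen.get(tag_id, 0)
        if not (last < counter <= last + WINDOW):
            return False                        # replay, or drifted beyond the window
        self.last_seen[tag_id] = counter
        return True


def demo():
    """Walk one tag through the cases that matter; returns the accept() results in order."""
    key = b"constructed-shared-key"             # constructed value
    tag = Tag("TAG-0001", key)
    reader = Reader({"TAG-0001": key})

    first = tag.transmit()
    genuine = reader.accept(*first)             # True: fresh counter, valid MAC
    replay = reader.accept(*first)              # False: counter already used
    tid, ctr, _ = tag.transmit()
    forged = reader.accept(tid, ctr, b"\x00" * 8)   # False: ID alone is not enough
    for _ in range(5):                          # a few presses the reader never heard
        tag.transmit()
    drifted_ok = reader.accept(*tag.transmit()) # True: still inside the window
    for _ in range(WINDOW + 1):                 # too many missed presses
        tag.transmit()
    drifted_far = reader.accept(*tag.transmit())    # False: needs resynchronisation
    return genuine, replay, forged, drifted_ok, drifted_far


if __name__ == "__main__":
    print(demo())
```

The last case is the trade-off the window buys: a tag that transmits more than WINDOW times out of the reader's hearing (a "tap to tag" button pressed in the garage, say) is refused until it is resynchronised, so the window has to be sized for the expected number of unheard transmissions. Replaying a captured message or broadcasting a bare ID, the two things the article says any reader can do today, fails either the counter check or the MAC check.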

  22. Holy Crap, my family just recently bought the new Sunpass Mini Transponder (it’s the equivalent of the FastTrak here in Florida). And once I saw that it was only an RFID chip built inside I knew that the only thing a person would need to do is read the id data, and overwrite it onto another one.
    It’s great to see I was great.

  23. yeah ok but in belgium there is a separate company for the speedcameras. but before the police can give you a fine they have to get your license plate and name and such. but if the speedcamera-company gives the pictures or license plates to the police isn’t this like a violation on privacy?

  24. The idea of checking plates against IDs is already in effect. If you borrow a transponder without adding your car to that account, you (not the account holder) will get hit with a fine (I think the first one is $25).

  25. I use this system daily for my commute from my house in Oakland to my job in San Francisco. About a year ago I misplaced the transponder someplace in my house and went for a week without it. I figured they would assume my transponder was malfunctioning or something and manually match my plate to my account.

    After a week of doing this I decided to never put the transponder back in the car and let the FasTrak agency decide how to deal with it. I’ve been commuting this way ever since. They match up my plate to my account with 100% accuracy and I don’t need to worry about the security problems.

    I did this because I am not sure who/where my car is queried electronically. It’s too easy to start gathering information at non-toll locations.

  26. It is going to take someone with a serious set of balls to over the air program all the fastrak tags to the free account of the CEO of Fastrack before people will take security seriously. At that point we will have their attention….

  27. The ez-pass system in the northeast run by NJ, actually allows you to use it in any vehicle that you want to, as long as the tag isn’t put into a vehicle of a different class (i.e. you can’t put a tag registered to a small car in a Commercial Truck).

    I doubt ez-pass does random checks or sends fines since they explicitly say that you can move it to other vehicles.

  28. Eliot,

    Since this very relevant and somewhat alarming piece was published, have any of your suggested fixes changes made it into the current FasTrak transponders being sold in Southern California on 10 and 110 HOV lane retirement projects?

    I was also interested to know if you have information as to what “private” companies manufacture (and benefit from) the transponders and those that manage the actual FasTrak infrastructure or if they are the same entity?

    From interacting with their “difficult to reach” live attendant call center, they may be based in Utah. Clearly the data gathered from passing sensors can easily be used to determine speed, so I anticipate for a bigger brother to appear.

    thanks,
    tom sebahar
