Comments on: Black Hat 2008: FasTrak toll system completely broken

By: Jefferson Manas

Jefferson Manas — Sat, 09 Jan 2010 20:38:13 +0000

I just wanted to drop you a line and let you know that I really have enjoyed your well-written articles. I have bookmarked this site and will definitely be checking back for new posts.

By: RAJEEV DHANDA

RAJEEV DHANDA — Thu, 20 Nov 2008 09:32:42 +0000

PLZ SEND ME THE COMPLETE BLOCK ,CIRCUT DIAGRAM ALONG WITH DATA SHEET AND COMLETE WORKING MANUAL AS SOON AS POSSIBLE

THANKS WITH REGARD
RAJEEV DHANDA
09971336366

By: naturalorange

naturalorange — Mon, 27 Oct 2008 15:02:08 +0000

The ez-pass system in the northeast run by NJ, actually allows you to use it any vehicle that you want to, as long as the tag isn’t put into a vehicle of a different class (i.e. you cant put a tag registered to a small car in a Commercial Truck).

I doubt ez-pass does random checks or sends fines since they explicitly say that you can move it to other vehicles.

By: shgb

shgb — Fri, 15 Aug 2008 01:55:31 +0000

It is going to take someone with a serious set of balls to over the air program all the fastrak tags to the free account of the CEO of Fastrack before people will take security seriously. At that point we will have their attention….

By: Terry

Terry — Mon, 11 Aug 2008 06:17:54 +0000

I use this system daily for my commute from my house in Oakland to my job in San Francisco. About a year ago I missplaced the transponder someplace in my house and went for a week without it. I figured they would assume my transponder was malfunctioning or something and manually match my plate to my account.

After a week of doing this I decided to never put the transponder back in the car and let the FasTrak agency decide how to deal with it. I've been commuting this way ever since. They match up my plate to my account with 100% accuracy and I don't need to worry about the security problems.

I did this because I am not sure who/where my car is queried electronically. It's too easy to start gathering information at non-toll locations.

By: Skazz

Skazz — Sun, 10 Aug 2008 12:45:35 +0000

The idea of checking plates against IDs is already in effect. If you borrow a transponder without adding your car to that account, you (not the account holder) will get hit with a fine (I think the first one is $25).

By: starfight

starfight — Sun, 10 Aug 2008 10:06:06 +0000

yeah ok but in belgium there is a seperate company for the speedcameras. but before the police can give you a fine they have to get your license plate and name and such. but if the speedcamera-company gives the pictures or license plates to the police isn’t this like a violation on privacy?

By: Greg

Greg — Fri, 08 Aug 2008 18:35:14 +0000

Holy Crap, my family just recently bought the new Sunpass Mini Transponder (its the equivalent of the FastTrak here in Florida). And once I saw that it was only an RFID chip built inside I knew that the only thing a person would need to do is read the id data, and overwrite it onto another one.
Its great to see I was great.

By: Yoshi

Yoshi — Fri, 08 Aug 2008 18:32:45 +0000

It’s insane they make a mistake like this, The developers should have looked to how automotive rf key locks work. The problem is there is insufficient time to do a fancy “key” exchange between radios. The (secure) mobile systems work with a deviated rolling code system. For example when you purchase your RFID tag the tag action_counter will be zero. The exact value of the “action counter” is known by both radios, however the incrementing is done via a complex math formula burned in the ROM, if they didn’t make the mistake of not blowing security fuse, or use OTP non-readable devices. The radios will allow a deviance of +/- 10 counts to make sure a remote can handle some false triggering. The number length is about 32-128 bit depending on model. Microchip makes a IC that handles this. Not impossible to crack, but a heck of a lot better then plaintext flash based serial numbers.

By: webmaren

webmaren — Fri, 08 Aug 2008 14:23:15 +0000

Still could be used to damage the system by RFID-cloning the tags and switching them around a bit.

Would put any RFID-based tracking system down the tubes.

By: CarlosMC

CarlosMC — Fri, 08 Aug 2008 06:26:41 +0000

Here in Portugal we have Via Verde (Green Lane), since 1991 (which was bought from the norwegians, although this is not publicised…), and it has since then expanded into parking lots and pump stations. According to them it follows CEN/TC278 standards, still, I wonder if it’s any safer…

Electronic license plates are going to become law – they’ll read insurance and safety inspections data and allow toll payments as well, but won’t allow geo location or speed logging.

By: David Vangerov

David Vangerov — Fri, 08 Aug 2008 03:00:41 +0000

#22: We already get a monthly statement that shows which transponder was used, when it was used, and the toll lane that it went through. In addition, there's a website that you can login to to get up to date info on transponder use.

And a slight correction to the article: You do not purchase the transponder for ~$26. The FasTrak folks give it to you when you sign up and pre-pay your tolls. If you need more than a certain number of transponders (like for a fleet for a delivery company), they do require a deposit in addition to pre-paying the tolls. When your pre-paid FasTrak account dips below a certain threshold, that is when your credit/debit card is accessed to replenish the account.

By: Stephen Malinowski

Stephen Malinowski — Fri, 08 Aug 2008 02:00:45 +0000

@8, a power switch or ‘tap to tag’ button both have the problem that if you forget, (unlike @11 in ma) you get fined :-(

What I’d like is the option of having fastrak send me an email whenever my tag gets charged a toll. I could then report a spurious use. The ultimate would be: I get the email when I’m at home, report the violation immediately, they get the picture of the perp’s car, and pick him up when gets off the bridge. Would fastrak need legislative action to add something like this?

By: dj caliban

dj caliban — Fri, 08 Aug 2008 01:57:18 +0000

i don’t even keep my transponders in the car. the system photographs my plates each time i roll through – the BACK plate – and bills my account.

By: Matt Bennett

Matt Bennett — Thu, 07 Aug 2008 23:26:55 +0000

#7, Don't count on an anti-static bag to shield your tag from being read- they're just meant to dissipate static, not block RF.

Here in Austin, TX, they take a picture of your front and rear plate for every vehicle that passes through the tag lanes and the pay with change lanes, no matter if you have a tag or not. They use a high speed flash which I assume helps prevent a blurry picture of a car going 70+ mph (the speed limit on the toll roads here is 70).

I guess we've gotten to the point where digital storage of the images is cheap enough that they should keep everything. Heck, I think police cars should be fully monitored, in addition to the cameras that make such good fodder for TV clip shows.