Modified E-ZPass detects reads far from toll booths


DEF CON speaker [pukingmonkey] has spent quite a bit of time studying the methods government and law enforcement use to track private citizens’ vehicles on the roads. One of the major tracking methods is E-ZPass, an electronic toll collection system used in several states around the country. [pukingmonkey] cracked open his E-ZPass tag and found a relatively basic circuit. In his DEF CON presentation (PDF), he notes that you shouldn’t do this to your own tag: the tags legally remain the property of the issuing agency, not the user.

The tag runs from a 3.6 V long-life battery. When idle it draws only 8 µA; during a read the draw jumps to 0.3 mA, nearly a 40x increase. With that much separation it was relatively simple to add a current-sensing circuit that outputs a pulse whenever the tag is read. The pulses drive a toy cow, which lights up and “Moos” on each read.
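An added worked example (ours, not part of the original post or [pukingmonkey]’s build): sizing a series current-sense shunt from the two current figures above and picking read pulses out of a sampled current trace. The post gives only the 8 µA, 0.3 mA and 3.6 V numbers; the 3.0 V minimum operating voltage, the 0.1 V drop budget, the 10 µs sample period, the 200 µs minimum pulse width and the current trace itself are assumptions constructed for the example.

```python
# Added example: current-sense shunt sizing and read-pulse detection built
# from the figures in the post (8 uA idle, 0.3 mA during a read, 3.6 V cell).
# Everything else here is an assumption for illustration: the tag is assumed
# to keep working down to 3.0 V, the shunt is allowed to drop 0.1 V during a
# read, and the current trace is constructed, not measured.

IDLE_A = 8e-6        # idle draw, from the post
READ_A = 0.3e-3      # draw during a read, from the post
BATTERY_V = 3.6      # from the post
TAG_MIN_V = 3.0      # assumption
DT_S = 10e-6         # assumed sample period of the constructed trace (10 us)


def pick_shunt(max_drop_v=0.1, read_a=READ_A):
    """Largest series shunt (ohms) whose drop at read current stays under
    max_drop_v, plus the voltage the tag still sees during a read. Refuses
    a shunt that would brown the tag out while it is answering a reader."""
    r_ohm = max_drop_v / read_a
    tag_v = BATTERY_V - read_a * r_ohm
    if tag_v < TAG_MIN_V:
        raise ValueError("shunt would brown out the tag during a read")
    return r_ohm, tag_v


def shunt_voltages(r_ohm):
    """Voltage across the shunt when idle and when reading; the comparator
    threshold has to sit between the two."""
    return IDLE_A * r_ohm, READ_A * r_ohm


def detect_reads(samples, r_ohm, threshold_v, min_width_s, dt_s=DT_S):
    """Return (start_s, width_s) for each stretch of samples whose shunt
    voltage stays above threshold_v for at least min_width_s. Shorter
    blips (a spark, a single noisy sample) are dropped as glitches."""
    pulses = []
    start = None
    for i, amps in enumerate(list(samples) + [0.0]):   # sentinel closes a trailing pulse
        above = amps * r_ohm > threshold_v
        if above and start is None:
            start = i
        elif not above and start is not None:
            width_s = (i - start) * dt_s
            if width_s >= min_width_s:
                pulses.append((start * dt_s, width_s))
            start = None
    return pulses


def make_trace(n_samples=2000):
    """Constructed 20 ms trace: idle current with two 600 us reads and two
    short glitches that a debounced detector should ignore."""
    trace = [IDLE_A] * n_samples

    def burst(start_idx, n, amps):
        for i in range(start_idx, start_idx + n):
            trace[i] = amps

    burst(200, 60, READ_A)    # real read, 60 samples = 600 us
    burst(900, 1, READ_A)     # one-sample glitch, 10 us
    burst(1200, 3, READ_A)    # three-sample glitch, 30 us
    burst(1500, 60, READ_A)   # second real read
    return trace


if __name__ == "__main__":
    r_ohm, tag_v = pick_shunt()
    v_idle, v_read = shunt_voltages(r_ohm)
    print(f"shunt {r_ohm:.0f} ohm: idle {v_idle * 1e3:.2f} mV, read {v_read * 1e3:.0f} mV, "
          f"tag sees {tag_v:.2f} V during a read")
    threshold = (v_idle + v_read) / 2
    for start_s, width_s in detect_reads(make_trace(), r_ohm, threshold, 200e-6):
        print(f"read at {start_s * 1e3:.1f} ms lasting {width_s * 1e6:.0f} us")
```

The threshold sits halfway between the idle and read drops (about 3 mV and 100 mV with a 333 Ω shunt), which leaves plenty of margin on both sides; the minimum-width check is what keeps a spark or a stray sample from mooing the cow.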

With the circuit complete, it was time for some wardriving around New York City. On [pukingmonkey's] rather harrowing drive between Times Square and Madison Square Garden, a route with no toll plazas, the cow mooed six separate times. The New York Department of Transportation has long stated that these reads are used only to measure traffic congestion. Even so, we’d suggest keeping your tag in a metallized shielding bag (a Faraday cage) when you aren’t approaching a toll; note that the pink dissipative kind of anti-static bag does not block RF, so it has to be the shielding type.

[via Boing Boing]

Comments

  1. JC says:

    It would be more fun to know where the readers are, and implement a geolocation-based lock-out. Open the Faraday lid while near the reader, close it when not.

  2. Ren says:

    I think he should’ve used Two Cows…

  3. Shad says:

    What if the no-toll moos were only vain tries to decode unmodulated signals from dumb sensors?

  4. Dax says:

    How many of the moos were false positives?

    The device is obviously built to wake up on a carrier and wait for a magic packet, then reply. To do that, it must wake up sometimes just on signals that happen to land on the carrier frequency.

    He should rather monitor when the tag -sends- data rather than just wake up to listen.

    • Dax says:

      Plus, what’s the sensitivity of the amplifier circuit he’s using? Could it be triggered by things like cellphone hails, like what usually happens to radios when you have someone calling nearby?

      • Jason Dubrow says:

        A while ago E-ZPass had issues where cell phones would wake an E-ZPass, especially if you had a built-in phone interface in your car. My battery died after 6 months of use. They gave me a new one… 6 months later, dead…. At some point they did change the frequency of the tags to prevent that. Though it can still be activated by background noise from phones or other devices. Rev your engine just right and it can turn it on.

    • Mike Szczys says:

      Take this one step further. Is there reader identification data that is transmitted when reading a tag? If so, what would you have to do in order to capture that info?

    • Willis says:

      In the presentation PDF he pretty clearly shows the antennas setting off the cow — they’re official looking panel antennas, mounted on highway signs and utility poles, and the tag read is repeatable at the same location. He also mentions that NYSDOT confirmed that they read tags at non-toll locations for the purpose of generating travel time estimates.

      • fartface says:

        Stop bringing facts into the wild speculation!

        • Dax says:

          Of course it sets off the cow. That wasn’t the point.

          The point was, what other things can cause the tag to activate, but not necessarily broadcast its signal? What he’s doing with the thing is simply monitoring when it draws power from the battery, which can happen for any reason such as cellphones or car spark plugs etc. interfering with the circuit and causing it to wake up at random.

        • Dax says:

          Also, knowing that he’s measuring sub-milliamp currents with a shunt resistor without any sort of low-pass filtering, judging from the circuit diagram, I’m kinda surprised the cow doesn’t moo constantly from just random electromagnetic noise picked up by the long unshielded leads.

          Just flick a piezo lighter next to the circuit and watch it go.

          • pukingmonkey says:

            I was curious myself, but nope, it doesn’t. I used the electric start on a gas stove, which sparks every second while you hold it on to start. It did not activate, nor did cell phones (idle or making a call), nor driving past cell towers, power lines, or a power co-generation plant.

  5. Fred says:

    In the Bay Area, the EZ Pass units automatically beep when being read going through the toll.

    • David says:

      That doesn’t mean there aren’t non-beeping reads too.

      • Anonymous says:

        Like others have said, maybe it only beeps when it’s being read by an EZ Pass system and not picking up something else that happens to use the same carrier frequency.

        Would it be possible to test this theory with workbench-grade software defined radio? If anything it should be easy to find out the frequencies that wake the transponders up.

        • pukingmonkey says:

          Some of the goals were that the parts could be obtained at RadioShack and that it was easy. Also the design of the E-ZPass itself is simple to set off the transponder: when it receives a 915.75 MHz signal for about 20 microseconds it will transmit at 914.75 MHz for 500 microseconds, 100 microseconds later. This is consistent with mine; others with an E-ZPass and 900 MHz radios can confirm this easily. It’s the ISM band, so yes, false positives exist, and part of the exercise is to find the E-ZPass readers once you are notified the transponder triggered. There is an unattended parking garage that uses 900 MHz RFID hang tags for entrance. I get notified, but is it reading E-ZPasses? No, but the transponder still does respond and transmit its serial number to it.

          • Adam Fabio says:

            Thanks for coming in to the comments section! I didn’t know the tags could be “false triggered” so easily. It also makes me worry about the possibility of someone “stealing” serial numbers by activating tags on parked cars and recording the response.

          • yoyo says:

            that’s also right in the 33cm amateur band… could be hams setting that cow off… ha
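An added example (ours, not from [pukingmonkey] or the Popular Science build), following the timing he gives in the thread above: a reader trigger at 915.75 MHz for about 20 µs, answered by a 500 µs tag transmission at 914.75 MHz starting about 100 µs later. Given a time-sorted list of bursts seen on a 900 MHz receiver, the classifier below pairs triggers with timely replies and separates genuine reads from interrogations the tag ignored, replies whose trigger was missed, and unrelated ISM or 33 cm traffic. The frequency and timing tolerances, the event record format, and the event log itself are assumptions constructed for the example, not a capture.

```python
# Added example: classifying 900 MHz events against the tag timing quoted
# in the comment thread (trigger at 915.75 MHz for ~20 us, reply at 914.75 MHz
# for ~500 us, starting ~100 us later). The tolerances, the Event record and
# the event list are assumptions for illustration; the events are constructed,
# not captured from a real receiver.
from typing import List, NamedTuple, Optional, Tuple

TRIGGER_MHZ = 915.75        # from the comment
REPLY_MHZ = 914.75          # from the comment
FREQ_TOL_MHZ = 0.1          # assumption
TRIGGER_MIN_US = 15         # assumption around "about 20 us"
REPLY_GAP_US = (50, 150)    # assumption around "100 us later"
REPLY_LEN_US = (400, 600)   # assumption around "500 us"


class Event(NamedTuple):
    t_us: float       # start time of the burst
    freq_mhz: float   # centre frequency seen
    dur_us: float     # burst length


def is_trigger(e: Event) -> bool:
    return abs(e.freq_mhz - TRIGGER_MHZ) <= FREQ_TOL_MHZ and e.dur_us >= TRIGGER_MIN_US


def is_reply(e: Event) -> bool:
    return (abs(e.freq_mhz - REPLY_MHZ) <= FREQ_TOL_MHZ
            and REPLY_LEN_US[0] <= e.dur_us <= REPLY_LEN_US[1])


def find_reply(events: List[Event], i: int, used: set) -> Optional[int]:
    """Index of an unused reply that starts within the expected gap after
    the trigger at events[i] ends, or None."""
    trig_end = events[i].t_us + events[i].dur_us
    for j in range(i + 1, len(events)):
        gap = events[j].t_us - trig_end
        if gap > REPLY_GAP_US[1]:
            return None          # list is time-sorted; nothing later can match
        if j not in used and is_reply(events[j]) and gap >= REPLY_GAP_US[0]:
            return j
    return None


def classify(events: List[Event]) -> List[Tuple[str, float]]:
    """Label each event: 'read' (trigger plus timely reply), 'no_reply'
    (trigger seen but the tag stayed silent, or another ISM user hit the
    frequency), 'unpaired_reply' (reply with no trigger captured), or
    'other_ism' (anything else in the band)."""
    events = sorted(events, key=lambda e: e.t_us)
    used = set()
    labels = []
    for i, e in enumerate(events):
        if i in used:
            continue               # already consumed as the reply of a read
        if is_trigger(e):
            j = find_reply(events, i, used)
            if j is None:
                labels.append(("no_reply", e.t_us))
            else:
                used.add(j)
                labels.append(("read", e.t_us))
        elif is_reply(e):
            labels.append(("unpaired_reply", e.t_us))
        else:
            labels.append(("other_ism", e.t_us))
    return labels


# Constructed event log (not a real capture).
SAMPLE_EVENTS = [
    Event(0, 915.75, 20),       # reader interrogation
    Event(120, 914.75, 500),    # tag answers 100 us after the trigger ends
    Event(5000, 915.75, 22),    # interrogation, no answer
    Event(9000, 915.00, 2000),  # unrelated 33 cm / ISM transmission
    Event(15000, 915.75, 20),
    Event(15120, 914.75, 500),  # second full read
    Event(20000, 914.75, 500),  # reply seen but the trigger was missed
]


def summarize(events: List[Event] = SAMPLE_EVENTS) -> dict:
    counts = {}
    for label, _ in classify(events):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, t in classify(SAMPLE_EVENTS):
        print(f"{t:>8.0f} us  {label}")
    print(summarize())
```

This is the distinction Dax asks for above: a current-draw monitor fires on any wake-up, whereas pairing the 914.75 MHz reply with a preceding 915.75 MHz trigger only counts events where the tag actually transmitted its number. The parking-garage case [pukingmonkey] mentions would still come out as a read, because the tag genuinely answers; the classifier cannot tell who was asking.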

  6. Trent says:

    Neat project. Wouldn’t it be useful to pair this with a gps so the tag is only powered when approaching a known toll?

    • jcwren says:

      Riskier because you don’t know for sure if any information is stored in volatile memory. It may result in a non-working tag. Also, that would involve modification of the tag. If you want to be really “correct” about it, you’d need to jam or suppress it, and in no way modify the tag itself.

      • InAComaDial999 says:

        It would break entry/exit systems like the NY State Thruway or the NJ Turnpike. Those write to the tag when you enter (where in olden times you would have taken a ticket) and read it back when you exit (where you would have returned the ticket and paid). The memory is backed by the battery so pulling power would cause it to lose the entry location — which would result in you getting charged the maximum toll for that road.

        • Anonymous says:

          I’m gonna call BS on that.

          More likely, they just log which entrances and exits you use and bill you accordingly. EZPass statements show every exit and entrance that you use.

  7. Barry says:

    E-ZPass tags have been replaced in our area with stickers that are non-removable (without destroying them). No easy way to prevent non-toll reads.

  8. Ashaman says:

    And the Emmy for best use of a “Wait, What!?!” sentence goes to………………
    “Pulses are then fed into a toy cow, which lights up and “Moos” on each read.”

  9. Atwas911 says:

    Can you just imagine the hype?

    “Terrorist Hacks E-Zpass system…”
    “Homegrown terrorist thwarts law enforcement by tampering..”
    “State Police raided the home of electronic terrorist..”

    Careful.. The people who put tracking and control systems in place don’t like it when their systems are used or manipulated in any way other than for their personal gain..

    • Ren says:

      I’ve mentioned it in comments before….
      Twenty-some years ago I heard about the apprehension of a suspected terrorist.
      The radio played the voice of a sheriff (with a southern drawl) saying something like..
      “In his apartment we found, wahr (wire), electronic components, and books on electronic circuits…” As if that was all he needed to know that suspect WAS a terrorist…

      Look around your house, ARE YOU A TERRORIST? B^)

  10. InAComaDial999 says:

    This is old news. The NYC DOT put out a press release over a year ago explaining what these readers are for: http://www.nyc.gov/html/dot/html/pr2012/pr12_25.shtml

    • Blue Footed Booby says:

      Do you really think you’re the first person to point this out?

      • InAComaDial999 says:

        Based on the replies in this thread, it bears repeating.

      • lwatcdr says:

        Probably not but the link is nice. Let’s face it, if they put an honest title on this no one would read it.
        Experiment shows that the government is telling the truth.

        • pukingmonkey says:

          This was only part of a larger presentation. I too originally thought many people already knew, but they didn’t when I talked to them. I would get comments like “conspiracy theory,” “conjecture,” or “you cannot prove it.” So I had to. Also I wasn’t as bothered by this as by, say, the ALPRs, as you could opt out by bagging the tag, but few people knew that too.

          When I tried to find out who gets this data and how long it is kept, I could not get any answers. This was either just bureaucracy or the fact that they can no longer talk about it; no way for one to know. In fact it took a reporter from a national publication 5 weeks to get some answers that were not even very clear.

          The answer that might make you feel better: the tag number is “scrambled.” How? It needs to be scrambled the same way between readers for the timing to work. Add 1 to it on Mondays, and 2 on Tuesdays? A crypto checksum? We are not told. Even if it is an MD5/SHA1, how many tags are there? As of 2012 there were 24,321,324 tags. The tags have an agency id, which is 15 bits (but there are only 15 issuing agencies), and then a 24 bit serial number = 39 bits, which is < 5 bytes (characters). So how long would it take to “scramble” this list of known numbers so it could be reversible? Hint: I just did 24 million on my laptop in 4 seconds. So “scrambling” is just a pacifier.

          If you knew for a fact before this that the Transcore boxes were the readers, that in some areas in midtown they are at every intersection (so it could be determined where one even parks in those areas), and that while downtown there are not as many tag readers but lots of license plate readers, then yes, it is old news.
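An added example (ours, not [pukingmonkey]’s script) of the brute-force reversal he describes in the comment above. The 15-bit agency id and 24-bit serial layout are taken from his comment; the agency and serial values used, SHA-1 as the stand-in for an unknown “scrambling” function, the HMAC key and the reduced enumeration size are assumptions for illustration (no real tag numbers are enumerated). A deterministic, unkeyed transform over a space of tens of millions of values is a lookup table waiting to be built; a keyed transform is shown alongside it for contrast.

```python
# Added example: why an unkeyed "scramble" of a 39-bit tag number is not
# anonymization. The 15-bit agency / 24-bit serial layout is from the
# comment above; the agency and serial values, the choice of SHA-1 as the
# stand-in scrambler, the HMAC key and the reduced enumeration size are
# assumptions for illustration (real tag numbers are not enumerated here).
import hashlib
import hmac

AGENCY_BITS = 15
SERIAL_BITS = 24
ID_BYTES = 5          # 39 bits fit in 5 bytes, as the comment notes


def tag_id(agency: int, serial: int) -> int:
    """Pack agency and serial into the 39-bit tag number."""
    if not 0 <= agency < (1 << AGENCY_BITS):
        raise ValueError("agency id out of range")
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial out of range")
    return (agency << SERIAL_BITS) | serial


def scramble_unkeyed(tag: int) -> str:
    """The kind of 'scrambling' that is deterministic and needs no shared
    secret: a plain hash of the raw id. Same input, same output, at every
    reader, so the travel-time matching works, and so does a dictionary."""
    return hashlib.sha1(tag.to_bytes(ID_BYTES, "big")).hexdigest()


def scramble_keyed(tag: int, key: bytes) -> str:
    """Keyed alternative (HMAC): still consistent across readers that hold
    the key, but not reversible by enumerating ids without it."""
    return hmac.new(key, tag.to_bytes(ID_BYTES, "big"), "sha256").hexdigest()


def build_lookup(agencies, serials_per_agency):
    """Precompute scrambled -> (agency, serial) over the id space. Only a
    few thousand serials per agency here to keep the demo quick; the
    comment reports the full 24 million taking seconds on a laptop."""
    return {
        scramble_unkeyed(tag_id(a, s)): (a, s)
        for a in agencies
        for s in range(serials_per_agency)
    }


def unscramble(table, digest):
    """Reverse a scrambled value by table lookup; None if not enumerated."""
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup(range(15), 2000)          # 15 agencies, assumed serial range
    observed = scramble_unkeyed(tag_id(7, 1234))   # what a reader log might contain
    print("unkeyed digest reverses to", unscramble(table, observed))
    keyed = scramble_keyed(tag_id(7, 1234), b"per-agency-secret")
    print("keyed digest reverses to", unscramble(table, keyed))
```

Two caveats belong with the keyed version. It only stops an outsider who has the logs but not the key; whoever holds the key can still link every read to a tag, which is the same capability the system needs for travel-time matching. And anyone who can trigger a known tag in front of a reader and then see its pseudonym in the data has a chosen-plaintext pairing for that tag regardless of how the number was transformed.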

  11. Slowpoke says:

    I don’t much care for the EZ pass or the conspiracy theories generated from this.

    I only want to know one thing: Where the hell can I acquire my own mooing toy cow?!!!

  12. Chris says:

    Those LED torches with sound effects are available in other animals as well. Surely there’s a more “traditional” option for pointing out the presence of law enforcement (as claimed to be operating the tracking).

  13. pukingmonkey says:

    I did a version for the January 2014 issue of Popular Science.
    Complete parts list (all obtainable from RadioShack) and build instructions are at http://www.popsci.com/article/diy/ezpass-hack-covert-scanning?nopaging=1 and a video of it working at http://www.youtube.com/watch?v=J-BGNefFAa8
