Def Con speaker [pukingmonkey] has spent quite a bit of time studying methods government and law enforcement use to track private citizens’ vehicles on the roads. One of the major tracking methods is E-ZPass, an electronic toll collection system used in several states around the country. [pukingmonkey] cracked open his E-ZPass tag to find a relatively basic circuit. In his DEF CON presentation (PDF), he notes you shouldn’t do this to your own tag, as tags are legally not the property of the user.
The tag runs from a 3.6 V long-life battery. When idle, the tag draws only 8 microamps; during a read, current draw jumps to 0.3 mA. With that difference known, adding a current-detecting circuit that outputs a pulse on each tag read was relatively simple. The pulses are fed into a toy cow, which lights up and “Moos” on each read.
With the circuit complete, it was time for some wardriving around New York City. In [pukingmonkey’s] rather harrowing drive between Times Square and Madison Square Garden (a route with no tolls), the cow was milked 6 separate times. The New York Department of Transportation has long stated that these reads are used only to track traffic congestion. Even so, we’d suggest putting your tag away in an anti-static bag (Faraday cage) when not approaching a toll.
[via Boing Boing]
It would be more fun to know where the readers are, and implement a geolocation-based lock-out. Open the Faraday lid while near the reader, close it when not.
I think he should’ve used Two Cows…
He actually did! =) Shown on page 100 in his presentation: http://www.youtube.com/watch?v=UwBK_SpYJdo
Am I wrong in thinking TUCOWS?
Not as far as I’m concerned. Great place for PalmOS and WinMo apps.
What if no-toll moos were only vain tries to decode unmodulated signals from dumb sensors?
This is NYC, the realm of the totalitarian Bloomberg, who is a noted fan of controlling and tracking people.
And as the article states they claim it’s for tracking traffic congestion, or in other words they admit the tracking.
That does not in any way answer the question. Try to be a little more rational, please.
How many of the moos were false positives?
The device is obviously built to wake up on a carrier and wait for a magic packet, then reply. To do that, it must wake up sometimes just on signals that happen to land on the carrier frequency.
He should rather monitor when the tag -sends- data rather than just wake up to listen.
Plus, what’s the sensitivity of the amplifier circuit he’s using? Could it be triggered by things like cellphone hails, like what usually happens to radios when you have someone calling nearby?
A while ago EZ-Pass had issues where cell phones would wake an EZ-Pass, especially if you had a built-in phone interface in your car. My battery died after 6 months of use. They gave me a new one…6 months later dead…. At some point they did change the frequency of the tags to prevent that. Though it can still be activated by background noise from phones or other devices. Rev your engine just right and it can turn it on.
Take this one step further. Is there reader identification data that is transmitted when reading a tag? If so, what would you have to do in order to capture that info?
In the presentation PDF he pretty clearly shows the antennas setting off the cow — they’re official looking panel antennas, mounted on highway signs and utility poles, and the tag read is repeatable at the same location. He also mentions that NYSDOT confirmed that they read tags at non-toll locations for the purpose of generating travel time estimates.
Stop bringing facts into the wild speculation!
Of course it sets off the cow. That wasn’t the point.
The point was, what other things can cause the tag to activate, but not necessarily broadcast its signal? What he’s doing with the thing is simply monitoring when it draws power from the battery, which can happen for any reason such as cellphones or car spark plugs etc. interfering with the circuit and causing it to wake up at random.
Also, knowing that he’s measuring sub-milliamp currents with a shunt resistor without any sort of low-pass filtering judging from the circuit diagram, I’m kinda surprised the cow doesn’t moo constantly from just random electromagnetic noise picked up by the long unshielded leads.
Just flick a piezo lighter next to the circuit and watch it go.
I was curious myself, but nope it doesn’t. I used the electric start on a gas stove, which sparks every second while holding it on to start. It did not activate, nor had cell phones (idle or making a call), nor driving past cell towers, power lines, nor a power co-generation plant.
In the Bay Area, the EZ Pass units automatically beep when being read going through the toll.
That doesn’t mean there aren’t non-beeping reads too.
Like others have said, maybe it only beeps when it’s being read by an EZ Pass system and not picking up something else that happens to use the same carrier frequency.
Would it be possible to test this theory with workbench-grade software defined radio? If anything it should be easy to find out the frequencies that wake the transponders up.
Some of the goals were that the parts could be obtained at Radio Shack and it was easy. Also the design of E-ZPass itself is simple, to set off the transponder. When it receives a 915.75MHz signal for about 20 microseconds it will transmit at 914.75MHz for 500 microseconds, 100 microseconds later. This is consistent with mine; others with an E-ZPass and 900MHz radios can confirm this easily. It’s ISM band, so yes false positives exist, and part of the exercise is to find the E-ZPass readers once you are notified the transponder triggered. There is an unattended parking garage that uses 900MHz RFID hang tags for entrance. I get notified, but is it reading E-ZPasses? No, but the transponder still does respond and transmit its serial number to it.
Thanks for coming in to the comments section! I didn’t know the tags could be “false triggered” so easily. It also makes me worry about the possibility of someone “stealing” serial numbers by activating tags on parked cars and recording the response.
that’s also right in the 33cm amateur band… could be hams setting that cow off… ha
Neat project. Wouldn’t it be useful to pair this with a gps so the tag is only powered when approaching a known toll?
Riskier because you don’t know for sure if any information is stored in volatile memory. It may result in a non-working tag. Also, that would involve modification of the tag. If you want to be really “correct” about it, you’d need to jam or suppress it, and in no way modify the tag itself.
It would break entry/exit systems like the NY State Thruway or the NJ Turnpike. Those write to the tag when you enter (where in olden times you would have taken a ticket) and read it back when you exit (where you would have returned the ticket and paid). The memory is backed by the battery so pulling power would cause it to lose the entry location — which would result in you getting charged the maximum toll for that road.
I’m gonna call BS on that.
More likely, they just log which entrances and exits you use and bill you accordingly. EZPass statements show every exit and entrance that you use.
EZ-Pass tags have been replaced in our area with non-removable (without destroying) stickers. No easy way to prevent non-toll reads.
yes there is. Tinfoil and tape.
So there is something to the tin foil hat theory!
I have one of those. Well, it’s actually in a plastic housing with suction cups so that I can stick it to the windshield, but it’s still got the ‘passive’ tag in it.
And the Emmy for best use of a “Wait, What!?!” sentence goes to………………
“Pulses are then fed into a toy cow, which lights up and “Moos” on each read.”
It’s got my vote!
Can you just imagine the hype?
“Terrorist Hacks E-Zpass system…”
“Homegrown terrorist thwarts law enforcement by tampering..”
“State Police raided the home of electronic terrorist..”
Careful.. The people who put tracking and control systems in place don’t like it when their systems are used or manipulated in any way other than for their personal gain..
I’ve mentioned it in comments before….
Twenty-some years ago I heard about the apprehension of a suspected terrorist.
The radio played the voice of a sheriff (with a southern drawl) saying something like..
“In his apartment we found, wahr (wire), electronic components, and books on electronic circuits…” As if that was all he needed to know that suspect WAS a terrorist…
Look around your house, ARE YOU A TERRORIST? B^)
But hey.. At least now they don’t have to go through the trouble of getting a warrant, bringing charges, letting you have a lawyer, or even acknowledging to anyone that they are the reason you’re missing..
You can just vanish. :D
This is old news. The NYC DOT put out a press release over a year ago explaining what these readers are for: http://www.nyc.gov/html/dot/html/pr2012/pr12_25.shtml
Do you really think you’re the first person to point this out?
Based on the replies in this thread, it bears repeating.
Probably not but the link is nice. Let’s face it, if they put an honest title on this no one would read it.
Experiment shows that the government is telling the truth.
This was only part of a larger presentation. I too originally thought many people already knew, but they didn’t when I talked to them. I would get comments like “conspiracy theory,” “conjecture,” or “you cannot prove it.” So I had to. Also I wasn’t as bothered by this as, say, the ALPRs, as you could opt out by bagging the tag, but few people knew that too. When I tried to find out who gets this data and how long it is kept, I could not get any answers. This was either just bureaucracy or the fact that they can no longer talk about it; no way for one to know. In fact it took a reporter from a national publication 5 weeks to get some answers that were not even very clear.

The answer that might make you feel better — the tag number is “scrambled.” How? It needs to be able to be scrambled the same way between readers for the timing to work. Add 1 to it on Mondays, and 2 on Tuesdays? A crypto checksum? We are not told. Even if it is an MD5/SHA1, how many tags are there? As of 2012 there were 24,321,324 tags. The tags have an agency id, which is 15 bits (but there are only 15 issuing agencies), and then a 24 bit serial number = 39 bits, which is < 5 bytes (characters). So how long would it take to "scramble" this list of known numbers so it could be reversible? Hint: I just did 24 million on my laptop in 4 seconds. So "scrambling" is just a pacifier.

If you knew for a fact before this that the TransCore boxes were the readers, that in some areas in midtown they are at every intersection (so it could be determined where one even parks in those areas), and that while downtown there are not as many tag readers but lots of license plate readers, then yes, it is old news.
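The reversal described in the comment above, as an added example that is not from the article or the commenter: it packs the 15-bit agency id and 24-bit serial the comment describes, assumes plain SHA-1 as the undisclosed "scramble" (the commenter's guess), precomputes the digest of every possible tag, and maps a "scrambled" log back to tag numbers. It also shows the alternative that satisfies the "same way between readers" requirement without being enumerable: an HMAC under a key the readers share but an outside party does not.

```python
"""Why hashing a 39-bit tag ID is reversible by enumeration.

Added example, not from the article or the thread. Tag layout as stated in
the comment: 15-bit agency id followed by a 24-bit serial (39 bits, packed
into 5 bytes). The real "scrambling" method is not disclosed; plain SHA-1
is assumed here, and HMAC-SHA256 with a secret key is the alternative that
stays consistent across readers but cannot be reversed by enumeration.
"""
import hashlib
import hmac

AGENCY_BITS, SERIAL_BITS = 15, 24


def pack_tag(agency: int, serial: int) -> int:
    """Combine agency id and serial into the 39-bit tag number."""
    if not (0 <= agency < 1 << AGENCY_BITS and 0 <= serial < 1 << SERIAL_BITS):
        raise ValueError("field out of range")
    return (agency << SERIAL_BITS) | serial


def unpack_tag(tag: int) -> tuple:
    """Split a 39-bit tag number back into (agency, serial)."""
    return tag >> SERIAL_BITS, tag & ((1 << SERIAL_BITS) - 1)


def unkeyed_scramble(tag: int) -> str:
    """Unkeyed hash: deterministic, so it can be precomputed for every tag."""
    return hashlib.sha1(tag.to_bytes(5, "big")).hexdigest()


def keyed_scramble(tag: int, key: bytes) -> str:
    """Keyed pseudonym: still identical at every reader holding the key."""
    return hmac.new(key, tag.to_bytes(5, "big"), "sha256").hexdigest()


def build_lookup(agencies, serial_count: int) -> dict:
    """Precompute digest -> tag over the ID space.

    15 agencies x 2^24 serials is the 24-million-entry job the comment
    mentions; a small slice is enough to show the principle.
    """
    table = {}
    for a in agencies:
        for s in range(serial_count):
            tag = pack_tag(a, s)
            table[unkeyed_scramble(tag)] = tag
    return table


def reverse_log(scrambled: list, table: dict) -> list:
    """Map each 'scrambled' log entry back to (agency, serial), or None."""
    return [unpack_tag(table[h]) if h in table else None for h in scrambled]
```

Rotating the HMAC key on a schedule additionally breaks linkability across key periods, which no unkeyed hash can offer.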
I don’t much care for the EZ pass or the conspiracy theories generated from this.
I only want to know one thing: Where the hell can I acquire my own mooing toy cow?!!!
The exact one came from Dollar Tree; their monkey was used for the license plate reader alert. They come and in stock. Party City has similar ones you can get now:
http://www.partycity.com/product/cow+light+up+keychain.do
I know right.. These damn conspiracy theorists.. It’s not like the government is listening to every phone conversation and reading every internet communication.. Why would they want to know the location of and track your vehicle? Pft.. That just crazy talk.
o.o
Those LED torches with sound effects are available in other animals as well. Surely there’s a more “traditional” option for pointing out the presence of law enforcement (as claimed to be operating the tracking)?
I did a version for the January 2014 issue of Popular Science.
Complete parts list (all obtainable from RadioShack) and build instructions are at http://www.popsci.com/article/diy/ezpass-hack-covert-scanning?nopaging=1 and a video of it working at http://www.youtube.com/watch?v=J-BGNefFAa8
Hey PM,
What is the bare minimum needed to get a single LED to blink when the EZ pass is activated? Is it possible to have that minimalist circuit only run off the internal EZ Pass battery?
Thank you for your write ups.
Sure. It will require different parts, and I have not actually built this. Here’s a link to a modified schematic:
http://www.authorstream.com/Presentation/pukingmonkey-2374590-minimalist-schematic/
The plans in PopSci were designed specifically with parts that could be purchased at Radio Shack. I will eliminate that requirement here.
First let’s look at the battery in the E-ZPass. It’s 3.6V and is ultra-long life but only at low current draw.
So we cannot use the 555; it requires 4.5 V and is a power hog. Since we only want an LED to light we don’t need it at all, and just use U1 to do that.
– Now we’ll need U1 to be low voltage and low current drain. We could try to use an LM6132 as it’s rail-to-rail, but it’s not ultra-low power. Or we can try a TS271, which also seems to fit the requirements.
– The original R1 & R2 were combined into a single 82 ohm resistor R1.
– Since we reduced our supply voltage to 3.6V we’ll need to increase the original R4 (now R3) to 270 ohms.
– Check the current load of the new circuit in its quiescent state (LED not on). If the draw is over 50 microamps try the other OpAmp for U1.
– Check also that U1 is sensitive enough for the 2mV reference voltage that is provided by R2-R3 (it should be). If not, R1 may need to be increased. This is not recommended as it is a shunt resistor and is already pretty high. If R1 is increased, R3 will have to be as well.
– C1 is optional, but it should help save on battery life.
– For R4 I assumed use of a standard 1.9V high intensity LED and limited it to 15mA; you can increase R4 slightly to reduce this draw, but that will make the LED dimmer.
Other caveats
– The LED will only light when the tag is transmitting, which at low speeds in toll plazas will be a few seconds and noticeable.
Even at highway-speed toll plazas there are always multiple readers to make sure the tag is read, so it will be a second or so. But the single reader for traffic monitoring has a beam footprint of 25-50 ft, which means at highway speeds (100ft/sec) the LED will light for only 1/4 to 1/2 second; this may barely be noticeable.
– Also, with the LED on it is 50 times the power draw of what the tag would normally use transmitting. Bear this in mind when sitting under a reader while stuck in traffic. If the LED was left on continuously it would completely drain the E-ZPass battery in two weeks.
References —
http://www.tadiranbat.com/pdf.php?id=TL-4920
http://pdf.datasheetcatalog.com/datasheet/texasinstruments2/lm6132.pdf
http://www.st.com/web/en/resource/technical/document/datasheet/CD00000494.pdf
Wow, PM, I was not expecting a reply at all considering the slightly historic nature of this post(in internet time). You not only replied way before the 24 hour mark, but you had a new schematic and write up in hand, including references. I feel it is my duty to fulfill this new schematic and hopefully take pictures during the process. Now to look up some random online place to order the little parts.
Thank you.
:-) Your request was one of my original ideas, so I had previously investigated it. But because of the listed caveats, that’s not what was done. I had actually replaced my tag battery with a rechargeable cellphone battery and added a microUSB port for charging it, but in reality it would always be dead (from the sensing circuit draw) when I needed to use it, so it was always plugged into the car charger anyway when needed for use. So either forget the rechargeable and just use the car charger all the time, or use removable batteries (and a switch) just for the sensing circuit, and leave the tag battery just for the tag.
BTW, you could just use the LM324 (get it from RS) as listed in the article, but its draw is ~0.7mA so that will drain the E-ZPass battery in about 1 year (vs. 5-10 yrs expected tag life). Also note if you use a TS271 you will also need to set the power draw by use of a 100k-1M resistor between pin 4 and 8 (not in my schematic). See figure 6 in its datasheet.
Good luck with your build.
Here’s the Radio Shack only parts build —
http://www.authorstream.com/Presentation/pukingmonkey-2375294-minimalist-schematic2/
Just remember to turn off the switch when you are not driving, as U1 will drain the E-ZPass tag battery in about 1 year if left on continuously.
Out here in CA, the tags already have beepers in them. The only time ours goes off when questionable is at the airport. This is an FAQ at this point – the technology to track taxi and limo visits is compatible and the “extra” tags are ignored.
Hi,
I have a few questions.
1) The link to the battery you posted above seems to be a dead link now. Zooming in on the image you posted, it looks like the battery is the Tadiran TL-4902 is that right? This thing: http://www.tadiranbat.com/assets/tl-4902.pdf ?
– It looks according to their website like this battery is optimized for extremely low steady state current draw, whereas their other batteries (like the TLL-5902) are better suited for applications with peak current pulses. I am curious why they would use the TL-4902 in an application where peak current pulses are needed. Are they just assuming such a small duty cycle for how often the peak current pulses (I think you mentioned these pulses are 300uA for 500 microseconds every time the transponder is woken by a 915MHz signal?) that the math just works out better with the 4902?
2) In one of your comments you mention the transponder ‘wakes’ when receiving a 915.75MHz signal and responds back by transmitting a 914.75MHz signal. Was that a typo or is it true that the responding signal is 1MHz lower frequency than the received signal?
– Do you know what the bandwidths for the ‘waking’ signal/transmitted signal are? i.e. would the transponder ‘wake’ anywhere between 915.5 MHz and 916MHz (500 KHz bandwidth), and would it transmit the various bytes of information back with any particular bandwidth around the ~915MHz carrier signal?
Love that I read this after getting mine……