Modified E-ZPass Detects Reads Far From Toll Booths

Def Con speaker [pukingmonkey] has spent quite a bit of time studying methods government and law enforcement use to track private citizens’ vehicles on the roads. One of the major tracking methods is E-ZPass, an electronic toll collection system used in several states around the country. [pukingmonkey] cracked open his E-ZPass tag to find a relatively basic circuit. In his DEF CON presentation (PDF), he notes you shouldn’t do this to your own tag, as tags are legally not the property of the user.

The tag uses a 3.6 volt long life battery to operate. When idle, the tag only draws 8 microamps. During reads, current draw jumps to 0.3 mA. Armed with this information, it was relatively simple to add a current detecting circuit that outputs a pulse on tag reads. Pulses are then fed into a toy cow, which lights up and “Moos” on each read.

With the circuit complete, it was time for some wardriving around New York City. In [pukingmonkey’s] rather harrowing drive between Times Square and Madison Square Garden (a route with no tolls), the cow was milked 6 separate times. The New York Department of Transportation has long stated that these reads are used only to track traffic congestion. Even so, we’d suggest putting your tag away in an anti-static bag (Faraday cage) when not approaching a toll.

[via Boing Boing]

53 thoughts on “Modified E-ZPass Detects Reads Far From Toll Booths”

    1. This is NYC, the realm of the totalitarian Bloomberg, who is a noted fan of controlling and tracking people.
      And as the article states, they claim it’s for tracking traffic congestion, or in other words they admit the tracking.

  1. How many of the moos were false positives?

    The device is obviously built to wake up on a carrier and wait for a magic packet, then reply. To do that, it must wake up sometimes just on signals that happen to land on the carrier frequency.

    He should rather monitor when the tag -sends- data rather than just wake up to listen.

    1. Plus, what’s the sensitivity of the amplifier circuit he’s using? Could it be triggered by things like cellphone hails, like what usually happens to radios when you have someone calling nearby?

      1. A while ago E-ZPass had issues where cell phones would wake an E-ZPass, especially if you had a built-in phone interface in your car. My battery died after 6 months of use. They gave me a new one…6 months later dead…. At some point they did change the frequency of the tags to prevent that. Though it can still be activated by background noise from phones or other devices. Rev your engine just right and it can turn it on.

    2. In the presentation PDF he pretty clearly shows the antennas setting off the cow — they’re official looking panel antennas, mounted on highway signs and utility poles, and the tag read is repeatable at the same location. He also mentions that NYSDOT confirmed that they read tags at non-toll locations for the purpose of generating travel time estimates.

        1. Of course it sets off the cow. That wasn’t the point.

          The point was, what other things can cause the tag to activate, but not necessarily broadcast its signal? What he’s doing with the thing is simply monitoring when it draws power from the battery, which can happen for any reason such as cellphones or car spark plugs etc. interfering with the circuit and causing it to wake up at random.

        2. Also, knowing that he’s measuring sub-milliamp currents with a shunt resistor without any sort of low-pass filtering judging from the circuit diagram, I’m kinda surprised the cow doesn’t moo constantly from just random electromagnetic noise picked up by the long unshielded leads.

          Just flick a piezo lighter next to the circuit and watch it go.

          1. I was curious myself, but nope, it doesn’t. I used the electric start on a gas stove, which sparks every second while holding it on to start. It did not activate, nor did cell phones (idle or making a call), nor driving past cell towers, power lines, nor a power co-generation plant.

      1. Like others have said, maybe it only beeps when it’s being read by an EZ Pass system and not picking up something else that happens to use the same carrier frequency.

        Would it be possible to test this theory with workbench-grade software defined radio? If anything it should be easy to find out the frequencies that wake the transponders up.

        1. Some of the goals were that the parts could be obtained at Radio Shack and it was easy. Also the design of E-ZPass itself is simple, to set off the transponder. When it receives a 915.75MHz signal for about 20 microseconds it will transmit at 914.75MHz for 500 microseconds, 100 microseconds later. This is consistent with mine; others with an E-ZPass and 900MHz radios can confirm this easily. It’s ISM band, so yes false positives exist and part of the exercise is to find the E-ZPass readers once you are notified the transponder triggered. There is an unattended parking garage that uses 900MHz RFID hang tags for entrance. I get notified, but is it reading E-ZPasses? No, but the transponder still does respond and transmit its serial number to it.

          1. Thanks for coming in to the comments section! I didn’t know the tags could be “false triggered” so easily. It also makes me worry about the possibility of someone “stealing” serial numbers by activating tags on parked cars and recording the response.

    1. Riskier because you don’t know for sure if any information is stored in volatile memory. It may result in a non-working tag. Also, that would involve modification of the tag. If you want to be really “correct” about it, you’d need to jam or suppress it, and in no way modify the tag itself.

      1. It would break entry/exit systems like the NY State Thruway or the NJ Turnpike. Those write to the tag when you enter (where in olden times you would have taken a ticket) and read it back when you exit (where you would have returned the ticket and paid). The memory is backed by the battery so pulling power would cause it to lose the entry location — which would result in you getting charged the maximum toll for that road.

  2. Can you just imagine the hype?

    “Terrorist Hacks E-Zpass system…”
    “Homegrown terrorist thwarts law enforcement by tampering..”
    “State Police raided the home of electronic terrorist..”

    Careful.. The people who place tracking and control systems in place don’t like when their systems are used or manipulated in anyway other than for their personal gain..

    1. I’ve mentioned it in comments before….
      Twenty-some years ago I heard about the apprehension of a suspected terrorist.
      The radio played the voice of a sheriff (with a southern drawl) saying something like..
      “In his apartment we found, wahr (wire), electronic components, and books on electronic circuits…” As if that was all he needed to know that suspect WAS a terrorist…

      Look around your house, ARE YOU A TERRORIST? B^)

        1. This was only part of a larger presentation. I too originally thought many people already knew, but they didn’t when I talked to them. I would get comments like “conspiracy theory,” “conjecture,” or “you cannot prove it.” So I had to. Also I wasn’t as bothered by this as say the ALPRs, as you could opt out by bagging the tag, but few people knew that too. When I tried to find out about who gets this data, how long is it kept, I could not get any answers. This was either just bureaucracy or the fact that they can no longer talk about it, no way for one to know. In fact it took a reporter from a national publication 5 weeks to get some answers that were not even very clear. The answer that might make you feel better — the tag number is “scrambled.” How? It needs to be able to be scrambled the same way between readers for the timing to work. Add 1 to it on Mondays, and 2 on Tuesdays? A crypto checksum? We are not told. Even if it is an MD5/SHA1, how many tags are there? As of 2012 there were 24,321,324 tags. The tags have an agency id, it is 15 bits (but there are only 15 issuing agencies) and then a 24 bit serial number = 39 bits, which is < 5 bytes (characters). So how long would it take to "scramble" this list of known numbers so it could be reversible? Hint: I just did 24 million on my laptop in 4 seconds. So "scrambling" is just a pacifier. If you knew for a fact before this that the TransCore boxes were the readers, that in some areas in midtown they are at every intersection (so it could be determined where one even parks in those areas), and while downtown there are not as many tag readers but lots of license plate readers, then yes, it is old news.
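The reversibility argument in the comment above, worked through as an added example (not code from the post or from the E-ZPass operators): an unkeyed hash of a 39-bit tag id (15-bit agency, 24-bit serial) is undone by a dictionary over the issued ids, while a keyed HMAC shared only among readers still gives every reader the same value but leaves an outside observer nothing to enumerate. The population size, key handling and use of SHA-1 are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

AGENCY_BITS, SERIAL_BITS = 15, 24        # field widths quoted in the comment

def tag_id(agency: int, serial: int) -> int:
    """Pack a 15-bit agency id and a 24-bit serial into one 39-bit integer."""
    assert 0 <= agency < (1 << AGENCY_BITS) and 0 <= serial < (1 << SERIAL_BITS)
    return (agency << SERIAL_BITS) | serial

def scramble_unkeyed(tid: int) -> str:
    """Assumed weak 'scrambling': a bare SHA-1 of the 5-byte tag id."""
    return hashlib.sha1(tid.to_bytes(5, "big")).hexdigest()

def scramble_keyed(tid: int, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret held only by the readers."""
    return hmac.new(key, tid.to_bytes(5, "big"), "sha256").hexdigest()

def build_reverse_table(issued: List[int], scramble: Callable[[int], str]) -> Dict[str, int]:
    """Precompute scrambled value -> tag id for every issued tag (the dictionary)."""
    return {scramble(t): t for t in issued}

def unscramble(scrambled: str, table: Dict[str, int]) -> Optional[int]:
    return table.get(scrambled)

# Constructed population: 3 agencies x 1000 serials (the real list is ~24M,
# which is why the comment's 4-second figure is plausible).
ISSUED = [tag_id(a, s) for a in (1, 2, 3) for s in range(1000)]

def demo() -> tuple:
    victim = tag_id(2, 577)
    # Unkeyed hash: the dictionary over issued ids recovers the tag id outright.
    table = build_reverse_table(ISSUED, scramble_unkeyed)
    recovered = unscramble(scramble_unkeyed(victim), table)
    # Keyed HMAC: without the readers' key an observer can only guess a key,
    # and a table built under the wrong key matches nothing.
    real_key = secrets.token_bytes(32)
    guessed_key = secrets.token_bytes(32)
    table_guess = build_reverse_table(ISSUED, lambda t: scramble_keyed(t, guessed_key))
    not_recovered = unscramble(scramble_keyed(victim, real_key), table_guess)
    return recovered, not_recovered
```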

    1. I know right.. These damn conspiracy theorists.. It’s not like the government is listening to every phone conversation and reading every internet communication.. Why would they want to know the location of and track your vehicle? Pft.. That just crazy talk.


  3. Those LED torches with sound effects are available in other animals as well. Surely there’s a more “traditional” option for pointing out the presence of law enforcement (as claimed to be operating the tracking).

    1. Hey PM,
      What is the bare minimum needed to get a single LED to blink when the EZ pass is activated? Is it possible to have that minimalist circuit only run off the internal EZ Pass battery?
      Thank you for your write ups.

      1. Sure. It will require different parts, and I have not actually built this. Here’s a link to a modified schematic:

        The plans in PopSci were designed specifically with parts that could be purchased at Radio Shack. I will eliminate that requirement here.
        First let’s look at the battery in the E-ZPass. It’s 3.6V and is ultra-long life but only at low current draw.
        So we cannot use the 555, it requires 4.5V and is a power hog. Since we only want an LED to light we don’t need it at all, and just use U1 to do that.
        – Now we’ll need U1 to be low voltage and low current drain. We could try to use an LM6132 as it’s rail-to-rail but it’s not ultra-low power. Or we can try a TS271 which also seems to fit the requirements.
        – the original R1 & R2 were combined into a single 82 ohm resistor R1
        – Since we reduced our supply voltage to 3.6V we’ll need to increase the original R4 (now R3) to 270 ohms
        – Check the current load of the new circuit in its quiescent state (LED not on). If the draw is over 50 microamps try the other OpAmp for U1.
        – Check also that U1 is sensitive enough for the 2mV reference voltage that is provided by R2-R3 (it should be). If not, R1 may need to be increased. This is not recommended as it is a shunt resistor and is already pretty high. If R1 is increased R3 will have to be as well.
        – C1 is optional, but it should help save on battery life
        – For R4 I assumed use of a standard 1.9V high intensity LED and limited it to 15mA, you can increase this slightly to reduce the draw, but that will make the LED dimmer.
        Other caveats
        – the LED will only light when the tag is transmitting, which at low speeds in toll plazas will be a few seconds and noticeable.
        Even at highway-speed toll plazas, there are always multiple readers to make sure the tag is read, so it will be a second or so. But the single reader for traffic monitoring has a beam footprint of 25-50 ft which means at highway speeds (100ft/sec) the LED will light for only 1/4 to 1/2 second, this may barely be noticeable.
        – also with the LED on it is 50 times the power draw of what the tag would normally use transmitting. Bear this in mind when sitting under a reader while stuck in traffic. If the LED was left on continuously it would completely drain the E-ZPass battery in two weeks.

        References —
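A model of the shunt-and-comparator read detector described in the reply above, added here as an example (not the commenter's own code or schematic), using the page's figures: 82 ohm shunt, 2 mV reference, 8 µA idle, 300 µA for 500 µs during transmit. It also adds a minimum-duration check, which is one way to address the false-positive worry raised earlier in the thread; the sampling step, the noise spikes and the 400 µs qualifier are constructed assumptions.

```python
R_SHUNT = 82.0      # ohms: the combined shunt R1 in the modified schematic
V_REF = 0.002       # volts: the 2 mV comparator reference from R2-R3
I_IDLE = 8e-6       # amps: idle tag draw quoted in the article
I_TX = 300e-6       # amps: tag draw while transmitting
DT = 10e-6          # seconds per sample of the constructed trace

def threshold_current():
    """Current at which the comparator trips: V_REF / R_SHUNT, about 24 uA,
    comfortably above the 8 uA idle draw and far below the 300 uA transmit draw."""
    return V_REF / R_SHUNT

def current_trace(events, window=2e-3):
    """Idle draw over the window, overwritten by (start_s, duration_s, amps) bursts."""
    trace = [I_IDLE] * round(window / DT)
    for start, dur, amps in events:
        for k in range(round(start / DT), round((start + dur) / DT)):
            trace[k] = amps
    return trace

def naive_count(trace):
    """Rising edges of a bare comparator: every spike above threshold counts."""
    thr = threshold_current()
    above = [i > thr for i in trace]
    return sum(1 for k in range(len(above)) if above[k] and (k == 0 or not above[k - 1]))

def count_reads(trace, min_duration=400e-6):
    """Only pulses that stay above threshold for min_duration count as reads;
    a genuine transmit burst lasts 500 us, so 400 us rejects short noise spikes."""
    thr = threshold_current()
    reads, run = 0, 0
    for i in trace + [0.0]:          # sentinel closes a pulse at the end of the trace
        if i > thr:
            run += 1
        else:
            if run * DT >= min_duration:
                reads += 1
            run = 0
    return reads

# Constructed events: one genuine read (the 20 us wake at t=0 draws nothing
# measurable here; the 500 us transmit starts 100 us later) and two short
# spikes standing in for the random noise the comments worry about.
EVENTS = [(120e-6, 500e-6, I_TX), (900e-6, 30e-6, 200e-6), (1500e-6, 20e-6, 400e-6)]
```

Against this trace the bare comparator reports three events while the duration-qualified detector reports one.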

        1. Wow, PM, I was not expecting a reply at all considering the slightly historic nature of this post(in internet time). You not only replied way before the 24 hour mark, but you had a new schematic and write up in hand, including references. I feel it is my duty to fulfill this new schematic and hopefully take pictures during the process. Now to look up some random online place to order the little parts.
          Thank you.

          1. :-) Your request was one of my original ideas, so I had previously investigated it. But because of the listed caveats, that’s not what was done. I had actually replaced my tag battery with a rechargeable cellphone battery and added a microUSB port for charging it, but in reality it would always be dead (from the sensing circuit draw) when I needed to use it, so it was always plugged into the car charger anyway when needed for use. So either forget the rechargeable and just use the car charger all the time or use removable batteries (and a switch) just for the sensing circuit, and leave the tag battery just for the tag.

            BTW, you could just use the LM324 (get it from RS) as listed in the article, but its draw is ~0.7mA so that will drain the E-ZPass battery in about 1 year (vs. 5-10 yrs expected tag life). Also note if you use a TS271 you will also need to set the power draw by use of a 100k-1M resistor between pin 4 and 8 (not in my schematic). See figure 6 in its datasheet.

            good luck with your build.

  4. Out here in CA, the tags already have beepers in them. The only time ours goes off when questionable is at the airport. This is an FAQ at this point – the technology to track taxi and limo visits is compatible and the “extra” tags are ignored.

  5. Hi,

    I have a few questions.

    1) The link to the battery you posted above seems to be a dead link now. Zooming in on the image you posted, it looks like the battery is the Tadiran TL-4902 is that right? This thing: ?
    – It looks according to their website like this battery is optimized for extremely low steady state current draw, whereas their other batteries (like the TLL-5902) are better suited for applications with peak current pulses. I am curious why they would use the TL-4902 in an application where peak current pulses are needed. Are they just assuming such a small duty cycle for how often the peak current pulses (I think you mentioned these pulses are 300uA for 500 microseconds every time the transponder is woken by a 915MHz signal?) that the math just works out better with the 4902?
    2) In one of your comments you mention the transponder ‘wakes’ when receiving a 915.75MHz signal and responds back by transmitting a 914.75MHz signal. Was that a typo or is it true that the responding signal is 1MHz lower frequency than the received signal?
    – Do you know what the bandwidth for the ‘waking’ signal/transmitted signal are? I.E. would the transponder ‘wake’ anywhere between 915.5 MHz and 916MHz (500 KHz bandwidth) and would it transmit the various bytes of information back with any particular bandwidth around the ~915MHz carrier signal?
