Comments on: FasTrak findings are serious http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/ Embedded security, crypto, software protection Tue, 16 Mar 2010 03:16:39 +0000 http://wordpress.com/ hourly 1 By: Robert Thille http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/#comment-5736 Robert Thille Wed, 17 Feb 2010 18:08:51 +0000 http://rdist.wordpress.com/?p=158#comment-5736 The key problem is that you can walk by some car parked on the street, see it's tag, read the number, and transfer it to your own. They don't correlate the Fastrak tag ID against license plates, and only use the plate if there's a problem with reading the tag. The key problem is that you can walk by some car parked on the street, see it’s tag, read the number, and transfer it to your own. They don’t correlate the Fastrak tag ID against license plates, and only use the plate if there’s a problem with reading the tag.

]]> By: Nate Lawson http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/#comment-4752 Nate Lawson Sat, 16 Aug 2008 02:31:17 +0000 http://rdist.wordpress.com/?p=158#comment-4752 They are correct that the transponder does not contain anything more than a serial number (not your name, credit card, etc.) Of course, their reply is a non-sequitur since I never claimed it did have any of that info on it. Could you <a href="http://www.rootlabs.com/contact.html" rel="nofollow">forward</a> that email to me? I guess they won't mind me posting full details if it's no security threat. They are correct that the transponder does not contain anything more than a serial number (not your name, credit card, etc.) Of course, their reply is a non-sequitur since I never claimed it did have any of that info on it.

Could you forward that email to me? I guess they won’t mind me posting full details if it’s no security threat.

]]> By: MG http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/#comment-4751 MG Thu, 14 Aug 2008 22:17:19 +0000 http://rdist.wordpress.com/?p=158#comment-4751 Nate - no doubt you've seen similar responses already, but just in case - here is a reply I received this afternoon: Thank you for contacting The Toll Roads. Upon extensive review, The Toll Roads and the transponder industry determined that Mr. Lawson's claim poses no security threat to our patrons. Transponder identification numbers do not include any personal information. No data is stored on a transponder! Transponder numbers are processed to FasTrak accounts in a secure environment using modern systems, procedures and processes. We ask that you promptly review your statement and notify the FasTrak Service Center if you have any questions regarding any charges and we will be happy to assist you with your account at that time. Nate – no doubt you’ve seen similar responses already, but just in case – here is a reply I received this afternoon:

Thank you for contacting The Toll Roads.

Upon extensive review, The Toll Roads and the transponder industry determined that Mr. Lawson’s claim poses no security threat to our patrons. Transponder identification numbers do not include any personal information. No data is stored on a transponder! Transponder numbers are processed to FasTrak accounts in a secure environment using modern systems, procedures and processes. We ask that you promptly review your statement and notify the FasTrak Service Center if you have any questions regarding any charges and we will be happy to assist you with your account at that time.

]]> By: Nate Lawson http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/#comment-4738 Nate Lawson Thu, 07 Aug 2008 00:21:01 +0000 http://rdist.wordpress.com/?p=158#comment-4738 Hi from Blackhat. grey is right in that an unreadable/missing tag just results in a human looking up your license plate photo. Since FasTrak doesn't charge you more for this, it's probably best to just ditch the toll tag after registering. If they read your plate, it costs the same. If they can't (angle of photo, dirt, etc.), free toll. Meanwhile, less privacy concerns -- everyone wins! However, it does cost FasTrak more for this (9 cents a photo from what I found in public docs.) The worst attack I've heard is to swap IDs around instead of wiping (credit: Adam Shosthack). This way everyone has a valid ID, but sorting out who had what at the end of the month becomes a nightmare. The real cost to FasTrak is the customer service in handling all those calls and replacing the tags ($19 each, according to last public invoice). Hi from Blackhat. grey is right in that an unreadable/missing tag just results in a human looking up your license plate photo. Since FasTrak doesn’t charge you more for this, it’s probably best to just ditch the toll tag after registering. If they read your plate, it costs the same. If they can’t (angle of photo, dirt, etc.), free toll. Meanwhile, less privacy concerns — everyone wins! However, it does cost FasTrak more for this (9 cents a photo from what I found in public docs.)

The worst attack I’ve heard is to swap IDs around instead of wiping (credit: Adam Shosthack). This way everyone has a valid ID, but sorting out who had what at the end of the month becomes a nightmare. The real cost to FasTrak is the customer service in handling all those calls and replacing the tags ($19 each, according to last public invoice).

]]> By: grey http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/#comment-4736 grey Wed, 06 Aug 2008 16:47:02 +0000 http://rdist.wordpress.com/?p=158#comment-4736 I have to disagree a bit Toby - once you've registered your FasTrak in the system, even if the device is non functional, you still get billed thanks to the cameras there to charge people who went through the wrong lane without paying a toll. They correlate the license plate with registered FasTrak owners and if you are one, you get billed and not a ticket, whereas if you aren't expect a citation in the mail. While this will certainly cost them some extra time and thus perhaps money, a failed fastrak isn't the end of the system. Also, in the bay area we only charge one way not both so I think you are looking for 1/7th of the day's revenue rather than 1/14th, but again that's inaccurate because fastrak is used as a billing automation system, it has fallback billing mechanisms too (but if you obfuscated your license plate you might skirt them - but you could do that without attacking fastrak to begin with). Anyway, not to diminish the research, but just wanted to point out it's not relied upon solely. I have to disagree a bit Toby – once you’ve registered your FasTrak in the system, even if the device is non functional, you still get billed thanks to the cameras there to charge people who went through the wrong lane without paying a toll. They correlate the license plate with registered FasTrak owners and if you are one, you get billed and not a ticket, whereas if you aren’t expect a citation in the mail. While this will certainly cost them some extra time and thus perhaps money, a failed fastrak isn’t the end of the system. Also, in the bay area we only charge one way not both so I think you are looking for 1/7th of the day’s revenue rather than 1/14th, but again that’s inaccurate because fastrak is used as a billing automation system, it has fallback billing mechanisms too (but if you obfuscated your license plate you might skirt them – but you could do that without attacking fastrak to begin with).

Anyway, not to diminish the research, but just wanted to point out it’s not relied upon solely.

]]> By: Toby http://rdist.root.org/2008/08/06/fastrak-findings-are-serious/#comment-4735 Toby Wed, 06 Aug 2008 12:20:33 +0000 http://rdist.wordpress.com/?p=158#comment-4735 The Sirit press release indicates that around 42% of the 120 million toll-paying vehicles that cross the 7 state-owned bridges use FasTrak transponders, hence the 50 million transactions per year. Assuming a (below) average transaction cost of $3, that's $150 miliion in transactions a year, or a $400,000 a day from 137,000 transactions. Sit on one bridge and take out half the transponders going across in the course of a day and 1/14th of the day's revenue has been lost, or roughly $28,500. Surely it's in the interest of the authorities in the Bay Area who rely on this income to see that these vulnerabilities are addresses since they, presumably, have most to lose from them. The Sirit press release indicates that around 42% of the 120 million toll-paying vehicles that cross the 7 state-owned bridges use FasTrak transponders, hence the 50 million transactions per year. Assuming a (below) average transaction cost of $3, that’s $150 miliion in transactions a year, or a $400,000 a day from 137,000 transactions. Sit on one bridge and take out half the transponders going across in the course of a day and 1/14th of the day’s revenue has been lost, or roughly $28,500.

Surely it’s in the interest of the authorities in the Bay Area who rely on this income to see that these vulnerabilities are addresses since they, presumably, have most to lose from them.

]]>