Here are the slides from my FasTrak talk and a short summary of my findings. I’m hoping what I’ve found can help officials improve the security and privacy of these systems.
FasTrak and related toll collection systems have been around since the mid-90’s. I started looking at them because I had never signed up due to privacy concerns. However, while the underlying Title 21 standard is public, I couldn’t find any details about the internal workings of the system or any security measures. I bought a few transponders and took them apart to find out.
Besides support for the standard messages, I found no encryption. So it’s easy for an attacker to use a simple RFID reader to collect transponder IDs from cars in a parking lot, then replay them to bill tolls to the real owners. By only using each stolen ID once, it would be difficult to track them down.
Even more surprising, I found support for a lot of proprietary messages that go far beyond toll collection. By sending a few packets, an attacker can activate a hidden “update mode” that allows the ID to be wiped or overwritten with a different one. This goes against claims that the transponder is “read-only” and “there is no memory to write anything to”.
The ability to clone and/or overwrite IDs over-the-air calls into question the admissibility of FasTrak logs as evidence. They get regular subpoenas for these logs, and I wonder how many innocent people were convicted based on the claimed reliability of this system. A non-technical attack is to steal a transponder from the victim and surrepititiously plant it in someone else’s car, creating fraudulent evidence that the victim was somewhere they were not.
Also, the 511.org service creates a massive collection of data, logging every section of freeway traveled by each car that has a transponder. FasTrak has told a reporter (story) that this data is discarded after 24 hours but I can find no written evidence of this. Since all this system does is generate statistics of average travel times, it could be significantly reduced from its current form. Instead of querying and logging all cars, it could randomly sample cars so only 1 out of every 100 were used. Each record could be discarded after 10 minutes or so since the readers are located approximately at each freeway exit. A car that was logged at one sign but not the next probably exited.
This updated system would still achieve the stated goals while reducing the chances for a privacy compromise. It also would only require changing the server software, not the readers or transponders.
I’m working on an add-on “privacy kit” to retrofit transponders. It consists of a timer circuit and activation button, similar to a garage door opener. It keeps the transponder powered off except for a minute or so after the user presses the button. This protects the user from privacy exposure (except while paying tolls) and cloning or overwrite attacks. The downside is it would require technical skills to attach to the transponder. However, newer models are coming out that have an open battery bay, making it easy to add this privacy kit.
I hope to release schematics free of charge and create a kit that would be available at no profit to myself. Hopefully this will convince transponder vendors to add an opt-out capability into future designs.
Transit agencies interested in more details on my research can contact me here.