RFID industry tries to spin toll findings

I was interviewed today regarding my findings regarding the Fastrak electronic toll collection system.  It seems that the industry PR spin machine has already begun responding.

First, this article questions my credibility and claims that the Fastrak transponder is read-only.

‘If Lawson has not even established that FasTrak transponders are a read-only device (best called a “tag”) rather than read-write, then he’s totally unqualified to be talking about potential misuse.’

Apparently the author of the article has not even opened the cover on a Fastrak transponder.  They use an MSP430F1111A microcontroller, which is flash-based.  The firmware and all the data (i.e., your unique ID) are stored in flash.  I can easily authenticate this claim by revealing that your 32-bit ID appears at address 0x1002, which is part of the full “0x0001” Title 21 response packet.

Also reverse engineering this device is hardly much of an accomplishment since all the specifications and protocols of Title 21 are open source.

The base specification for Title 21 is freely available, but the extensions to it are not.  On disassembling a firmware dump from a transponder, I found some surprising things, including messages that allow a reader to update the transponder flash in the field.  Again, I can back up this claim with the message IDs that start this update process: 0x00DE and 0x0480.  To unlock the update process, you need to provide a global key that I will not reveal.

Second, I’ve heard that a vendor plans to issue a press release.  Expect the standard claims that privacy is protected because they “encrypt” your unique ID in their database and data is not retained for very long.  What they mean by “encrypt” is “replace each unique ID with a different one”.  The problem is, replacing the unique ID “CAR-A” with “WXYZ” does not change much.  There is still a unique ID that is stored which always corresponds to the same car, enabling tracking.  Somehow, that information is subject to subpoena, something few Fastrak users are aware of.  Corporations issue privacy policies describing exactly what information is collected and how long it is stored.  Where can I find that information about Fastrak?

Finally, I spoke last week to a consultant to Caltrans who offered to get the local MTC agency technical staff in touch with me.  I explained that I’d be happy to describe my findings and recommendations to them in advance of my Blackhat talk at no charge.  Anyone from those agencies can contact me via my company website here.

6 thoughts on “RFID industry tries to spin toll findings

  1. omg that rebuttal article blows, what utter crap. please, please, please crush them.

  2. It’s really a shame that business with crappy products resort to anything other than FIXING THEIR BROKEN CRAP when a problem is discovered. No, let’s (laughable) go after the messenger!

    Keep up the excellent work, Nate. Looking forward to your talk.

  3. “Nate Lawson who works for something called Root Labs (…)”
    “That sentence makes us think this guy Lawson is an amateur. ”

    Now I’m not a journalist, but that sample of prose from the article makes the writer look like someone tasked with containing the damage, and doing a piss poor job of it.

    “(Root Labs doesn’t have an operational website which for a technology company hardly inspires confidence.)”

    Funny that; for the heck of it, I put Nate Lawson into that search engine thingy, which directed me to http://www.root.org/~nate/, where again, the very first link directed me to http://www.rootlabs.com/.

    C’mon, I’ve witnessed the deterioration of journalistic standards for a few years now, but that kind of drivel has reached an altogether new level of pathetic. The writer must know that: he didn’t even sign it.

    Gosh, I hope this doesn’t rile you as much as it does me =)

  4. Thanks for the support. I’m still waiting to see if anyone technical contacts me to talk about my findings. In the meantime, I continue to work on this stuff in order to keep improving my results.

    I’m hoping some good will come out of all this and some longstanding privacy issues will be addressed, along with the particular implementation issues I will present.

  5. I wouldn’t count on getting anything resembling an intelligent response from that company, if my conversation with the editor of ‘tollroadsnews.com’ is any hint (his vehemence makes me wonder whether he’s an employee of FasTrak).

    I had a short email exchange with the editor, though with the lack of journalistic integrity I seriously hesitate to treat it as a news organization.

    First off, I don’t consider myself a security researcher. It’s an interesting field, but I haven’t the time to pursue it. I did, however, want to give the author the benefit of the doubt; give him an opportunity to see the light. The editor’s responses were scathing, and usually meant to belittle me or Nate (why me, though, I’m still unsure. I didn’t do the research, I was simply letting him know Nate isn’t a nobody).

    I linked him to the blog entry, and I’m fairly certain he didn’t read it. He feels the privacy concerns are unfounded, since if the govt wanted to spy on you they’d use cameras and OCR software to snap pictures of your license plate and record your movements that way. Nevermind that OCR software isn’t reliable, people don’t always have a license plate visible from the location the picture is snapped from, license plates can be swapped out, or covered with dirt/debris that may cause the OCR software to fail, is more expensive than RFID technology to implement, etc etc.

    My opinion is he’s a tool. A real journalist would bother to examine the facts.

Comments are closed.