First, this article questions my credibility and claims that the FasTrak transponder is read-only.
‘If Lawson has not even established that FasTrak transponders are a read-only device (best called a “tag”) rather than read-write, then he’s totally unqualified to be talking about potential misuse.’
Apparently the author of the article has not even opened the cover on a FasTrak transponder. They use an MSP430F1111A microcontroller, which is flash-based. The firmware and all the data (i.e., your unique ID) are stored in flash. I can easily authenticate this claim by revealing that your 32-bit ID appears at address 0x1002, which is part of the full “0x0001” Title 21 response packet.
‘Also reverse engineering this device is hardly much of an accomplishment since all the specifications and protocols of Title 21 are open source.’
The base specification for Title 21 is freely available, but the extensions to it are not. On disassembling a firmware dump from a transponder, I found some surprising things, including messages that allow a reader to update the transponder flash in the field. Again, I can back up this claim with the message IDs that start this update process: 0x00DE and 0x0480. To unlock the update process, you need to provide a global key that I will not reveal.
Second, I’ve heard that a vendor plans to issue a press release. Expect the standard claims that privacy is protected because they “encrypt” your unique ID in their database and data is not retained for very long. What they mean by “encrypt” is “replace each unique ID with a different one”. The problem is, replacing the unique ID “CAR-A” with “WXYZ” does not change much. There is still a unique ID that is stored which always corresponds to the same car, enabling tracking. Somehow, that information is subject to subpoena, something few FasTrak users are aware of. Corporations issue privacy policies describing exactly what information is collected and how long it is stored. Where can I find that information about FasTrak?
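The point about replacing “CAR-A” with a different fixed ID can be shown on a few records. This is an added example, not code from this post's author or from any FasTrak vendor; the readings, the key, the HMAC-based mapping and the per-day variant used for comparison are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample readings: (transponder_id, reader_location, day). Not real data.
READINGS = [
    ("CAR-A", "Bay Bridge", 1),
    ("CAR-B", "Bay Bridge", 1),
    ("CAR-A", "Golden Gate", 1),
    ("CAR-A", "Bay Bridge", 2),
    ("CAR-B", "San Mateo Bridge", 2),
    ("CAR-A", "Golden Gate", 2),
]
DB_KEY = b"constructed-demo-key"  # hypothetical secret held by the database operator


def static_pseudonym(tid, day):
    """One fixed replacement ID per transponder ("CAR-A" -> "WXYZ"); day is ignored."""
    return hmac.new(DB_KEY, tid.encode(), hashlib.sha256).hexdigest()[:8]


def daily_pseudonym(tid, day):
    """Assumed comparison case: the replacement ID also depends on the day."""
    return hmac.new(DB_KEY, f"{day}|{tid}".encode(), hashlib.sha256).hexdigest()[:8]


def stored_trails(readings, pseudonymize):
    """Group stored records by replacement ID, as anyone holding the database could."""
    trails = defaultdict(list)
    for tid, location, day in readings:
        trails[pseudonymize(tid, day)].append((day, location))
    return dict(trails)


def longest_trail_days(readings, pseudonymize):
    """Largest number of distinct days linked under a single stored ID."""
    trails = stored_trails(readings, pseudonymize)
    return max(len({day for day, _ in trail}) for trail in trails.values())


if __name__ == "__main__":
    for name, fn in (("static", static_pseudonym), ("daily", daily_pseudonym)):
        print(name, "longest trail spans", longest_trail_days(READINGS, fn), "day(s)")
        print("  ", stored_trails(READINGS, fn))
```

With the static mapping, the original ID never appears in the stored records, yet every crossing by the same car still groups under one value across days. The per-day variant only limits linkage to within a single day.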
Finally, I spoke last week to a consultant to Caltrans who offered to get the local MTC agency technical staff in touch with me. I explained that I’d be happy to describe my findings and recommendations to them in advance of my Blackhat talk at no charge. Anyone from those agencies can contact me via my company website here.