rdist

August 6, 2008

FasTrak findings are serious

Filed under: Misc,Security — Nate Lawson @ 1:00 am

I haven’t revealed all the details yet about my Blackhat talk on RFID toll pass security.  One reason was I hoped to speak with Bay Area transit officials to alert them beforehand.  The other reason is that I’ve still been analyzing the potential impact of the flaws I found.

Well, the results are in and it’s pretty serious.  I’m reasonably certain an attacker can send a couple messages to a FasTrak transponder and wipe its internal ID.  Also, the ID can be overwritten with a different one.  There is a population of at least 1 million of these vulnerable transponders in California, sold over the past 15 years.  They conduct 50 million transactions per year on Bay Area bridges.  This does not include their use on southern California toll roads.

I think this is a big deal.  If anyone reading this is responsible for engineering at FasTrak, please contact me.  The messages I’ve sent via your website haven’t worked.  Thanks.

6 Comments

  1. The Sirit press release indicates that around 42% of the 120 million toll-paying vehicles that cross the 7 state-owned bridges use FasTrak transponders, hence the 50 million transactions per year. Assuming a (below) average transaction cost of $3, that’s $150 million in transactions a year, or $400,000 a day from 137,000 transactions. Sit on one bridge and take out half the transponders going across in the course of a day and 1/14th of the day’s revenue has been lost, or roughly $28,500.

    Surely it’s in the interest of the authorities in the Bay Area who rely on this income to see that these vulnerabilities are addressed since they, presumably, have most to lose from them.

    Comment by Toby — August 6, 2008 @ 4:20 am

  2. I have to disagree a bit Toby – once you’ve registered your FasTrak in the system, even if the device is non-functional, you still get billed thanks to the cameras there to charge people who went through the wrong lane without paying a toll. They correlate the license plate with registered FasTrak owners and if you are one, you get billed and not a ticket, whereas if you aren’t, expect a citation in the mail. While this will certainly cost them some extra time and thus perhaps money, a failed FasTrak isn’t the end of the system. Also, in the Bay Area we only charge one way not both, so I think you are looking for 1/7th of the day’s revenue rather than 1/14th, but again that’s inaccurate because FasTrak is used as a billing automation system; it has fallback billing mechanisms too (but if you obfuscated your license plate you might skirt them – but you could do that without attacking FasTrak to begin with).

    Anyway, not to diminish the research, but just wanted to point out it’s not relied upon solely.

    Comment by grey — August 6, 2008 @ 8:47 am

  3. Hi from Blackhat. grey is right in that an unreadable/missing tag just results in a human looking up your license plate photo. Since FasTrak doesn’t charge you more for this, it’s probably best to just ditch the toll tag after registering. If they read your plate, it costs the same. If they can’t (angle of photo, dirt, etc.), free toll. Meanwhile, fewer privacy concerns — everyone wins! However, it does cost FasTrak more for this (9 cents a photo from what I found in public docs.)

    The worst attack I’ve heard is to swap IDs around instead of wiping (credit: Adam Shostack). This way everyone has a valid ID, but sorting out who had what at the end of the month becomes a nightmare. The real cost to FasTrak is the customer service in handling all those calls and replacing the tags ($19 each, according to last public invoice).

    Comment by Nate Lawson — August 6, 2008 @ 4:21 pm

  4. Nate – no doubt you’ve seen similar responses already, but just in case – here is a reply I received this afternoon:

    Thank you for contacting The Toll Roads.

    Upon extensive review, The Toll Roads and the transponder industry determined that Mr. Lawson’s claim poses no security threat to our patrons. Transponder identification numbers do not include any personal information. No data is stored on a transponder! Transponder numbers are processed to FasTrak accounts in a secure environment using modern systems, procedures and processes. We ask that you promptly review your statement and notify the FasTrak Service Center if you have any questions regarding any charges and we will be happy to assist you with your account at that time.

    Comment by MG — August 14, 2008 @ 2:17 pm

  5. They are correct that the transponder does not contain anything more than a serial number (not your name, credit card, etc.) Of course, their reply is a non-sequitur since I never claimed it did have any of that info on it.

    Could you forward that email to me? I guess they won’t mind me posting full details if it’s no security threat.

    Comment by Nate Lawson — August 15, 2008 @ 6:31 pm

  6. The key problem is that you can walk by some car parked on the street, see its tag, read the number, and transfer it to your own. They don’t correlate the FasTrak tag ID against license plates, and only use the plate if there’s a problem with reading the tag.

    Comment by Robert Thille — February 17, 2010 @ 10:08 am
