Hacking Vulnerability Revealed in California Toll Pay System

Published November 1, 2008

Drivers using the automated FasTrak toll system on roads and bridges in California’s Bay Area could be vulnerable to identity theft and fraud, according to Nate Lawson of Root Labs, a computer security firm that exposed FasTrak’s security problems to the public.

Despite previous reassurances from the Bay Area Metropolitan Transportation Commission (MTC) that the system was secure, Lawson says the unique identity numbers that identify FasTrak wireless transponders, which are carried in cars for the toll scanners to read, can be copied or easily overwritten.

Toll transponders can be cloned, Lawson said, allowing fraudsters to travel for free while others unwittingly foot the bill. Criminals could use the FasTrak system to create false alibis by overwriting their own ID onto another driver’s device before committing a crime. The toll system’s logs would appear to show the perpetrator driving at another location when the crime was being committed.

No Encryption, Despite Assurances

State transportation authorities have insisted the FasTrak system uses encryption to secure data, and they have said no personal details are stored on the device—just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, and the other acts as a unique identifier to let radio receivers at toll areas detect cars as they pass.

Lawson opened up a transponder, however, and found there was no security protecting the IDs. Also, despite previous claims the devices are read-only and hence cannot be altered, Lawson found IDs are actually stored on rewritable flash memory.

“I’m not aware of any evidence that the flaws I found in the FasTrak system are being actively exploited,” Lawson said. “I found two classes of problems: Transponders can easily be cloned, and a special message can be sent to anyone’s transponder to reprogram its internal ID.”

The latter technique could be used to wreak havoc on the system, costing FasTrak money to recall hacked transponders.

Remedies Suggested

These are serious issues, Lawson notes, but there are things FasTrak could do—such as increasing auditing of successful transactions—to keep tabs on the fraud rate while transitioning to a new design.

“I haven’t seen evidence that they plan to replace the current system, though,” Lawson said.

“One thing I would like to see is more openness in the design and implementation of technology that has such widespread impact,” Lawson added. “There should be a detailed description of how the customer’s data is protected and privacy ensured, and regular system reviews performed by third-party security auditors.”

RFID Also Problematic

Lawson says turning to radio frequency identification devices (RFID) as a solution would be “worse security-wise than FasTrak.

“Because of the push by investors to increase profits, vendors constantly add features to commercial RFID systems, even ones that worsen the security,” Lawson said. “They quickly outgrow the original design parameters, and security suffers.”

In addition to stepped-up auditing of FasTrak records, Lawson recommends “a publicly reviewed process of upgrading their system [especially to add encryption].” “It’s not yet time to run screaming,” he said, “but perhaps they should move slowly but surely to replace the design that’s been around since the mid-’90s. This is an excellent time to add privacy to the list of design goals. As transponders naturally fail, new ones could be supplied until the old ones are all replaced.”

Mylar Bags Offered

MTC spokesman Randy Rentschler said his agency is examining potential FasTrak security problems.

“No one is denying there could be a problem,” Rentschler said. “We believe those who claim that they can do it. We are investigating this and currently have not found any evidence of a problem.”

Rentschler points out FasTrak tags contain no personal information, only the toll tag number. In addition, he said, “there is not a whole lot of motivation for people to do this.

“If a person does this, he could be subject to forgery and theft charges under California law,” Rentschler said. “The role of government is to enforce laws. I do not see many free-market opportunities to substitute for government enforcement.”

Rentschler offered the following solution: “If people are concerned, there are two options. First, they can pay cash. Second, we provide a Mylar bag that the tag can be put in when not in use.

“At this time, I think it’s fair to say that on this issue we have yet to have a real problem reported by a customer, nor have we found any problems by any other toll agency in the land,” Rentschler said.

Market Role Suggested

Bruce Schneier, chief security technology officer at BT Global Services, said the significance of the problem for government policy depends on how much money is being lost.

“If individuals are doing it, probably none,” Schneier said. “If individuals are selling the solution in bulk, it could be a significant revenue loss.”

Tawnya Clark, director of marketing for Sirit Inc., a multinational RFID firm, suggested developing universal standards for programs such as FasTrak is the key to establishing long-term security.

“A unified standard agreed upon by [either government or private sector] agencies [allows] any manufacturer to build to a common interoperable standard, thus providing multiple sources for tags and readers which provide the toll authority and end users with better pricing, functionality, and level of service through competition between the different manufacturers,” Clark said.

“It would also eliminate the circumstances of being at the mercy of a single-source, proprietary equipment provider,” Clark added.

Tabassum Rahmani writes from Dublin, California.