Security? What Security? Automatic Toll Systems And Passports Found Easily Hackable

from the security-as-an-afterthought dept

Thu, Aug 7th 2008 5:17pm — Mike Masnick

At this point it shouldn't be a surprise that various systems that shouldn't be are quite easily hacked, but that doesn't make it any less disturbing. Over at this years Black Hat event there was a demonstration of just how easy it is to hack the automatic toll devices used at most bridges and toll roads throughout the country. The stunning part is that it appears that the folks who created these transponders did almost nothing to keep them secure. They're constantly broadcasting and they include no encryption. And this is a device that often connects directly to a registered credit card. Sense a potential problem? The researchers who showed this pointed out that it wouldn't be difficult for someone to clone your transponder and make you start paying for their tolls. Alternatively, it could be used to create an alibi for someone planning to commit a crime -- since police have used toll crossing data to establish where someone is.

Meanwhile, over in the UK, an investigation has found that the chips in the supposedly "fakeproof" e-passports are easily cloned, manipulated and passed through the checking machine -- which is especially worrisome given that 3,000 blank e-passports were stolen just last week. Of course, people have talked about the possibility of such hacks for years -- even before they were put in place -- to show how silly it was to think they were secure. And, of course, the best response comes from the UK gov't. After being presented with the fact that the chips can be changed or modified, the statement from the government was: "No one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader." If you keep saying it, maybe you can pretend it's true.

In both cases, though, the striking thing is that these aren't "surprise" vulnerabilities. They should have been somewhat obvious to those who crafted these systems in the first place. Both are now working on "patches" to deal with the problems, but it's pretty difficult to completely patch a system that's so widespread -- and either way it will take some time. So why weren't these systems designed with better security in the first place?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: automatic toll, e-passports, ez pass, fastpass, hacking, passports, security

8 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 7 Aug 2008 @ 5:44pm

Q & A
question: So why weren't these systems designed with better security in the first place?

answer: lowest bidder
[ link to this | view in thread ]
Anonymous Coward, 7 Aug 2008 @ 8:28pm

Now if these hackers could reverse engineer the RFID's to triangulate on the transponsders so I can go blow them up, I'd create the next Boston Tea Party. Let me know how it progresses.
[ link to this | view in thread ]
Rekrul, 8 Aug 2008 @ 1:55am

Alternatively, it could be used to create an alibi for someone planning to commit a crime -- since police have used toll crossing data to establish where someone is.

Did I miss some technological developement that only allows cars to be driven by their rightful owners? "Gee officer, even though I'm covered in blood, it couldn't have been me, my car... Uh, I mean *I* was across town at the time. Just check the toll records."
[ link to this | view in thread ]
Anonymous Coward, 8 Aug 2008 @ 2:43am

Re:
"Did I miss some technological developement that only allows cars to be driven by their rightful owners?"

Maybe?

It's likely the toll information is used in conjunction with other evidence to lend weight. E.g. a witness says they saw someone who looked like X at location Y. Toll information backs this up.
[ link to this | view in thread ]
Rubberman, 8 Aug 2008 @ 6:42am

Time to Market
Secure systems are the most difficult to design/develop. In an effort to get a product to market before the competition, baseline functionality is always placed ahead of security for most companies, thinking (falsely) that they can "add more security later". After all, it's only software, right?
[ link to this | view in thread ]
another mike, 10 Aug 2008 @ 2:50am

further developments
Students at MIT recently hacked one of these systems as a demo and in true Streisand Effect fashion, the manufacturer sued them to make sure the information was as widely distributed as possible.
[ link to this | view in thread ]
Anonymous Coward, 13 Aug 2008 @ 3:48am

Security in a different place
At least some of the widely-used toll collection systems (e.g., the one's that use the EZ-Pass name in the US Northeast) knew from the beginning that the transponders could be cloned easily. Their security is elsewhere: They photograph the license plate and driver of every car. So, yes, you can drive around with a cloned pass - but eventually the original owner will complain, and there will be your car, plate, and photo providing evidence against you.

Note that EZ-Pass requires that you use your pass with a single car/plate. Right now, they don't seem to do much with this, but I suspect that in the long run they'll go with automated license plate recognition, which is already a reasonably workable technology. Then they could instantly cross-check the transponder with the plate.

You can come up with all sorts of variations on cloning, but they don't work out so well or are easy to counter. For example, you could build a device that listened for the passes being used as you approached a toll station and then just picked one and used it. That way, the any given person whose id you were using (a) would have only have one extra charge; (b) would have it at at time/place he expected to go. Of course, the system could easily spot multiple uses of the same id too close together. If you extend this to a "tumbler" system - record many id's over time and pick one at each toll station - you can probably keep going for a while, but eventually you're going to use an exhausted account, or one used 10 second before 100 miles away, or any of a variety of other things that will flag your car for a quick discussion with the police - at which point what you're doing is going to be pretty obvious.

There are attacks on every system and there may be attacks on this one, but simple cloning is not a significant one.
[ link to this | view in thread ]
Matthew, 31 Oct 2011 @ 9:27am

Re: Security in a different place
They don't actually photograph every license plate and car that goes through. If the transponder reads- no photo. That's why I am stuck paying for $57 worth of tolls that have been run up and down the east coast while my car and transponder have never left Maryland. EZ Pass has no intention of refunding my money or giving me a new transponder to replace mine.
[ link to this | view in thread ]