back to article Hack ushers in the insatiable toll booth

A widely used device for paying traffic tolls electronically is vulnerable to tampering that could create trouble for those who use it, a researcher said Wednesday. The FasTrak transponder uses radio frequency identification (RFID) technology to communicate with reader devices located at toll booths. Motorists use the devices …


This topic is closed for new posts.
  1. yeah, right.

    Ostrich security?

    Ah yes, the "head in the sand" approach to security. If we don't allow ourselves to see it, then it doesn't exist. Besides, the sales rep said it was secure, what does a pesky researcher know about such things?

    Surprised he hasn't contacted Sirit yet. Or has he tried to contact them and been forwarded to their sales and marketing department, who reassured him that his research was incorrect since they have assured their customers that it's completely secure?

  2. Ed


    Who designs these things? I mean honestly, you have to be fairly well qualified to design an RFID tag. You'd think they'd have learnt that 'security by obscurity' doesn't work, and even if they're relying on obscurity, they should at least make it obscure!

    I'd argue that all security is via obscurity, it just depends how obscure. Even the strongest encryption relies on obscurity...

  3. Mike Kay

    FasTrak billing process

    While by no means I am happy with the security gap, the tolls in California always capture the photo of the license plate along with the fasTrak log record on crossing.

    The license plate is then OCR'ed and matched to FasTrak ID for billing purposes.

  4. jack horner

    Running out of names?

    Why did they call their company 'Sirit Technology' - has someone else already grabbed the name 'Shit Technology'?

  5. Herby

    With the Golden Gate Bridge tolls going up...

    Fraud on this type of device could be quite interesting. They allow pedestrians right next to the cars going across the bridge, and with a small Yagi antenna, one could re-program all of the devices to say, the Mayor of San Francisco. Now THAT would be a very interesting idea.

    Yes, I have one of these things. I've kept it "out of sight" (not stuck to the windscreen) since I've moved it to a new vehicle. Didn't know they were THAT insecure!

  6. Matt

    Always the license plate?

    I'm sure if there is wide scale fraud, they can OCR to match transponders to plates.

    I do not believe they currently do that match for EVERY transaction -- only when the transponder isn't read do they run the plate and either bill fastrak account, or send you a bill for non account holders.

  7. A


    I know everything's always given to the lowest tender (which in turn almost guarantees the end result will suck), but seriously, sending in the clear?!? On a payment system?!? Are they absolutely insane? Someone should have their head stuck on a spike for this one.

    > The license plate is then OCR'ed and matched to FasTrak ID

    There's just one tiny problem, it's a little thing called licence plate cloning. It's apparently very popular here in the UK at the moment, what with us having speed cameras every two feet.

  8. Bas Scheffers

    The trouble with RFID

    The trouble with RFID:

    1. Cheap

    2. Secure

    3. Long range (more than a couple of cm)

    Pick two. Obviously FasTrak chose 1 and 3.

  9. call me scruffy

    @Bas Scheffers

    I think they chose a different kind of "Cheap", since the transponder is already an independently power gizmo, range is assured and cost is already a goner. I think they chose "Cheap" as in "This Hi School Kid doesn't charge much".

    (Which is also the level of competence that forgets the code-protection bit.)

    To be fair to them, once the black-hats came into play it was a fair bet that the any symmetric keys in the firmware would be discovered, any bespoke crypto function would be analysed and even small asymetric keys might have been factorised.

    But that doesn't excuse them from making such a piss-poor effort. It would have been trivial for the transponder to broadcast the time and place of it's previous authentication as part of the handshake, and that would have raised the bar much higher for an attack.

    I'm now jacking in my lucrative consultancy career to start tendering for government projects. Don't tell anyone but I'll just sell them the Fischer Price version, in a slightly less sturdy box.

  10. Steve

    researcher said Wednesday

    Why did the researcher say Wednesday? What does this have to do with the story?

  11. This post has been deleted by its author

  12. Roger

    But what about number plate verification

    I am sceptical of this, the variant used throughout New England (EZPass) uses number plate verification to cross check the transponder. When I transferred a transponder from one car to the new one without telling them it picked it up after the 2nd time we went through a toll and flashed the orange warning.

    I don't know the CA system, are you sure it has no such verification

  13. rob

    This is why they photograph the license plates.

    I bet you were wondering what those tin can like structures were pointing at the front and rear of your car?

  14. Throatwobbler Mangrove

    Tedious EZ Pass discussion

    "I am sceptical of this, the variant used throughout New England (EZPass) uses number plate verification to cross check the transponder."

    I don't think that's a safe assumption - at least in NYS, you are allowed to use your EZ-Pass with any other vehicle of the same type (i.e. use a car tag in another car but not a truck):

    "Your Tags can be used in any other vehicle classified as an individually owned or leased vehicle with two axles, a maximum gross weight of 7,000 pounds (vehicle and load) and single rear tires (includes RV’s and pickup trucks with dual rear tires)."

    I have used my car's tag with borrowed/rented etc cars and the billing has gone through fine. Perhaps a license plate photo can be accessed in case of dispute or billing failure, but it doesn't appear to require cross-verification in most circumstances.

  15. RW

    Government tenders

    As always looking for root causes, I point in this case to tenders that do not fully specify functional requirements.

    Just why a tender for these transponders was issued without specifying "cannot be hacked" with long list of example hack methods, I do not know, but a little bird suspects that it's because tenders are drawn up by purchasing departments, wherein serious knowledge of IT issues is utterly lacking.

    I offer as an example the purchasing agent at my former employer who was a dimwit and a liar in the bargain.

    "Call me scruffy" might do better starting a new career in writing tenders for government departments; or at least the IT security sections.

  16. Dick

    @ Kevin Blain

    Small yagi? Yep, that's what the CA FasTrak system uses.

  17. kain preacher

    licence plate cloning

    There's just one tiny problem, it's a little thing called licence plate cloning. It's apparently very popular here in the UK at the moment, what with us having speed cameras every two feet.

    Not a big issue in the states. Caught with stolen tags or plates in a California you can face up to three years in the slammer

  18. John
    Black Helicopters

    "no system is completely secure... I bet you Jim could get in"

    David Lightman (aka Matthew Broderick) - War Games 1983. This inspired me to get interested in computers. Helicopter cos there was one in the film.

  19. jubtastic1

    I just read about this in a book...

    'Little Brother' by Cory Doctorow, this exact exploit is used to stick it to the man, also a good book, and free to read at

    *fires up Xnet*

This topic is closed for new posts.

Other stories you might like