SCDigest
Editorial Staff
Lawson Says: |
It amazes me there has not already been widespread fraud, cloning, and selling of ‘free transponders’ that” were hacked and reprogrammed...there’s nothing there technically to prevent it.
Click Here to See Reader Feedback
|
Experts at computer security firm Root Labs have found that at least one auto toll system based on RFID tags – the FasTrak system in San Francisco – uses little or no security and is therefore subject to many hacking, theft and privacy problems for Bay area drivers. It also highlights that various privacy-related issues with regard to RFID-based systems are not likely to go away soon, especially in systems not well architected to prevent such concerns.
Like many toll systems nation-wide and around the globe, the FasTrak system uses an RFID transponder, typically placed on a car’s windshield, to identify a vehicle as it approaches a toll booth. The identification number on the tag is read, allowing the vehicle to pass successfully through the toll booth area and adding the cost of the toll to the user/vehicle’s account.
The Root Lab analysis found the tags used in FasTrak do not employ any encryption, even though there’s a “placeholder” for an encryption key, according to Nate Lawson, a principal at the firm. He says for that and other reasons, tags could be copied or created with relative ease. This could enable, for example, someone to read the number off of another car’s tag, and then write that number to a different transponder that would then be accepted at the toll booth and debit the first driver’s account.
"It's trivial to clone a device," Lawson said at a recent security conference. "In fact, I have several clones with my own ID already."
He also said he is surprised a black market for cloned or copied devices hasn’t already emerged.
“It amazes me there has not already been widespread fraud, cloning, and selling of ‘free transponders’ that were hacked and reprogrammed,” he said. “There’s nothing there technically to prevent it.”
The vulnerability could lead to all sorts of problems. In addition to some drivers escaping the tolls, the drivers whose IDs were copied would then face toll charges that perhaps far exceed their real use; they would have to argue or prove that the charges weren’t theirs. In addition, criminals could theoretically copy their IDs to another vehicle to provide an alibi for the time of a crime.
(RFID and Automatic Identification Article - Continued Below) |