Tuesday, July 22, 2008

FasTrak Toll Hacked, Exposing Privacy Dangers

Granted, I'm a little late on this article (by two weeks), but as a FasTrak user, I am especially dismayed (though not surprised) by this article from Dark Reading about a recent discovery that FasTrak transponders are vulnerable to sniffing, cloning, and surreptitious tracking of a driver’s comings and goings.

How could this be, you ask? Well, as you probably know, FasTrak uses RFID technology, which security researchers have shown to be rife with privacy and security risks. Before I get to the findings of researcher Nate Lawson, here's an excellent breakdown by the ACLU's Nicole Ozer of how such a privacy breach is possible:

...the systems have no encryption or other technological protection measures to ensure that the information is not read by unauthorized readers or copied and cloned for misuse. Without protections, it is not just those toll booth and freeway sign readers that can track who you are and where you are going, but also that homegrown sniffer that Lawson plans to put up to collect information.


All it often takes to copy and clone RFID tags that lack adequate technological protections like robust encryption and authentication are some spare parts off the internet and some reason to want to do it- be it for monitoring and tracking, entering without authorization, or identity theft.

It is for these reasons, in fact, that groups like the ACLU and the Consumer Federation of California (among many others) have joined forces to ensure that state-issued RFID-embedded documents have adequate protections to safeguard privacy, personal security, and public safety.

Currently, our coalition is working hard in support of a series of RFID regulation bills authored by State Senator Joe Simitian. I will thus repeat Nicole's request here that you please contact the Governor and urge him to sign SB 30 and SB 31.

Now let me get to a few of the choice clips from the article on this rather disturbing news:

A Black Hat researcher recently reverse-engineered the popular RFID-based FasTrak toll tag that some drivers in the San Francisco Bay Area affix to their windshields for pre-paying highway tolls, and discovered some gaping security holes that leave these transponders vulnerable to sniffing, cloning, and surreptitious tracking of a driver’s comings and goings.


The FasTrak transponder provides the user’s unique identification code -- the driver’s toll balance and other financial and personal information are stored on back-end servers. Lawson says it’s been difficult to get any information on how those servers are locked down, so it’s unclear how customers’ personal data is protected. He says he hasn’t looked at any other toll tag systems such as EZPass -- and whether they leave users vulnerable to breaches of privacy depends on how they collect and handle the data.


After cracking the hardware and studying the firmware with help from fellow researcher Chris Tarnovsky, Lawson says he was surprised to see no sign of encryption inside, although there’s a “placeholder” for an encryption key. “It amazes me there has not already been widespread fraud, cloning, and selling of ‘free transponders’ that” were hacked and reprogrammed, he says. “There’s nothing there technically to prevent it.”


So he’s come up with an alternative way to shield the FasTrak transponder from sniffing and giving out too much information: “I designed a daughter-board that you add to the pass. You press a button on it so when you near the toll plaza, it activates RFID, and then immediately cuts the power to the whole circuit when it’s done,” he says.
