Security? What Security? Automatic Toll Systems And Passports Found Easily Hackable
from the security-as-an-afterthought dept
At this point it shouldn’t be a surprise that various systems that shouldn’t be are quite easily hacked, but that doesn’t make it any less disturbing. Over at this years Black Hat event there was a demonstration of just how easy it is to hack the automatic toll devices used at most bridges and toll roads throughout the country. The stunning part is that it appears that the folks who created these transponders did almost nothing to keep them secure. They’re constantly broadcasting and they include no encryption. And this is a device that often connects directly to a registered credit card. Sense a potential problem? The researchers who showed this pointed out that it wouldn’t be difficult for someone to clone your transponder and make you start paying for their tolls. Alternatively, it could be used to create an alibi for someone planning to commit a crime — since police have used toll crossing data to establish where someone is.
Meanwhile, over in the UK, an investigation has found that the chips in the supposedly “fakeproof” e-passports are easily cloned, manipulated and passed through the checking machine — which is especially worrisome given that 3,000 blank e-passports were stolen just last week. Of course, people have talked about the possibility of such hacks for years — even before they were put in place — to show how silly it was to think they were secure. And, of course, the best response comes from the UK gov’t. After being presented with the fact that the chips can be changed or modified, the statement from the government was: “No one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader.” If you keep saying it, maybe you can pretend it’s true.
In both cases, though, the striking thing is that these aren’t “surprise” vulnerabilities. They should have been somewhat obvious to those who crafted these systems in the first place. Both are now working on “patches” to deal with the problems, but it’s pretty difficult to completely patch a system that’s so widespread — and either way it will take some time. So why weren’t these systems designed with better security in the first place?
Filed Under: automatic toll, e-passports, ez pass, fastpass, hacking, passports, security
Comments on “Security? What Security? Automatic Toll Systems And Passports Found Easily Hackable”
Q & A
question: So why weren’t these systems designed with better security in the first place?
answer: lowest bidder
Now if these hackers could reverse engineer the RFID’s to triangulate on the transponsders so I can go blow them up, I’d create the next Boston Tea Party. Let me know how it progresses.
Did I miss some technological developement that only allows cars to be driven by their rightful owners? “Gee officer, even though I’m covered in blood, it couldn’t have been me, my car… Uh, I mean *I* was across town at the time. Just check the toll records.”
Re: Re:
“Did I miss some technological developement that only allows cars to be driven by their rightful owners?”
Maybe?
It’s likely the toll information is used in conjunction with other evidence to lend weight. E.g. a witness says they saw someone who looked like X at location Y. Toll information backs this up.
Time to Market
Secure systems are the most difficult to design/develop. In an effort to get a product to market before the competition, baseline functionality is always placed ahead of security for most companies, thinking (falsely) that they can “add more security later”. After all, it’s only software, right?
further developments
Students at MIT recently hacked one of these systems as a demo and in true Streisand Effect fashion, the manufacturer sued them to make sure the information was as widely distributed as possible.
Security in a different place
At least some of the widely-used toll collection systems (e.g., the one’s that use the EZ-Pass name in the US Northeast) knew from the beginning that the transponders could be cloned easily. Their security is elsewhere: They photograph the license plate and driver of every car. So, yes, you can drive around with a cloned pass – but eventually the original owner will complain, and there will be your car, plate, and photo providing evidence against you.
Note that EZ-Pass requires that you use your pass with a single car/plate. Right now, they don’t seem to do much with this, but I suspect that in the long run they’ll go with automated license plate recognition, which is already a reasonably workable technology. Then they could instantly cross-check the transponder with the plate.
You can come up with all sorts of variations on cloning, but they don’t work out so well or are easy to counter. For example, you could build a device that listened for the passes being used as you approached a toll station and then just picked one and used it. That way, the any given person whose id you were using (a) would have only have one extra charge; (b) would have it at at time/place he expected to go. Of course, the system could easily spot multiple uses of the same id too close together. If you extend this to a “tumbler” system – record many id’s over time and pick one at each toll station – you can probably keep going for a while, but eventually you’re going to use an exhausted account, or one used 10 second before 100 miles away, or any of a variety of other things that will flag your car for a quick discussion with the police – at which point what you’re doing is going to be pretty obvious.
There are attacks on every system and there may be attacks on this one, but simple cloning is not a significant one.
Re: Security in a different place
They don’t actually photograph every license plate and car that goes through. If the transponder reads- no photo. That’s why I am stuck paying for $57 worth of tolls that have been run up and down the east coast while my car and transponder have never left Maryland. EZ Pass has no intention of refunding my money or giving me a new transponder to replace mine.