FasTrak hacking claim - we suspect it's baloney

July 10, 2008
By Peter Samuel

A security specialist is claiming he has "reverse engineered" the Title 21 read-only transponder used in California and Colorado, and says there are "gaping holes" in its security which he says make it vulnerable to "sniffing, cloning, and surreptitious tracking of the driver's comings and goings."

Nate Lawson who works for something called Root Labs is reported at length in a web service called Dark Reading that specializes in security breaches. (Root Labs doesn't have an operational website which for a technology company hardly inspires confidence.)

Dark Reading reports: "Lawson is also researching whether malware could be planted on a FasTrak transponder."

That sentence makes us think this guy Lawson is an amateur.

The only "research" needed to establish whether anything could be planted on the FasTrak transponder is a visit to the website of the manufacturer, Sirit, here:

This makes clear what everyone in the toll business knows, namely that the FasTrak transponder is a read-only device which cannot have anything written to it at all - unlike E-ZPass or SunPass transponders. California has no ticket system tollroads and no need to write to a transponder the entry information for use at exit.

Being exclusively point tolls the California toll roads and bridges have no need to store any information on the transponder and so there is no memory to write to.

The only data FasTrak transponders have encoded is an account number and vehicle class. The account number doesn't tell anyone anything unless they have access to the records on the toll authority's servers - the customer database. The transponder is no help in getting to that.

Vehicle class is hardly a secret - it can be established by looking at the vehicle.

"Yes a car, no a truck."

If you cloned someone else's transponder account number you might put some tolls on someone else's account for a month or so, until the account holder saw the anomalous toll charges. Once notified, all the toll authority would have to do to catch you would be to program the violation cameras to retain pictures of the transactions on that account number, and they'd have you for fraud.

BATA trying to talk to Lawson

John Goodwin at the Bay Area Toll Authority which runs FasTrak in the Bay Area told us they don't know anything about Lawson's claims yet, but early today they were trying to talk to him to find out precisely what he was claiming.

If Lawson has not even established that FasTrak transponders are a read-only device (best called a "tag") rather than read-write, then he's totally unqualified to be talking about potential misuse.

Also reverse engineering this device is hardly much of an accomplishment since all the specifications and protocols of Title 21 are open source. They are 1990 RF technology devised by Texas Instruments, which company put them in the public domain over a decade ago. They were a technical deadend.

Here's the dubious report

TOLLROADSnews 2008-07-10

Leave a comment: