Road Tolls hacked-A researcher claims that toll transponders can be cloned, allowing drivers to pass for free.

Under the hood: After studying the workings of FasTrak transponders such as this one, Nate Lawson says that it is possible to copy or change the identification numbers used to bill drivers as they pass through highway and bridge tolls.

Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.

Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.

The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."

In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.

By copying the IDs ­­­of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.

What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.

"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."

Lawson says that using each stolen ID just once would make it difficult to track down a fraudster. A better solution, he believes, would be to require toll readers and transponders to carry out some form of secure authentication. But this would require changes by MTC. As an alternative, Lawson is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for a brief period as they pass a toll.

There is another way, he says. "It's probably in the user's best interest to just leave it at home." This is because FasTrak uses license-plate recognition as a backup.

Ross Anderson, a professor of security engineering at Cambridge University, in the U.K., says that "very many embedded systems are totally open to tampering by anyone who can be bothered to spend some time studying them."

Competent use of encryption is the exception rather than the norm, Anderson adds, and the situation is unlikely to change soon. "One industry after another is embracing digital technology, and none of them realize that they need computer security expertise until it's too late and they get attacked," he says.

Bruce Schneier, chief security technology officer at BT, based in Mountain View, CA, says that it is too easy for companies to get away with lousy computer security. "Honestly, the best way is for the transportation companies to sue the manufacturers," he says. "Then they'll think twice about selling shoddy products in the future."