road toll transponder hacked

Dustin D. Trammell dtrammell at bpointsys.com
Tue Aug 26 14:24:02 EDT 2008 

On Tue, 2008-08-26 at 13:22 -0400, Ken Buchanan wrote:
> On Tue, Aug 26, 2008 at 11:56 AM, Dustin D. Trammell
> <dtrammell at bpointsys.com> wrote:
> > This is the same for the state-wide Texas tag, TxTag[1].  If your tag
> > doesn't register, or you disable or remove it, the toll system can still
> > accurately bill you based on your license plate and vehicle
> > registration.  If you're not in the TxTag system at all, they simply
> > mail you a bill.
> 
> I think this is a bit different than what Michael Heyman said.  TxTag,
> IIRC, was implemented by the same company (Raytheon) that implemented
> the 407 ETR toll system in Toronto.  In the case of the 407, there is
> no image recognition done if the car has a valid transponder.  Only in
> the case of a missing or invalid transponder is the plate imagery
> used.  Supposedly the OCR has a high enough error rate that there is
> still manual verification of plates before sending a bill, and
> accordingly a $3.60 additional charge is applied per trip.
> 
> If the images are used even when the vehicle has a valid transponder
> -- as Michael Heyman suggests is happening with E-ZPass -- then it
> might be feasible to have back end defenses against cloning, though
> not without inconvenience to customers who borrow cars, buy new cars,
> or rent cars while their own is getting serviced.  Also as Matt Blaze
> pointed out this makes the transponder wholly redundant.

I can confirm that they definitely use imagery even when a valid
transponder is detected.  A couple years or so ago I had to put my
vehicle in the shop and use the wife's for a few days.  I assumed that I
could use my TxTag in her vehicle, and it would simply bill my account,
however a couple of weeks later I received a bill for the tolls, billed
to the owner of her vehicle at our address.  When I called to inquire,
they informed me that it did read the transponder, but mismatched with
the plates.  There was a grace period during which I could update the
transponder to the new vehicle and avoid the fines, but as I would be
getting my vehicle back in a few days, I opted to just order a second
transponder for her car.  They were kind enough to transfer the tolls to
the new transponder and waive the fees.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20080826/734e8f90/attachment.pgp>

More information about the cryptography mailing list