[Cryptography] toll bills, was Encryption opinion

Jerry Leichter leichter at lrw.com
Wed Aug 27 12:27:54 EDT 2014 

On Aug 26, 2014, at 5:28 PM, John Levine <johnl at iecc.com> wrote:
> PS: So is there any crypto on toll transponders, or could I
> skim them from the side of the road and make clones?
From what I've seen concerning the E-ZPass transponders, there's no crypto; they simply respond with a unique ID.  They deal with cloning attacks by ensuring that every transponder reader takes a photo of the license plate and the driver to record along with the transponder ID.  So, sure, you could clone a transponder - or even steal a whole bunch of ID's and roll through them - but all it takes is one person to notice and complain and you're toast.  Since the legitimate license plate is registered with E-ZPass, there's no ambiguity about which charges are legitimate and which ones are from cloned transponders.

Also, the system could easily flag uses of the same transponder at two locations too far apart for a car to have traveled from one location to another in the time between them; for two closely-timed uses in the same location.  This would quickly catch most cloned usage (either capture now and use later, which will eventually trip the "too far apart" test; or capture now and use immediately, which will trip the "closely-time" test) without the legitimate user having to do anything.  With the increasing deployment of license plate OCR, they can detect a cloner immediately.  (The Henry Hudson bridge between Manhattan and the Bronx has a no-stop toll plaza:  If you have E-ZPass, they charge your account; if you don't, they send you a bill based on your license plate.  I doubt they have people reading the plates....)

An interesting and little-known facet of E-ZPass is that they will fine you for using your tag on the "wrong" car.  I was told this by a car rental agent: If you want to use your own tag with a rented car, make sure you register the rented car's plate with your account.  Enforcement of this rule is on a state-by-state basis:  As of a year or two ago, New Jersey was very aggressive about it, New York and Connecticut didn't seem to bother.

(The designers of E-ZPass do think some of these things through:  An account can have multiple registered plates and multiple registered tags, but they don't require you to associate plates with tags, as (a) it would be a pain for people to get right; (b) it would be a real pain for people to *keep* right.  In fact, you don't even have to have the same number of tags and plates.  Over all, the system works pretty well - surprisingly so, perhaps.)
                                                        -- Jerry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140827/b3c129fc/attachment.bin>

More information about the cryptography mailing list