RFID Tags Everywhere…

Check out its vulnerabilities before going all in…

People rarely like history, so bear instead with an easy-to-chew fact that it was around World War II when mankind first used the RFID technology. And the timeframe around which you get to see initial articles on RFID hacking are popularly from 2008 when Nate Lawson from Root Labs blah-blah-blah… not going to ruin my month long research all in the first paragraph! Read it all patiently because it took an awful lot of research, at least for me haha.

So while sluggishly researching on RFID, I stumbled upon a Wired article from as far back as 2006 titled “The RFID Hacking Underground“. It was a really COOL article and I was beguiled at how well-researched the article is even if it’s from nearly two decades ago (see you wouldn’t have known about this if you had simply read the first para…). In that article, there was a mention of a German security expert who hacked the chips of an RFID-based retail shopping store situated in Rheinberg, Germany by cowriting a program called RFDump which let him access and alter price chips using a PDA (with an RFID reader) and a PC card antenna — Lukas Grunwald. And the journalist writing that piece just went about interviewing a bunch of Cybersecurity geeks, who were able to hack nearly all types of RFID chips — ranging from library chips from Libramation Company, chips used in gas stations like SpeedPass, the Texas Instruments RFID tag, and even VeriChip which was an implantable tag. Remember the program RFDump which I mentioned a while ago… Lukas claimed in the piece that it is programmed additionally with the ability to place cookies on RFID tags the same way websites put cookies on browsers to track returning customers. And these cookies can further be used for stalking through an E-Z Pass, the same holds true for books too.

Okay let’s talk about web series… most of you all would have watched, or at least heard (unashamedly I am one of them haha!) about Mr. Robot. Therein was a scene where Elliot, using the “Tastic RFID Thief” (works within the range of 3 feet) from Bishop Fox, clones an employee badge at Steel Mountain — one of Evil Corp’s data centres. Not just that, even the famous “Danger Drone” from Bishop Fox meant for penetration testing can also be used to attack “over the air” protocols such as RFID. Another quite popular RFID reader includes Proxmark III. Don’t expect me to tell you the execution… I AM A NOOB TECHNICALLY, GO LOOK UP FOR YOURSELVES!

This piece will precisely delve into RFID technology flaws with regard to electronic toll collection systems. So let’s get into the basics…

Well for others more into RFID as a whole, there’s a research paper I know of for a detailed approach on RFID cyber risks and its cures — here’s the link. And about RFID hacking and technical stuff, you can watch Bishop Fox’s DEFCON presentation on “Guide to Hacking HF NFC & UHF RFID“!

Electronic Toll Collection Systems

An electronic toll collection system can use a vehicle-mounted transponder that is activated by an antenna and is most commonly operated by RFID. There are also other ways of electronically collecting tolls without a transponder on the windshield — some electronic toll systems are able to record the license plate (services like FasTrak) and automatically send the toll bill to the registered vehicle owner. Additionally, smartphone applications have been developed to help collect toll fees and provide new channels for toll collection. Here, the possible vulnerabilities in toll services like FasTrak (used in California), E-Z Pass (used in U.S.) and FASTag (used in India) will be covered chronologically soon after common security flaws in toll systems as a whole is discussed.

Citing this article, there are several factors to keep in mind when it comes to toll security:

• Cyber risks for toll hacks can occur across any stage of the process, beginning with tag purchase and registration. Online registration process or at toll road rest stops. Using the free on site Wi-Fi to create the account can give a hacker easy access to credit card and personal information, as well as to the tag details.
• Electronic toll systems also depend on third parties to store the information held in their accounts and all networks are susceptible to data breaches.
• Most tags are RFID transponders and encryption on these devices is questionable. Drivers who use the passes daily often leave them attached to the windshield, leaving the device vulnerable to both physical and electronic theft. Hackers that clone RFID toll passes can use them while the toll pass holder foots the bill.
• Anyone using a mobile app for their toll system is also at risk. They’re in danger of downloading a malicious or fake app that can steal information directly from the smartphone.
• Privacy concerns have risen with the adoption of license plate readers and data collection.
• Organizations should have a rapid response mechanism in place to monitor and mitigate electronic toll collection incidents.

While dealing with all these security issues have been categorized in preventing physical as well as internet attacks in the above cited article, there are also other preventive measures which are equally necessary to mitigate further risks:

• Use of an Intrinsic ID which employs physical unclonable functions (PUFs) to differentiate chips from each other.
• Use of a cryptographic key different from the RFID tag’s serial number.

Tag sends serial no. to Reader –> Reader requests Cryptographic key that cannot be cloned

• Use an RFID tag that supports encryption technology (tags and readers based on the ISO 14443 standard support encryption). Here, the key is not generated from any physical differences in the tag. Although if the encryption scheme were cracked, you could clone these tags as well and send the correct key using a cloned card.
• Use the Tag ID (TID) in the transponder along with the serial number.
• A preferably better way would be to use a software layer for security to detect where the card has been used on a certain day to prevent frauds, similar to how credit card companies detect credit card fraud (though magstripe credit cards are easier to clone than RFID transponders).

Possible Vulnerabilities in FasTrak toll system of California

Okay so finally here we are, back again to Nate Lawson of Root Labs who in 2008 hacked the FasTrak toll system… there’s also an article on Hackaday on how he went about it. What he claimed was that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease. This means that fraudsters could clone transponders by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. Not just that, you can’t even wonder just how much useful these security flaws are for miscreants to carry out varied crimes and frauds. As Lawson says, this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one’s own ID onto another driver’s device before committing a crime. The toll system’s logs would appear to show the perpetrator driving at another location when the crime was being committed.

At the time, the Bay Area Metropolitan Transport Commission (MTC) which oversees the FasTrak toll system said that it is secure. They further professed that it uses encryption to secure data and that no personal details are stored — just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

But there was not a sign of any encryption within the transponder when Lawson tested it. What’s more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. It was possible to send messages to the device to overwrite someone’s ID, either wiping it or replacing it with another ID.

As a backup, there is an additional toll collection system in FasTrak for when the customers forget their RFID tags at home — License-plate recognition technology, which detects a certain license plate and sends the toll amount to pay notification to the customer’s account. Though, maintaining a database of license plates is also much debated when it comes to privacy and security of customers.

Possible Vulnerabilities in E-Z Pass toll system of the U.S.

First of all, let’s see how the E-Z Pass system functions:

• As you slowly pass through the E-Z Pass facility, your E-Z Pass tag is read.
• In an instant, the tag information is read by an overhead antenna in the E-Z Pass facility and the proper charge is deducted from your E-Z Pass account.
• At some facilities, there are gates that will go up when a valid tag is read.
• A video enforcement system is in place to identify charge evaders.

The toll plaza equipment consists of a lane controller, toll violation cameras, treadles, variable message signs (VMS), detector loops, and lane transponders. The lane controller coordinates all of the information from each transaction and interacts with the Plaza Local Area Network (LAN). The Plaza LAN connects either via wide area network (WAN) or direct connection to the appropriate service center for the toll road in question.

Each of the participating E-Z Pass toll authorities maintain their own service centers that issue the transponders and maintain the accounts for their local patrons. The centers receive and correlate all of the transactions from the toll plazas it services and adjusts the accounts of the patron, then sending the transaction result back to the plaza within milliseconds. These centers interact when patrons from one center use the toll services of another center.

ETC is generally broken up into three pieces; automatic vehicle classification (AVC), automatic vehicle identification (AVI), and violation enforcement (VE).

Automatic Vehicle Classification (AVC): Sensors, called treadles, are embedded in the roadway to count the axles and determine the tire width. Additional sensors similar to the motion sensors found on automated doors detect the presence of the vehicle and help distinguish and individualize the vehicles. Such sensors use the latest technologies magnetic induction loops, treadles, and laser imaging.

Automatic Vehicle Identification (AVI): The AVI component of the system consists of the RFID transponder located in the automobile and the equipment to communicate with the transponder located at the toll plaza and the License Plate Recognition (LPR) subsystem. While the toll plaza RFID transponder equipment is generally called a reader, in most ETC systems it can also write information to the vehicle transponder such as the time, date, location and vehicle class of the transaction.

Violation Enforcement (VE): Violation enforcement consists of using the identification elements gathered from the AVC and AVI components along with additional information such as license plate and vehicle images to allow authorities to collect from and/or prosecute those who violate the electronic toll plaza. Typical ETC violations are:

• Use of electronic toll collection lanes without a vehicle transponder,
• Insufficient funds in the associated account for identified transponders,
• Use of a transponder from a low-toll vehicle such as a car with two axles in a high-toll vehicle such as a tractor trailer.

Citing the SANS research paper on ETC Systems Vulnerabilities, there are two main types of vulnerability points for the ETC systems. The first type of vulnerability is to the backbone infrastructure, a traditional network security puzzle unique only in the end elements that make it up. The second type of vulnerabilities is at the toll plaza during a transaction. Its common vulnerabilities include:

Nonpayment: through fooling the system either by driving through the ETC lane without a transponder or by following the vehicle in front too closely leaving a negligible distance and hence fooling the toll reader (depends on its version).

Jamming: through popping the transponder off the window and dropping it in the “read prevention” bag.

Eavesdropping: With the signal, you can try to either replay it directly, or decode it and grab out just the responses to replay. Some of the difficulties in this technique are:

• Encoded Signals: the signals are encoded using the Manchester Encoding scheme8. While the Manchester encoding is not encryption, it does require implementing the correct decoding algorithm to obtain the original signal.
• Directional Antennas/Weak Signals: the antennas on both the auto and in the toll lane are highly directional, not only for security but to reduce crosstalk between toll lanes.

Collection: The truly devious would steal two tags from the parking lot, putting the first in the place of the second so the auto owner doesn’t report a stolen tag, then using the second one. Switching tags every few days would leave a confusing trail for law enforcement to unravel.

Build Your Own Token: The easiest way to build your own token is if you have physical access to the ETC transponder and a transponder tag programmer such as those offered by Sirit Technologies. In addition to the detailed information about the system and programming of the tokens, one crucial piece of information would be required, the transponder ID. This can be obtained in one of three ways:

• Eavesdropping at a toll plaza,
• Make one up,
• Copy one from another transponder.

Infrastructure Vulnerabilities: From the viewpoint of malicious intent greater in scale than simple toll fraud, the infrastructure is where it would make the most sense to concentrate efforts. The fact that the E-Z Pass system is decentralized makes it more difficult for miscreants to affect multiple centers. However, it also means there are more ingress points that need to be secured.

Backbone Connectivity: The backbone network for the E-Z Pass systems are, for the most part, sonnet fiber optic networks run from the toll plazas back to the customer service centers. Connection between the service centers utilizes the same types of networks found throughout the rest of cyberspace; leased lines, VPNs, and private networks. Probably it could be harnessed in some way too!

The Databases: All of the patron information is stored in various databases at the customer service centers servicing a particular toll segment. Due to the information contained in these databases, they are required to be protected under various privacy acts. Coordination between these databases is constant as patrons transit the entire E-Z Pass network. These databases are the true crown jewels in the ETC systems and should be the most protected. Compromise of these databases could yield anything from a single patron being able to avoid tolls to complete shutdown of the entire ETC system.

Other Information Stores: The E-Z Pass system provides email notification to users who register for such service. The email portion of the system was hacked into in late 2000 by Christopher Reagoso to demonstrate a system vulnerability. The information on the account was put in a static web page without authentication and the URL emailed to patrons. By replacing the account number in the URL with another, Reagoso was able to view the usage information of other patrons, but not able to directly access the backend datastore about that patron such as address and credit card information. Needless to say that particular hole was patched very quickly.

Possible Vulnerabilities in FASTag toll system of India

If you are looking for the execution part here, a guy called Seedon on Medium has researched to quite a great extent about it by physically testing the FASTag RFID tag. It’s a must to have a look at it!

Here, I’ll be mentioning all those issues which could possibly be harnessed by miscreants for carrying out their plan. But prior to that, let’s be acquainted with the functioning of the FASTag toll system.

FASTag has taken its idea both from the FasTrak system of California, and the E-Z Pass system of the U.S. If you go by the name, it sounds similar to FasTrak indeed… if you study its functioning however, its comparatively more identical to E-Z Pass rather than FasTrak. As an example, the backup toll collection system or the License-plate recognition system of FasTrak isn’t present in FASTag. And if you have studied how the E-Z Pass system works above, same goes for the FasTag. It uses UHF long-range RFID technology in its chips. Also, there exist varied RFID tags with different colors allotted based on the axles of the vehicle being registered (same as E-Z Pass) — these are seven in total:

• M-type: Private car (Violet)
• N-type: Commercial (Orange), Axle 2 (Green), Axle 3 (Yellow), Axle 4/5/6 (Pink), Axle 7 and above (Sky Blue), Machine (Black)

As I mentioned above in the E-Z Pass section, it’s possible to utilize those vulnerabilities here too. Also, the distance between the vehicles passing through the toll plaza could affect the reading of the tag, hence leaving some with nothing due to be paid. Adding two toll gates instead of just one to maintain the gap can probably mitigate this issue. Possible security cons in FASTag are:

• Intermittent technical glitches in RFID scanner occasionally when it ceases to read the tags of passing vehicles,
• Cloning attacks,
• Privacy issues related to government being able to track a certain person as their target (can possibly be used against protesters),
• Overheat of car due to sunlight affects RFID card data occasionally.

Phew! It finally ends…

I am more happy than you all that it finally came to a halt, LOL!

As a concluding statement (just one tiny para I promise!), governments all over the world should post how their toll systems work publicly so that people out there can help contribute to its security and mitigate possible security risks. And the first step towards making something secure is to acknowledge that “nothing is fully secure”. And mind you, if you have doubts about a system and the officials are exclaiming that it is foolproof — DO NOT TRUST! Do not trust them naively until unless you have tried it for yourself.

Be Curious, Be Dubious!