14 comments

[ 3.1 ms ] story [ 43.9 ms ] thread
The lack of encryption in these things is just astonishing. Sure, encryption isn't a magic bullet, but it's the first line of defense, and most programming languages make it so damn easy to use.
Yeah. The fact that these things are being found -- things that deal with people's actual money -- indicates just how incompetent the average ITer is when it comes to security.

I wonder how long hackers have been exploiting these things _without_ announcing them.

Somehow, I'm guessing they're not running a JVM on an TI MSP4xx microcontroller. It's actually not damn easy to get encryption working on controller boards.

What's more, for many of these kinds of systems, encryption that is anything more than a speed bump is very hard to get right, because of key management and round trip limits.

Even in a controller card, it's very easy to at least do some Caesar cipher or anything simple like that. They could even do something a little more complex without much troble.
I'm not sure what the security advantage of ROT13 is.
I didn't say ROT13, it could be ROTx, or it could have a variable x (as with a big key), whatever... the advantage would be to make it slightly more difficult to find the meaning of the numbers in the card. I know security by obscurity doesn't work, but it's better than nothing.
I think it would have been even worse for FasTrak if Nate had got up on stage and said that they tried to pass XOR off as encryption. Then the story would not only be negligence, but also incompetence. There's a plausible story you can tell for why FasTrak isn't secured at all.
You are right.
A lot of controllers have builtin encryption hardware. If you put encryption in the original spec, its not that hard to include.
I can see it being easy to add encryption to a 32 bit part deployed in a pizza box form factor on the bottom of a telephone pole or alongside a train track right of way.

I'm not sure it's that easy when you're constrained to a 16 bit part that can't big bigger than a wallet, has almost no power available, needs to be distributed in volumes of hundreds of thousands or more, needs to cost almost nothing per part, and needs to be one of the vendors that plays well with RF.

Again, this also misses the point that key management and protocol design are more important than the algorithm; it's not necessarily an easy problem to provision keys to 1,000,000 floating devices, nor is it necessarily easy to design a secure protocol that has to run in 1 round trip at 45MPH.

Just some thoughts. Obviously we can agree that this system needs to be more secure. I'm not sticking up for FasTrak; I'm just trying to respect the problem.

Until there's evidence someone is actually exploiting this at an economically relevant level, I wouldn't agree the "system needs to be more secure".

And if it is being exploited, using the existing license-plate cameras may be a more effective means of securing the system than upgrading the transponder behavior.

I think the first point is sensible, even though I disagree with it.

I'm not sure I understand how license plate cameras solve the problem, though. How many tens of thousands of license plates would need to be processed per day, and for what pattern?

Also note that the economics are just part of the problem. Other problems include privacy, chain of evidence, and personal fraud damages.

They already take photos of, at the very least, those who slip through without paying or with a missing/faulty/dead transponder.

So step one is just to take a sample: for X thousand FasTrak transactions, for how many did the license plate and transponder disagree? If it's trivial, there's no economic rationale for fixing the system. Just make a note that transponder logs have a Y% fraud/error rate, for when disputes arise.

If still concerned about the other aspects, save the photo log for exactly as long as the transponder log. That reduces all the issues to the same as those with using counterfeit plates, which we've lived with for over a century, without major problems.

(In fact, I suspect they're already keeping the photo logs, but time will tell.)

It's an interesting point. Obviously, if they had you working for the toll system, they'd be able to come up with some interesting countermeasures. Of course, they don't have anyone like you or I working there.