Highway to Hell: Hacking Toll Systems

Nate Lawson
Blackhat USA
2008/8/6
My background
• Root Labs founder
  – Design and analyze security components
  – Focused on:
     • Embedded and kernel security
     • Software protection
     • Crypto
• IBM/ISS
  – Original developer of RealSecure IDS
• Cryptography Research
  – Co-designed Blu-ray disc content protection layer, aka BD+

How I got interested in toll passes
• I have never used FasTrak
  – Privacy concerns
     • Bridge
     • Freeways
  – Pay cash or take public transit
• How does it work?
  – Almost no analysis available online
  – Title 21 (protocol) is a standard though
• What’s really inside?
  – Buy transponder from Safeway without signing up ($26 cash)
• Perhaps privacy issues can be fixed?

What is electronic toll collection?
• Automatic debit of an account for use of a bridge
  or toll road
• Many possible implementations
  – RFID transponder
  – Image recognition of license plate
• Current systems
  – E-ZPass (East Coast)
  – TollTag, Sunpass, etc.
  – FasTrak (Bay Area + Southern California)

Electronic toll collection
[Figure: toll lane photo with the labels “Readers” and “Windshield Transponder” and the caption “Lane pwned”. Screen grab courtesy of KTVU News]
Tracking and privacy
• Few realize all freeway travel is also tracked
   – Transponders are queried by readers on signs to generate
     realtime traffic statistics (511.org)
   – Separate agency (and thus servers) from toll collection, but
     same transponder

                                             Screen grab courtesy of KTVU News
Tracking and privacy
• Toll transactions are logged
  – Indefinitely? No info in privacy policy
• Freeway travel is separately logged by 511.org
  – The transponder ID is “anonymous” and “only stored for 24
    hours” (KTVU news report)
  – “Users remain anonymous through … encryption software
    that scrambles each FasTrak toll tag ID” (privacy policy)
• Lawyers know this info is available
  – “FasTrak gets about one subpoena a month for toll records.”
    (KTVU news report)
  – Wouldn’t they stop bothering if this info wasn’t useful?

Adding anonymity afterwards difficult
• Conventional approach (adding anonymity)
  – ID → Hash(ID)
     • Not anonymous, just exchanges one ID for another
     • Subject to correlation attacks
     • Ignores meta-information (timing, length, date)
• AOL anonymized search term scandal (2006)
  – Real names and addresses could be recovered by correlating
    info across multiple searches

Robust anonymity has to be built-in
• Reduce collection
   – Query based on a random timer, not all cars
   – Only 1 out of 100 cars necessary to get average speed
• Limit distribution
   – Calculate speed and throw away original IDs after two readings
   – Limit the number of systems that touch it along the way
• Expire aggressively
   – Only statistic needed is sign-to-sign interval
   – Discard IDs after a few minutes
• Cryptography
   – “Untraceable RFID Tags via Insubvertible Encryption” (Ateniese,
     Camenisch, and de Medeiros)
   – “A Scalable, Delegatable Pseudonym Protocol Enabling Ownership
     Transfer of RFID Tags” (Molnar, Soppera, and Wagner)
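One way to implement the retention rules on this slide, as an added example (not code from the talk or from 511.org): a sign-to-sign travel-time collector that queries only a fraction of cars, keeps a transponder ID only until its second reading or a short expiry, and outputs intervals with no IDs attached. The 1-in-100 rate, the 5-minute expiry, the one-mile segment and the readings are constructed assumptions.

```python
"""Sign-to-sign travel-time collection with the data minimization rules
on this slide: query only a fraction of passing cars, keep a tag ID only
until its second reading, expire unmatched IDs after a few minutes, and
retain nothing but the interval. Parameter values are assumptions."""

QUERY_ONE_IN = 100          # slide: 1 in 100 cars is enough for an average speed
EXPIRE_SECONDS = 300        # slide: "a few minutes"; 5 minutes assumed here
SEGMENT_LENGTH_M = 1609.0   # constructed: one mile between the two signs


class TravelTimeCollector:
    """Holds at most one timestamp per sampled tag, and only briefly."""

    def __init__(self, query_one_in=QUERY_ONE_IN, expire_seconds=EXPIRE_SECONDS):
        self.query_one_in = query_one_in
        self.expire_seconds = expire_seconds
        self.pending = {}       # tag_id -> timestamp of the reading at sign A
        self.intervals = []     # seconds from A to B; no IDs are kept here

    def query_this_car(self, car_index):
        """Reduce collection at sign A: only every Nth passing car is
        queried. A counter stands in for the slide's random timer."""
        return car_index % self.query_one_in == 0

    def observe(self, sign, tag_id, ts, car_index):
        """One reading. Sign A stores the time for sampled cars only; sign B
        matches against pending IDs and discards anything else at once."""
        self.expire(ts)
        if sign == "A":
            if self.query_this_car(car_index):
                self.pending.setdefault(tag_id, ts)
        elif sign == "B" and tag_id in self.pending:
            self.intervals.append(ts - self.pending.pop(tag_id))

    def expire(self, now):
        """Expire aggressively: forget tags that never reached sign B."""
        stale = [tag for tag, t0 in self.pending.items() if now - t0 > self.expire_seconds]
        for tag in stale:
            del self.pending[tag]

    def average_speed_kmh(self, segment_m=SEGMENT_LENGTH_M):
        """The only statistic the sign needs, derived from intervals alone."""
        if not self.intervals:
            return None
        return segment_m / (sum(self.intervals) / len(self.intervals)) * 3.6


def run_constructed_traffic():
    """Constructed readings (IDs and times made up): car 0 and car 100 are
    sampled at A and matched at B (60 s and 90 s); car 150 is not sampled
    so its B reading is dropped; car 200 never reaches B and is expired by
    the time car 300 arrives. Returns (intervals, ids_still_held, speed)."""
    c = TravelTimeCollector()
    readings = [
        (0,   "A", 0x11111111, 1000.0),
        (100, "A", 0x22222222, 1010.0),
        (150, "A", 0x55555555, 1012.0),
        (200, "A", 0x33333333, 1015.0),
        (0,   "B", 0x11111111, 1060.0),
        (100, "B", 0x22222222, 1100.0),
        (150, "B", 0x55555555, 1110.0),
        (300, "A", 0x44444444, 1400.0),
    ]
    for car_index, sign, tag, ts in readings:
        c.observe(sign, tag, ts, car_index)
    return c.intervals, sorted(c.pending), round(c.average_speed_kmh(), 3)
```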
Title 21 system history
• California legislature passed a technical law
  – Title 21, Chapter 16 (1992)
  – Developed mostly by Texas Instruments
• FasTrak
  – All Bay Area bridges (BATA)
  – Orange County toll highways
  – Airport parking lots
• Over one million transponders purchased

Title 21 standard
• Layer 1: modulation and frequency
  – Reader downlink
  – Transponder uplink
• Layer 2: packet framing
  – Start sequence, checksum
• Layer 3: packet types
  – Poll messages
  – Responses
• Layer 7: allocation of IDs among agencies

Layer 1: modulation and frequency
• Downlink from reader
  – ~900 MHz carrier frequency
  – Square-wave AM
     • Unipolar ASK of the carrier using Manchester encoding
     • “1”: signal during first half, “0”: signal during second
• Uplink from transponder
  – Backscatter of carrier via antenna polarization
  – Dual-frequency AM
      • FSK of 1200 kHz/600 kHz (“1” and “0”, respectively)
• 300 kbps data rate (both directions)

Layer 1: reader modulation
• Downlink from reader
[Waveform figure: downlink bit sequence 1, 1, 0]
• 300 kbps data rate
• 600 kHz square wave (ASK)
  – “1” = high in first half of period
  – “0” = high in second half of period
Layer 1: transponder modulation
• Uplink from transponder
[Waveform figure: uplink bit sequence 1, 1, 0]
• 300 kbps data rate
• 1200/600 kHz square wave (FSK)
  – “1” = higher frequency
  – “0” = lower frequency
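As an added illustration (not code from the talk), the two bit codings on the Layer 1 slides at the chip level: Manchester for the reader downlink, with a decoder that flags the non-data pairs, and a cycle-count model of the transponder's FSK uplink. The 4 and 2 cycles per bit are derived from the stated 1200 kHz/600 kHz and 300 kbps; the chip representation is my modelling choice.

```python
"""Title 21 layer 1 as described on the slides: 300 kbps both ways;
downlink '1' = carrier present in the first half of the bit period,
'0' = present in the second half; uplink '1' = 1200 kHz, '0' = 600 kHz."""

BIT_RATE_HZ = 300_000
UPLINK_FREQ_HZ = {1: 1_200_000, 0: 600_000}


def manchester_encode(bits):
    """Downlink: each bit becomes two half-period 'chips' (1 = carrier on)."""
    chips = []
    for b in bits:
        chips.extend((1, 0) if b else (0, 1))
    return chips


def manchester_decode(chips):
    """Downlink receiver side. Returns (bits, error_index). The pairs
    (1,1) and (0,0) are not data symbols in this coding: a run of 1-chips
    is the wakeup burst, a run of 0-chips is the gap, and a receiver that
    locked on half a period late produces them mid-stream. Decoding stops
    at the first one and reports its chip index; a dangling odd chip is ignored."""
    bits = []
    for i in range(0, len(chips) - 1, 2):
        pair = (chips[i], chips[i + 1])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            return bits, i
    return bits, None


def uplink_cycles_per_bit(bit):
    """Sub-carrier cycles in one bit period, derived from the slide's numbers:
    1200 kHz / 300 kbps = 4 for '1', 600 kHz / 300 kbps = 2 for '0'."""
    return UPLINK_FREQ_HZ[bit] // BIT_RATE_HZ


def fsk_encode(bits):
    """Uplink: model each bit as the number of sub-carrier cycles sent."""
    return [uplink_cycles_per_bit(b) for b in bits]


def fsk_decode(cycle_counts):
    """Uplink receiver side: 4 cycles -> 1, 2 cycles -> 0, anything else -> None."""
    table = {uplink_cycles_per_bit(1): 1, uplink_cycles_per_bit(0): 0}
    return [table.get(c) for c in cycle_counts]


def slipped_by_one_chip(chips):
    """Constructed fault: the receiver starts one half-period late. Shows
    that the decoder reports the slip rather than silently returning
    a stream of wrong bits."""
    return manchester_decode(chips[1:])
```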
Layer 2: packet framing
• Wakeup signal before message
  – 33 µs burst of 1-bits
  – 100 µs no signal
• Packet start: 0xAAC
• Ends with 16-bit CRC
  – Standard says “CRC-CCITT”
  – Spec bug: initial value is 0, not 0xFFFF like CCITT says
     • If you actually implemented the Title 21 spec, you’d be
       incompatible

Layer 3: standard messages

Reader → Transponder: Polling Message Type 1 (8000)
   – Requests the transponder to send its ID
   – Agency code, 16-bit
Transponder → Reader: Data Message Type 1 (0001)
   – Transponder ID, 32-bit
Reader → Transponder: Acknowledge Message Type 2 (C000)
   – Confirms reception of the transponder ID
   – Transponder ID, 32-bit
   – Reader ID, 32-bit
   – Status, 16-bit
Enrollment process
• Validation code is just toll tag serial number in hex
• Used as a checksum for typos

Diving into the transponder
  “If a Toll Tag fails to operate for reasons other than abuse… we will replace it…”
Diving into the transponder
[Photo of the opened transponder with parts labeled: Antenna (RCV), Demodulation circuit, Battery, TI MSP430, Buzzer, Antenna (XMIT)]
Transponder operation
• Receive side
  – Signal is received and amplified (analog)
  – Demodulated and presented to pin 2.5 as a square wave
• Transmit side
  – Carrier reflected back by swapping pins 1.6 and 1.7 quickly
• Buzzer
  – Timer interrupt + XOR (pins 2.0 and 2.1)

Thanks go to Adam O’Donnell for the RF help
MSP430 basics
• Low-power 16-bit microcontroller
  – 2, 4, and 6-byte instructions
     • Kinda strange: MOV @R14+, R15
  – Von Neumann address space (shared code/data)
     • Helpful for stack/integer overflows (Travis Goodspeed)
  – Self-programmable flash memory
     • Persist that exploit
• MSP430F1111A
  – Peripherals: timer, comparator, ports (address 0)
  – 128 bytes RAM (0x200)
  – 256 bytes data flash (0x1000)
  – 2 KB code flash (0xF800)

FasTrak MSP430 memory map
• Interrupt vectors (FFE0 - FFFF)
• Code flash (F800 - FFFF)
• Data flash (1000 - 10FF)
• Boot ROM (0C00 - 0FFF)
• RAM (0200 - 027F)
• Peripherals (0000 - 01FF)
Dumping the firmware
• Internal firmware is protected by JTAG fuse
  – Normal programming method is via JTAG
• Bootstrap loader (BSL)
  – 256-bit password allows access to flash
     • Probably checked with memcmp()
     • Go see Travis Goodspeed’s talk on timing attacks in the
       BSL

• Rule 1: always try the front door
Old transponders are not locked
• JTAG fuse is not set
  – Plug in microcontroller and read flash memory
  – Verified on a transponder from Southern California
• Newer transponders are locked
  – Need more magic to verify their contents

Bypassing the JTAG fuse
• Silicon magic courtesy of Chris Tarnovsky
   – Depackage chip
   – [Fuse magic happens here]
   – Rebond to DIP package
   – Read out flash
• Code was identical to unlocked
  transponder

If you make silicon, Fly Logic does amazing analysis work. http://flylogic.net/
Monitoring transponder IO
• Add header and socket for DIP CPU
• FPGA tap board and socket on breadboard

What’s inside?
• Load code with IDA MSP430 plugin
  – Full reply messages with checksum laid out in order
  – Main loop: switch (packetLen); dispatch handler
  – Timer interrupts, comparator trigger
• Build a modified msp430simu
  – Cycle-accurate simulator in python
  – Breakpoint/log support routines
     • Checksum
     • Memcpy
     • Receive (poll) for packet
     • Transmit packet
     • Beep

Reader request messages
• Standard
  – Request for ID (8000, 8 bytes)
• Reserved by spec but not supported by firmware
  – Encrypted ID request (80xx, 11 bytes)
     • Agency code (16 bits)
     • Proprietary TI encryption key (24 bits)
  – Encrypted unknown message (88xx, 13 bytes)
     • Transponder ID (32 bits)
     • Proprietary TI encryption key (24 bits)

Lengths include “AAC” header, rounded up to nearest byte.
Reader request messages
• Supported by firmware but not specified
  – 11-byte requests
     • 00DE, 01DE, 02DE, 03DE, 0480, 04DE
  – 36-byte requests
     • 01DF, 05DF
  – 37-byte requests
     • 05DE

Transponder reply messages
• Standard
  – ID response (0001, 10 bytes)
• Reserved and supported by firmware
  – ID and serial response (0007, 22 bytes)
     • “Block A data” (128 bits) which is actually:
         – Unknown (16 bits)
         – Transponder ID (32 bits)
         – Unknown (16 bits)
         – Transponder serial number (BCD, 48 bits)
         – Padding (08FF)
• Reserved by spec but unsupported
  – “Block A and B, C, or D data” (000x, 38 bytes)

Transponder reply messages
• Supported by firmware but not specified
  – Misc ID+serial messages
     • 0002, 38 bytes
         – 16 bytes empty
     • 0005, 38 bytes
         – Bits checked when processing other msgs
  – Empty messages (for future?)
     • 5F07, 30 bytes
     • 0003, 38 bytes
     • 0004, 38 bytes
     • 5F06, 38 bytes

Reader response messages
• Standard
  – Status reply (C000, 16 bytes)
     • Transponder ID (32 bits)
     • Reader ID (32 bits)
     • Status code (16 bits)
• Reserved but not supported by firmware
  – Unknown response 1 (C00x, 20 bytes)
  – Unknown response 2 (C00x, 36 bytes)
     • All the above + 128 bits “data”

What’s not inside?
CRYPTO.
Cloning attacks
• Passive cloning
  – Set up a receiver near a freeway
  – Record IDs as they are transmitted to reader
• Active cloning
  – Drive past parking lots, shopping centers, etc.
  – Use portable reader to scan and log IDs of parked cars
• Missing cryptographic property: replay resistance
  – Reader proves itself to transponder
  – Transponder proves itself to reader
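As an added example of the property this slide says is missing (my illustration, not from the deck or any deployed toll system): a challenge-response poll in which the transponder proves itself to the reader and the reader to the transponder, with per-tag keys and fresh nonces from both sides so a recorded roadside exchange cannot be replayed. HMAC-SHA256, 8-byte nonces, the per-tag key database and the message layout are assumptions.

```python
"""Replay-resistant mutual authentication between reader and transponder,
the property the slide says Title 21 lacks. HMAC-SHA256 with a per-tag
key shared with the reader back end, and a fresh nonce from each side so
a captured exchange is useless later. Constructed example; key handling,
nonce sizes and message layout are assumptions."""

import hashlib
import hmac
import secrets

NONCE_LEN = 8   # assumed; bits on the air, not a recommendation from the talk


def _proof(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated fields, truncated to 8 bytes."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


class Transponder:
    def __init__(self, tag_id: int, key: bytes):
        self.tag_id = tag_id
        self.key = key

    def respond(self, reader_nonce: bytes):
        """Step 2: answer the poll with our ID, our nonce, and a proof bound
        to BOTH nonces. The ID is still sent in clear here; hiding it is
        the anonymity problem from the earlier slides, not this one."""
        tag_nonce = secrets.token_bytes(NONCE_LEN)
        proof = _proof(self.key, b"tag", reader_nonce, tag_nonce, self.tag_id.to_bytes(4, "big"))
        return self.tag_id, tag_nonce, proof

    def check_ack(self, reader_nonce, tag_nonce, ack_proof) -> bool:
        """Step 4: the reader must prove knowledge of the key as well."""
        expected = _proof(self.key, b"reader", reader_nonce, tag_nonce, self.tag_id.to_bytes(4, "big"))
        return hmac.compare_digest(expected, ack_proof)


class Reader:
    def __init__(self, key_db: dict):
        self.key_db = key_db            # tag_id -> key, from the agency back end

    def poll(self) -> bytes:
        """Step 1: poll with a fresh challenge instead of a bare 8000."""
        return secrets.token_bytes(NONCE_LEN)

    def verify(self, reader_nonce, tag_id, tag_nonce, proof):
        """Step 3: reject unknown tags and anything not bound to OUR nonce.
        Returns the ack proof on success, None on failure."""
        key = self.key_db.get(tag_id)
        if key is None:
            return None
        expected = _proof(key, b"tag", reader_nonce, tag_nonce, tag_id.to_bytes(4, "big"))
        if not hmac.compare_digest(expected, proof):
            return None
        return _proof(key, b"reader", reader_nonce, tag_nonce, tag_id.to_bytes(4, "big"))


def run_exchange(reader: Reader, tag: Transponder):
    """Full exchange. Returns (reader_accepted, tag_accepted, transcript)."""
    rn = reader.poll()
    tag_id, tn, proof = tag.respond(rn)
    ack = reader.verify(rn, tag_id, tn, proof)
    tag_ok = ack is not None and tag.check_ack(rn, tn, ack)
    return ack is not None, tag_ok, (rn, tag_id, tn, proof)


def replay_recorded(reader: Reader, transcript) -> bool:
    """The passive-cloning scenario from this slide: (tag_id, tag_nonce,
    proof) was recorded by the roadside and is replayed at a later poll.
    That poll carries a different reader nonce, so the proof no longer
    verifies. Returns whether the reader accepted the replay."""
    _, tag_id, tn, proof = transcript
    return reader.verify(reader.poll(), tag_id, tn, proof) is not None
```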

Monetizing cloning attacks
• Create a subscription service
  – Users get customized transponders or hack existing ones
  – Device downloads new IDs from PC over the air
  – Each ID is used only once, preventing pattern analysis
• Low risk
  – Failure to read transponder = $29 fine
  – Service can pay penalty for subscribers
• Potential customers
  – Trucking companies
  – Drug couriers

Digging still deeper…
• Does FasTrak write data to your transponder?
  – “FasTrak is a read-only device. There's no memory to write
    anything to.” (John Goodwin, BATA)
  – Best interpretation: “We only use it in a read-only manner and
    are not aware our vendor used a flash device”
• But there is memory and it is writeable
  – MSP430F1111A is flash-based, only the BSL is in ROM
  – Supports in-system erase/rewrite

Firmware has ID update routine
• Flash write subroutine is present in firmware
    mov   #0A550h, &FCTL2   ; FWKEY (0A5h in the high byte) + flash timing generator clock select/divider
    mov   #0A500h, &FCTL3   ; FWKEY + LOCK bit cleared: unlocks the flash for erase/write
    mov.b @R14+, 0(R12)     ; copy the next source byte (R14) into the flash destination (R12)

• Called from multiple places in packet processing
  function
• Appears to be used to update the IDs of various
  message responses stored at 0x1000

IDs can be wiped/overwritten from remote
• Flash update can be triggered with a couple
  messages
  – Packet 1: prepare to flash
  – Packet 2: data to write
• Update routine
  – Calculates checksum of data from packet
  – Writes it to various locations of IDs within pre-computed
    response messages stored in flash
• Caveat: update routine only tested in simulator so
  far

Alibi attack
• Establish presence elsewhere during crime
  – Read and save neighbor’s FasTrak ID from parked car
  – Send message to update his transponder with your ID
  – He goes to work at 9 am, you commit crime
  – Subpoena records: you were on the bridge at 9 am!
• Questions
  – Is FasTrak data really considered so indisputable?
  – Will this alibi hold up in court?

Contacting the vendors
• FasTrak is:
  – A technical standard ratified as law by the California
    legislature
  – Administered by CalTrans
  – Locally run by Metropolitan Transportation Commission
    (MTC), Bay Area Toll Authority (BATA), Orange County
    Transportation Corridor Agencies (TCA), etc.
  – With devices potentially provided by multiple vendors, but in
    practice, mostly Sirit
• No response after …
  – Email contact form on bayareafastrak.org
  – Sending business card with reporter who later talked to BATA
  – Speaking to CalTrans consultant

Conclusions
• Electronic toll collection needs improvement
  – Excessive loss of privacy in current usage
     • Please fix this before we move to license plate recognition
  – Clonable if no encryption
  – Untrustworthy for legal evidence
     • Transponder IDs can be overwritten over-the-air
• Found many surprises when opening the box,
  even with an established system
  – I’m happy to explain the details for free to any FasTrak
    authorities who contact me

Contact: nate@rootlabs.com          Info/blog: rootlabs.com

 

Recently uploaded

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 

Recently uploaded (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 

Highway to Hell: Hacking Toll Systems (Blackhat 2008)

1. Highway to Hell: Hacking Toll Systems
Nate Lawson
Blackhat USA
2008/8/6

2. My background
• Root Labs founder
  – Design and analyze security components
  – Focused on:
     • Embedded and kernel security
     • Software protection
     • Crypto
• IBM/ISS
  – Original developer of RealSecure IDS
• Cryptography Research
  – Co-designed Blu-ray disc content protection layer, aka BD+

3. How I got interested in toll passes
• I have never used FasTrak
  – Privacy concerns
     • Bridge
     • Freeways
  – Pay cash or take public transit
• How does it work?
  – Almost no analysis available online
  – Title 21 (protocol) is a standard though
• What’s really inside?
  – Buy transponder from Safeway without signing up ($26 cash)
• Perhaps privacy issues can be fixed?

4. What is electronic toll collection?
• Automatic debit of an account for use of a bridge or toll road
• Many possible implementations
  – RFID transponder
  – Image recognition of license plate
• Current systems
  – E-ZPass (East Coast)
  – TollTag, Sunpass, etc.
  – FasTrak (Bay Area + Southern California)

5. Electronic toll collection
[Figure: readers mounted over the lane and the windshield transponder, captioned “Lane pwned”. Screen grab courtesy of KTVU News]

6. Tracking and privacy
• Few realize all freeway travel is also tracked
  – Transponders are queried by readers on signs to generate realtime traffic statistics (511.org)
  – Separate agency (and thus servers) from toll collection, but same transponder
Screen grab courtesy of KTVU News

7. Tracking and privacy
• Toll transactions are logged
  – Indefinitely? No info in privacy policy
• Freeway travel is separately logged by 511.org
  – The transponder ID is “anonymous” and “only stored for 24 hours” (KTVU news report)
  – “Users remain anonymous through … encryption software that scrambles each FasTrak toll tag ID” (privacy policy)
• Lawyers know this info is available
  – “FasTrak gets about one subpoena a month for toll records.” (KTVU news report)
  – Wouldn’t they stop bothering if this info wasn’t useful?

8. Adding anonymity afterwards difficult
• Conventional approach (adding anonymity)
  – ID → Hash(ID)
     • Not anonymous, just exchanges one ID for another
     • Subject to correlation attacks
     • Ignores meta-information (timing, length, date)
• AOL anonymized search term scandal (2006)
  – Real names and addresses could be recovered by correlating info across multiple searches

9. Robust anonymity has to be built-in
• Reduce collection
  – Query based on a random timer, not all cars
  – Only 1 out of 100 cars necessary to get average speed
• Limit distribution
  – Calculate speed and throw away original IDs after two readings
  – Limit the number of systems that touch it along the way
• Expire aggressively
  – Only statistic needed is sign-to-sign interval
  – Discard IDs after a few minutes
• Cryptography
  – “Untraceable RFID Tags via Insubvertible Encryption” (Ateniese, Camenisch, and de Medeiros)
  – “A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags” (Molnar, Soppera, and Wagner)
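The reduce/limit/expire rules of slide 9, as an added example that is not part of the talk: a traffic-statistics aggregator that samples rather than queries every car, turns a pair of readings into a sign-to-sign interval and then forgets the ID, and drops unmatched readings after a few minutes. The per-epoch keyed pseudonym, the 1-in-100 per-car approximation of the random polling timer, the 300 s expiry and the sample readings are assumptions made for this example.

```python
# Added example, not from the talk: sign-to-sign travel-time aggregator
# built on slide 9's rules. The keyed pseudonym, the per-car sampling
# approximation, the 300 s expiry and the readings below are constructed.
import hashlib
import os
import random

SAMPLE_ONE_IN = 100      # slide: 1 car in 100 is enough for an average speed
EXPIRE_SECONDS = 300     # slide: discard IDs after a few minutes (value assumed)


class TravelTimeAggregator:
    """Keeps only what the sign-to-sign statistic needs and forgets the rest."""

    def __init__(self, epoch_key=None):
        # Pseudonym = keyed hash of the ID; the key is rotated per epoch so that,
        # unlike a plain Hash(ID) (slide 8), readings cannot be joined across epochs.
        self.key = epoch_key or os.urandom(16)
        self.pending = {}        # pseudonym -> (sign, time): at most one reading each
        self.intervals = []      # (from_sign, to_sign, seconds): no IDs survive here

    def should_poll(self, rng=random):
        # Reduce collection: approximate a random polling timer by querying
        # roughly one passing car in SAMPLE_ONE_IN instead of every car.
        return rng.randrange(SAMPLE_ONE_IN) == 0

    def _pseudonym(self, tag_id):
        return hashlib.blake2s(tag_id.to_bytes(4, "big"), key=self.key,
                               digest_size=8).digest()

    def expire(self, now):
        # Expire aggressively: a lone unmatched reading is useless after a few minutes.
        stale = [p for p, (_, t0) in self.pending.items() if now - t0 > EXPIRE_SECONDS]
        for p in stale:
            del self.pending[p]
        return len(stale)

    def reading(self, sign, tag_id, now):
        self.expire(now)
        p = self._pseudonym(tag_id)
        if p in self.pending:
            first_sign, t0 = self.pending.pop(p)   # second reading: compute, then forget
            self.intervals.append((first_sign, sign, now - t0))
            return now - t0
        self.pending[p] = (sign, now)
        return None

    def average_seconds(self, from_sign, to_sign):
        xs = [s for a, b, s in self.intervals if a == from_sign and b == to_sign]
        return sum(xs) / len(xs) if xs else None


def sampled_count(n_cars, seed):
    """How many of n_cars a reader using the random sampler would actually query."""
    rng = random.Random(seed)
    agg = TravelTimeAggregator(epoch_key=b"\x01" * 16)
    return sum(agg.should_poll(rng) for _ in range(n_cars))


def demo():
    """Constructed readings: two cars complete segment A->B, one reading expires."""
    agg = TravelTimeAggregator(epoch_key=b"\x01" * 16)
    agg.reading("A", 0x1111, 0.0)
    agg.reading("A", 0x2222, 5.0)
    agg.reading("A", 0x3333, 10.0)
    agg.reading("B", 0x1111, 90.0)      # interval 90 s, ID forgotten
    agg.reading("B", 0x2222, 125.0)     # interval 120 s, ID forgotten
    agg.reading("B", 0x3333, 400.0)     # 390 s after A: expired, starts fresh at B
    return agg
```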
10. Title 21 system history
• California legislature passed a technical law
  – Title 21, Chapter 16 (1992)
  – Developed mostly by Texas Instruments
• FasTrak
  – All Bay Area bridges (BATA)
  – Orange County toll highways
  – Airport parking lots
• Over one million transponders purchased

11. Title 21 standard
• Layer 1: modulation and frequency
  – Reader downlink
  – Transponder uplink
• Layer 2: packet framing
  – Start sequence, checksum
• Layer 3: packet types
  – Poll messages
  – Responses
• Layer 7: allocation of IDs among agencies

12. Layer 1: modulation and frequency
• Downlink from reader
  – ~900 MHz carrier frequency
  – Square-wave AM
     • Unipolar ASK of the carrier using Manchester encoding
     • “1”: signal during first half, “0”: signal during second
• Uplink from transponder
  – Backscatter of carrier via antenna polarization
  – Dual-frequency AM
     • FSK of 1200 KHz/600 KHz (“1” and “0”, respectively)
     • 300 Kbps data rate (both directions)

13. Layer 1: reader modulation
• Downlink from reader
  [Figure: reader waveform for the bit sequence 1 1 0]
• 300 Kbps data rate
• 600 KHz square wave (ASK)
  – “1” = high in first half of period
  – “0” = high in second half of period

14. Layer 1: transponder modulation
• Uplink from transponder
  [Figure: transponder waveform for the bit sequence 1 1 0]
• 300 Kbps data rate
• 1200/600 KHz square wave (FSK)
  – “1” = higher frequency
  – “0” = lower frequency

15. Layer 2: packet framing
• Wakeup signal before message
  – 33 µs burst of 1-bits
  – 100 µs no signal
• Packet start: 0xAAC
• Ends with 16-bit CRC
  – Standard says “CRC-CCITT”
  – Spec bug: initial value is 0, not 0xFFFF like CCITT says
     • If you actually implemented the Title 21 spec, you’d be incompatible

16. Layer 3: standard messages
• Reader → Transponder: Polling Message Type 1 (8000)
  – Requests the transponder to send its ID
  – Agency code, 16-bit
• Transponder → Reader: Data Message Type 1 (0001)
  – Transponder ID, 32-bit
• Reader → Transponder: Acknowledge Message Type 2 (C000)
  – Confirms reception of the transponder ID
  – Transponder ID, 32-bit
  – Reader ID, 32-bit
  – Status, 16-bit
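Slides 15 and 16 together, as an added example that is not code from the talk: a framer and checker for the 0xAAC start sequence, the three standard message layouts, and a CRC-16 that can be run with either initial value, which shows concretely why an implementation of the spec as written (0xFFFF) rejects every real frame (init 0). Assumptions not on the page: fields are packed MSB-first, the CRC covers the type and payload but not the start sequence, and the frame is zero-padded at the end to a whole byte; the agency, transponder and reader IDs are constructed.

```python
# Added example, not from the talk: Title 21-style framing (slides 15/16)
# with the CRC initial-value quirk. Assumed (not on the page): MSB-first
# packing, CRC over type + payload only, zero padding to a byte boundary.
CRC_POLY = 0x1021            # the CRC-CCITT generator polynomial
START_SEQ, START_BITS = 0xAAC, 12
TITLE21_INIT = 0x0000        # what the firmware actually uses (slide 15)
CCITT_INIT = 0xFFFF          # what "CRC-CCITT" in the spec text implies


def crc16_ccitt(data: bytes, init: int) -> int:
    """Bitwise CRC-16, polynomial 0x1021, MSB first, no reflection, no final XOR."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def _pack(value: int, nbits: int) -> bytes:
    """Left-align an nbits-wide value in the fewest whole bytes (zero padding)."""
    nbytes = (nbits + 7) // 8
    return (value << (nbytes * 8 - nbits)).to_bytes(nbytes, "big")


def build_frame(msg_type: int, fields, init: int = TITLE21_INIT) -> bytes:
    """fields: [(value, width_in_bits), ...] following the 16-bit message type."""
    body_val, body_bits = msg_type, 16
    for value, width in fields:
        body_val = (body_val << width) | value
        body_bits += width
    if body_bits % 8:
        raise ValueError("standard messages are byte-aligned")
    body = body_val.to_bytes(body_bits // 8, "big")
    crc = crc16_ccitt(body, init)
    frame_val = (START_SEQ << (body_bits + 16)) | (body_val << 16) | crc
    return _pack(frame_val, START_BITS + body_bits + 16)


def check_frame(frame: bytes, init: int = TITLE21_INIT):
    """Return the body (type + fields) if start sequence and CRC verify, else None."""
    total = len(frame) * 8
    pad = (total - START_BITS - 16) % 8              # trailing padding bits
    body_bits = total - START_BITS - 16 - pad
    val = int.from_bytes(frame, "big") >> pad
    crc, val = val & 0xFFFF, val >> 16
    body_val, start = val & ((1 << body_bits) - 1), val >> body_bits
    if start != START_SEQ:
        return None
    body = body_val.to_bytes(body_bits // 8, "big")
    return body if crc16_ccitt(body, init) == crc else None


# Constructed IDs for the three standard messages of slide 16. With the
# assumptions above the frame sizes come out at 8, 10 and 16 bytes, the
# lengths the later slides list for 8000, 0001 and C000.
POLL = build_frame(0x8000, [(0x0042, 16)])                      # agency code
ID_RESPONSE = build_frame(0x0001, [(0x12345678, 32)])           # transponder ID
ACK = build_frame(0xC000, [(0x12345678, 32), (0x0BADCAFE, 32), (0x0001, 16)])
```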
18. Enrollment process
• Validation code is just toll tag serial number in hex
• Used as a checksum for typos

19. Diving into the transponder
“If a Toll Tag fails to operate for reasons other than abuse… we will replace it…”

20. Diving into the transponder
[Figure: board photo labelled Antenna (RCV), Demodulation circuit, Battery, TI MSP430, Buzzer, Antenna (XMIT)]

21. Transponder operation
• Receive side
  – Signal is received and amplified (analog)
  – Demodulated and presented to pin 2.5 as a square wave
• Transmit side
  – Carrier reflected back by swapping pins 1.6 and 1.7 quickly
• Buzzer
  – Timer interrupt + XOR (pins 2.0 and 2.1)
Thanks go to Adam O’Donnell for the RF help

22. MSP430 basics
• Low-power 16-bit microcontroller
  – 2, 4, and 6-byte instructions
     • Kinda strange: MOV @R14+, R15
  – Von Neumann address space (shared code/data)
     • Helpful for stack/integer overflows (Travis Goodspeed)
  – Self-programmable flash memory
     • Persist that exploit
• MSP430F1111A
  – Peripherals: timer, comparator, ports (address 0)
  – 128 bytes RAM (0x200)
  – 256 bytes data flash (0x1000)
  – 2 KB code flash (0xF800)

23. FasTrak MSP430 memory map
• Interrupt vectors (FFE0 - FFFF)
• Code flash (F800 - FFFF)
• Data flash (1000 - 10FF)
• Boot ROM (0C00 - 0FFF)
• RAM (0200 - 027F)
• Peripherals (0000 - 01FF)

24. Dumping the firmware
• Internal firmware is protected by JTAG fuse
  – Normal programming method is via JTAG
• Bootstrap loader (BSL)
  – 256-bit password allows access to flash
     • Probably checked with memcmp()
     • Go see Travis Goodspeed’s talk on timing attacks in the BSL
• Rule 1: always try the front door

25. Old transponders are not locked
• JTAG fuse is not set
  – Plug in microcontroller and read flash memory
  – Verified on a transponder from Southern California
• Newer transponders are locked
  – Need more magic to verify their contents

26. Bypassing the JTAG fuse
• Silicon magic courtesy of Chris Tarnovsky
  – Depackage chip
  – [Fuse magic happens here]
  – Rebond to DIP package
  – Read out flash
• Code was identical to unlocked transponder
If you make silicon, Fly Logic does amazing analysis work. http://flylogic.net/

27. Monitoring transponder IO
• Add header and socket for DIP CPU

28. Monitoring transponder IO
• FPGA tap board and socket on breadboard

29. What’s inside?
• Load code with IDA MSP430 plugin
  – Full reply messages with checksum laid out in order
  – Main loop: switch (packetLen); dispatch handler
  – Timer interrupts, comparator trigger
• Build a modified msp430simu
  – Cycle-accurate simulator in python
  – Breakpoint/log support routines
     • Checksum
     • Memcpy
     • Receive (poll) for packet
     • Transmit packet
     • Beep

30. Reader request messages
• Standard
  – Request for ID (8000, 8 bytes)
• Reserved by spec but not supported by firmware
  – Encrypted ID request (80xx, 11 bytes)
     • Agency code (16 bits)
     • Proprietary TI encryption key (24 bits)
  – Encrypted unknown message (88xx, 13 bytes)
     • Transponder ID (32 bits)
     • Proprietary TI encryption key (24 bits)
Lengths include “AAC” header, rounded up to nearest byte.

31. Reader request messages
• Supported by firmware but not specified
  – 11-byte requests
     • 00DE, 01DE, 02DE, 03DE, 0480, 04DE
  – 36-byte requests
     • 01DF, 05DF
  – 37-byte requests
     • 05DE

32. Transponder reply messages
• Standard
  – ID response (0001, 10 bytes)
• Reserved and supported by firmware
  – ID and serial response (0007, 22 bytes)
     • “Block A data” (128 bits) which is actually:
        – Unknown (16 bits)
        – Transponder ID (32 bits)
        – Unknown (16 bits)
        – Transponder serial number (BCD, 48 bits)
        – Padding (08FF)
• Reserved by spec but unsupported
  – “Block A and B, C, or D data” (000x, 38 bytes)

33. Transponder reply messages
• Supported by firmware but not specified
  – Misc ID+serial messages
     • 0002, 38 bytes – 16 bytes empty
     • 0005, 38 bytes – Bits checked when processing other msgs
  – Empty messages (for future?)
     • 5F07, 30 bytes
     • 0003, 38 bytes
     • 0004, 38 bytes
     • 5F06, 38 bytes

34. Reader response messages
• Standard
  – Status reply (C000, 16 bytes)
     • Transponder ID (32 bits)
     • Reader ID (32 bits)
     • Status code (16 bits)
• Reserved but not supported by firmware
  – Unknown response 1 (C00x, 20 bytes)
  – Unknown response 2 (C00x, 36 bytes)
     • All the above + 128 bits “data”

37. Cloning attacks
• Passive cloning
  – Set up a receiver near a freeway
  – Record IDs as they are transmitted to reader
• Active cloning
  – Drive past parking lots, shopping centers, etc.
  – Use portable reader to scan and log IDs of parked cars
• Missing cryptographic property: replay resistance
  – Reader proves itself to transponder
  – Transponder proves itself to reader
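The missing property named on slide 37, as an added example that is not from the talk: a mutual challenge-response in which the transponder proves itself over the reader's fresh nonce and the reader proves itself over the transponder's, so a recorded response cannot be replayed to a later poll and a device that knows only the ID cannot answer. The per-tag shared key held by the agency, the 8-byte nonces and the truncated HMAC-SHA256 tag are assumptions chosen for illustration.

```python
# Added example, not from the talk: mutual challenge-response providing the
# replay resistance slide 37 says the protocol lacks. Assumed: each transponder
# shares a per-tag secret with the agency; nonces are 8 bytes; the MAC is
# HMAC-SHA256 truncated to 8 bytes. All sizes are illustrative.
import hashlib
import hmac
import os

TAG_BYTES = 8


def mac(key: bytes, *parts: bytes) -> bytes:
    """Truncated HMAC over length-prefixed fields (so fields cannot shift)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(1, "big") + p)
    return h.digest()[:TAG_BYTES]


class Transponder:
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.key, self.nonce = tag_id, key, None

    def respond(self, reader_id: bytes, reader_nonce: bytes):
        # Bind the answer to the reader's fresh nonce and contribute our own
        # nonce so the reader has to prove itself in the acknowledgement.
        self.nonce = os.urandom(8)
        tag = mac(self.key, b"tag", reader_id, reader_nonce, self.nonce, self.tag_id)
        return self.tag_id, self.nonce, tag

    def accept_ack(self, reader_id: bytes, ack: bytes) -> bool:
        expected = mac(self.key, b"reader", reader_id, self.nonce, self.tag_id)
        return hmac.compare_digest(expected, ack)


class Reader:
    def __init__(self, reader_id: bytes, keys: dict):
        self.reader_id, self.keys, self.nonce = reader_id, keys, None

    def poll(self):
        self.nonce = os.urandom(8)     # fresh per poll: this is what defeats replay
        return self.reader_id, self.nonce

    def verify(self, tag_id: bytes, tag_nonce: bytes, tag: bytes):
        """Returns (accepted, ack). A response recorded earlier fails here."""
        key = self.keys.get(tag_id)
        if key is None or self.nonce is None:
            return False, None
        expected = mac(key, b"tag", self.reader_id, self.nonce, tag_nonce, tag_id)
        if not hmac.compare_digest(expected, tag):
            return False, None
        return True, mac(key, b"reader", self.reader_id, tag_nonce, tag_id)


def run_session(reader: Reader, tp: Transponder):
    """One honest exchange: (reader accepted, transponder accepted, response)."""
    rid, rn = reader.poll()
    response = tp.respond(rid, rn)
    ok, ack = reader.verify(*response)
    return ok, bool(ok and tp.accept_ack(rid, ack)), response


def replay(reader: Reader, captured) -> bool:
    """Offer a previously recorded response to a fresh poll; expected to fail."""
    reader.poll()
    ok, _ = reader.verify(*captured)
    return ok
```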
38. Monetizing cloning attacks
• Create a subscription service
  – Users get customized transponders or hack existing ones
  – Device downloads new IDs from PC over the air
  – Each ID is used only once, preventing pattern analysis
• Low risk
  – Failure to read transponder = $29 fine
  – Service can pay penalty for subscribers
• Potential customers
  – Trucking companies
  – Drug couriers

39. Digging still deeper…
• Does FasTrak write data to your transponder?
  – “FasTrak is a read-only device. There's no memory to write anything to.” (John Goodwin, BATA)
  – Best interpretation: “We only use it in a read-only manner and are not aware our vendor used a flash device”
• But there is memory and it is writeable
  – MSP430F1111A is flash-based, only the BSL is in ROM
  – Supports in-system erase/rewrite

40. Firmware has ID update routine
• Flash write subroutine is present in firmware
      mov #0A550h, &FCTL2
      mov #0A500h, &FCTL3
      mov.b @R14+, 0(R12)
• Called from multiple places in packet processing function
• Appears to be used to update the IDs of various message responses stored at 0x1000

41. IDs can be wiped/overwritten from remote
• Flash update can be triggered with a couple messages
  – Packet 1: prepare to flash
  – Packet 2: data to write
• Update routine
  – Calculates checksum of data from packet
  – Writes it to various locations of IDs within pre-computed response messages stored in flash
• Caveat: update routine only tested in simulator so far

42. Alibi attack
• Establish presence elsewhere during crime
  – Read and save neighbor’s FasTrak ID from parked car
  – Send message to update his transponder with your ID
  – He goes to work at 9 am, you commit crime
  – Subpoena records: you were on the bridge at 9 am!
• Questions
  – Is FasTrak data really considered so indisputable?
  – Will this alibi hold up in court?

43. Contacting the vendors
• FasTrak is:
  – A technical standard ratified as law by the California legislature
  – Administered by CalTrans
  – Locally run by Metropolitan Transportation Commission (MTC), Bay Area Toll Authority (BATA), Orange County Transportation Corridor Agencies (TCA), etc.
  – With devices potentially provided by multiple vendors, but in practice, mostly Sirit
• No response after …
  – Email contact form on bayareafastrak.org
  – Sending business card with reporter who later talked to BATA
  – Speaking to CalTrans consultant

44. Conclusions
• Electronic toll collection needs improvement
  – Excessive loss of privacy in current usage
     • Please fix this before we move to license plate recognition
  – Clonable if no encryption
  – Untrustworthy for legal evidence
     • Transponder IDs can be overwritten over-the-air
• Found many surprises when opening the box, even with an established system
  – I’m happy to explain the details for free to any FasTrak authorities who contact me
Contact: nate@rootlabs.com
Info/blog: rootlabs.com