

Road Tolls Vulnerable to Manipulation - jaydub
http://www.technologyreview.com/Infotech/21301/?a=f

======
tptacek
_"Every modern system requires a public security review to be sure there
aren't different but related problems," he says. Indeed, in recent weeks,
researchers announced flaws in another wireless identification system: the
Mifare Classic chip, which is used by commuters on transport systems in many
cities, including Boston and London._

Practical systems security, as practiced on/against web apps, operating
systems, server software, and network clients, has evolved to the point where
it is leading the entire discipline of information security. The work being
done to reverse engineer, break, reinforce, and refresh web browsers is --- at
a quick guess --- 4-5 years ahead of any other work being done in securing any
other information system --- tolls, building security, financial markets,
utilities, and large parts of the military.

So, of course someone as smart as Nate can bust up FasTrak. You'd be surprised
if he couldn't.

What's interesting and worrisome to me is that the efforts of just one company
(Microsoft) to engage the market to secure their own general-purpose code
probably singlehandedly boosted the bill rates of every security consultant by
20-30%. How is this work going to trickle down into the rest of industry? My
guess is, it won't. We should be more hesitant to wire things up that we
depend on.

~~~
tptacek
Oh, and on a less preachy and more relevant note: the way Nate did this is
pretty cool. He didn't break the RF protocol; he reversed the board, the
microcontroller (a very common one), and the firmware of the transponder. In
RF work, we don't have to get the radio details right if we can get the
existing equipment to do that job for us.

------
gojomo
FasTrak lanes already have license-plate cameras, and may already be
photographing every plate -- not just those whose transponder fails to
respond.

So it should be relatively easy to estimate how much fraud is occurring, and
invest more in enforcement if it is nontrivial.

(Unless of course fraudsters steal or counterfeit license plates to match
their make/model, too. But that puts the threat even further into the realm of
"anyone competent enough already has their time filled with more profitable
activities".)

