

Transportation Hack 2.0: Flaw Found Calif.'s FasTrak System - acesamped
http://blogs.pcworld.com/staffblog/archives/007585.html

======
MicahWedemeyer
The lack of encryption in these things is just astonishing. Sure, encryption
isn't a magic bullet, but it's the first line of defense, and most programming
languages make it _so damn easy_ to use.

~~~
tptacek
Somehow, I'm guessing they're not running a JVM on a TI MSP4xx
microcontroller. It's actually not damn easy to get encryption working on
controller boards.

What's more, for many of these kinds of systems, encryption that is anything
more than a speed bump is very hard to get right, because of key management
and round trip limits.

~~~
maximilian
A lot of controllers have built-in encryption hardware. If you put encryption
in the original spec, it's not that hard to include.

~~~
tptacek
I can see it being easy to add encryption to a 32 bit part deployed in a pizza
box form factor on the bottom of a telephone pole or alongside a train track
right of way.

I'm not sure it's that easy when you're constrained to a 16 bit part that
can't be bigger than a wallet, has almost no power available, needs to be
distributed in volumes of hundreds of thousands or more, needs to cost almost
nothing per part, and needs to be one of the vendors that plays well with RF.

Again, this also misses the point that key management and protocol design are
more important than the algorithm; it's not necessarily an easy problem to
provision keys to 1,000,000 floating devices, nor is it necessarily easy to
design a secure protocol that has to run in 1 round trip at 45MPH.

Just some thoughts. Obviously we can agree that this system needs to be more
secure. I'm not sticking up for FasTrak; I'm just trying to respect the
problem.
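An added example, not part of this thread and not FasTrak's actual protocol, of the kind of one-round-trip design the comment above is pointing at: the reader broadcasts a random challenge, the transponder answers with its ID plus a truncated HMAC over the challenge, and the reader checks it using a per-device key derived from a master key, so the operator provisions one master key rather than a table of a million device keys. The master key, device ID, reader ID, tag length and all function names are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for the example: a real master key would live in the operator's
# back end (ideally an HSM) and device IDs would come from the manufacturer's serial space.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")
DEVICE_ID = bytes.fromhex("0001e240")   # 4-byte transponder serial (constructed)
ID_LEN = len(DEVICE_ID)
READER_ID = b"LANE3"                    # binds a reply to the reader that challenged
NONCE_LEN = 8                           # challenge size in bytes
TAG_LEN = 8                             # truncated MAC keeps the over-the-air reply short


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Key diversification: each transponder gets HMAC(master, label || device_id).
    The reader holds only the master key and recomputes any device key on the fly."""
    return hmac.new(master_key, b"transponder-key:" + device_id, hashlib.sha256).digest()


class Transponder:
    """The in-car tag: holds its own ID and diversified key, nothing else."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key

    def respond(self, reader_id: bytes, nonce: bytes) -> bytes:
        # One message back: ID in the clear plus a MAC tying the ID to this reader and this challenge.
        msg = reader_id + nonce + self.device_id
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        return self.device_id + tag


class Reader:
    """The roadside unit: issues a fresh challenge and verifies the reply."""

    def __init__(self, reader_id: bytes, master_key: bytes):
        self.reader_id = reader_id
        self.master_key = master_key

    def challenge(self) -> bytes:
        return os.urandom(NONCE_LEN)

    def verify(self, nonce: bytes, reply: bytes) -> Optional[bytes]:
        """Return the authenticated device ID, or None if the reply does not verify."""
        if len(reply) != ID_LEN + TAG_LEN:
            return None
        device_id, tag = reply[:ID_LEN], reply[ID_LEN:]
        key = derive_device_key(self.master_key, device_id)
        expected = hmac.new(key, self.reader_id + nonce + device_id, hashlib.sha256).digest()[:TAG_LEN]
        return device_id if hmac.compare_digest(tag, expected) else None


def provision(master_key: bytes, device_id: bytes) -> Transponder:
    """Personalisation at issue time: derive the device key and load it into the tag."""
    return Transponder(device_id, derive_device_key(master_key, device_id))


def run_exchange(reader: Reader, tag: Transponder) -> Optional[bytes]:
    """The whole protocol is one round trip: challenge out, reply back."""
    nonce = reader.challenge()
    return reader.verify(nonce, tag.respond(reader.reader_id, nonce))


def replay_is_rejected(reader: Reader, tag: Transponder) -> bool:
    """A reply recorded against one challenge must not verify against the next one."""
    old_nonce = reader.challenge()
    recorded = tag.respond(reader.reader_id, old_nonce)
    return reader.verify(reader.challenge(), recorded) is None


if __name__ == "__main__":
    reader = Reader(READER_ID, MASTER_KEY)
    tag = provision(MASTER_KEY, DEVICE_ID)
    print("authenticated:", run_exchange(reader, tag) == DEVICE_ID)
    print("replay rejected:", replay_is_rejected(reader, tag))
```

What the example does not make go away is exactly the comment's point: every roadside reader now holds the master key, so one compromised reader exposes every tag, and the tag has to finish an HMAC inside the read window while the car is moving, which is the part that is hard on a small, low-power device.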

~~~
gojomo
Until there's evidence someone is actually exploiting this at an economically
relevant level, I wouldn't agree the "system needs to be more secure".

And if it is being exploited, using the existing license-plate cameras may be
a more effective means of securing the system than upgrading the transponder
behavior.

~~~
tptacek
I think the first point is sensible, even though I disagree with it.

I'm not sure I understand how license plate cameras solve the problem, though.
How many tens of thousands of license plates would need to be processed per
day, and for what pattern?

Also note that the economics are just part of the problem. Other problems
include privacy, chain of evidence, and personal fraud damages.

~~~
gojomo
They already take photos of, at the very least, those who slip through without
paying or with a missing/faulty/dead transponder.

So step one is just to take a sample: for X thousand FasTrak transactions, for
how many did the license plate and transponder disagree? If it's trivial,
there's no economic rationale for fixing the system. Just make a note that
transponder logs have a Y% fraud/error rate, for when disputes arise.

If still concerned about the other aspects, save the photo log for exactly as
long as the transponder log. That reduces all the issues to the same as those
with using counterfeit plates, which we've lived with for over a century,
without major problems.

(In fact, I suspect they're already keeping the photo logs, but time will
tell.)
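An added example of the sampling step described above, written for this page rather than taken from any toll operator's code: each lane transaction pairs the transponder read with the camera's plate OCR result, the two are compared against the plate the transponder was issued against, and the output is the Y% disagreement figure plus the transactions worth a human look. The registry, the log format and the sample rows are all constructed for the example.

```python
import csv
import re
from collections import Counter
from io import StringIO
from typing import Dict, List, Tuple

# Constructed registry: the plate each transponder was issued against.
REGISTRY = {
    "T1001": "7ABC123",
    "T1002": "6XYZ789",
    "T1003": "5LMN456",
}

# Constructed sample of lane transactions: transponder read plus the camera's plate
# OCR result (empty when the camera got no usable read).
SAMPLE_LOG = """\
timestamp,lane,transponder_id,plate_read
2008-08-07T07:01:02,3,T1001,7ABC123
2008-08-07T07:01:09,3,T1002,6xyz 789
2008-08-07T07:01:15,2,T1003,
2008-08-07T07:01:20,2,T1001,4QRS000
2008-08-07T07:01:31,1,T9999,3TUV111
2008-08-07T07:01:40,3,T1002,6XYZ789
"""


def normalise_plate(raw: str) -> str:
    """Camera OCR output varies in case and spacing; compare on the alphanumeric core only."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def reconcile(log_text: str, registry: Dict[str, str]) -> Tuple[Counter, List[dict]]:
    """Classify each transaction and collect the ones that need review."""
    counts: Counter = Counter()
    flagged: List[dict] = []
    for row in csv.DictReader(StringIO(log_text)):
        tid = row["transponder_id"].strip()
        plate = normalise_plate(row["plate_read"])
        if tid not in registry:
            counts["unknown_transponder"] += 1
            flagged.append({**row, "reason": "unknown_transponder"})
        elif not plate:
            counts["no_plate_read"] += 1   # camera failure: no evidence either way
        elif plate == normalise_plate(registry[tid]):
            counts["match"] += 1
        else:
            counts["mismatch"] += 1        # the photographed car is not the one on file
            flagged.append({**row, "expected_plate": registry[tid], "reason": "plate_mismatch"})
    return counts, flagged


def disagreement_rate(counts: Counter) -> float:
    """The Y% figure: mismatches as a share of transactions where both reads were usable.
    Unknown transponders are counted separately since there is no plate on file to compare."""
    comparable = counts["match"] + counts["mismatch"]
    return counts["mismatch"] / comparable if comparable else 0.0


if __name__ == "__main__":
    counts, flagged = reconcile(SAMPLE_LOG, REGISTRY)
    print(dict(counts))
    print(f"disagreement rate: {disagreement_rate(counts):.1%}")
    for item in flagged:
        print(item["timestamp"], item["transponder_id"], item["reason"])
```

Keeping the no-read and unknown-transponder buckets separate from the rate matters for the dispute use the comment mentions: a camera that missed the plate says nothing about whether the transponder log is right, and a number that lumps the two together overstates the error rate.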

~~~
tptacek
It's an interesting point. Obviously, if they had you working for the toll
system, they'd be able to come up with some interesting countermeasures. Of
course, they don't have anyone like you or me working there.

