RFID security flaws are found in FasTrak

August 13, 2008 12:00:00 AM PDT
An East Bay computer security expert is revealing vulnerabilities within the FasTrak program. He says flaws with its technology mean easy access for hackers.

The security flaws can be found inside the transponders themselves, which means the hundreds of thousands who use them are potentially at risk.

When Nate Lawson opened up his FasTrak transponder to take a peek at the software inside, he discovered the device lacked major security features. He says he could identify the problem, since he works as a security consultant, hired by companies to find flaws in their products.

"I expected to find at least some sort of encryption in the toll tag, to prevent people from at least cloning, but there's none of that there," said Lawson.

That means anyone with an RFID reader could clone the information on the transponders and start racking up toll charges to the rightful account holder. It's a prospect that could potentially affect many Bay Area residents. Nearly a million people have FasTrak accounts, including Vic Sung of Alameda.

"I guess with the state of technology, you're vulnerable to any type of cloning or where they can steal your information somehow," said Sung.

The second security flaw is that the information on the transponders can be overwritten. That could pose problems, considering some FasTrak account records end up being subpoenaed to help establish one's whereabouts.

"You could actually take your own ID from your own transponder, program it into someone else's car without ever breaking into their car and then if they drive around they could establish a record saying you were someplace you weren't," said Lawson.

Is this alarming? Perhaps. However, the Metropolitan Transportation Commission, which runs the FasTrak program, says it knows of not one case of cloning or overwriting.

"I think for most folks, I would choose to worry about something else," said Randy Rentschler.

Rentschler is with the Metropolitan Transportation Commission and he says while money could be spent to upgrade the system, there's no reason to yet.

"I think practically speaking, there's very little value in trying to take someone's FasTrak account because we're going to get you very soon and you don't get very much. It's not like taking a credit card account where you can actually go buy something with it," said Rentschler.

So at this point, there aren't any plans to revamp the transponders. They are the industry standard used all over the country. Transportation officials say there have not been any problems.

