Friday, January 30, 2009

Attack on speed cameras and automated tolling systems

This blog has been dormant for a long time, but I want to resurrect it for one post. I was once employed at a company that made automated tolling systems, so I have thought long and hard about the security of such systems. Until now I had not found many attacks against such a system. Note: this is only a theoretical attack; no one should commit illegal acts in practice.

The basic idea behind a toll road system is that you buy a tag from some company and place the tag in your car. Then every time you drive through a toll collection system the tag is read and the money is automatically deducted from your account. If you do not have a tag, then your licence plate is read and a ticket is sent to your home address.

This system works perfectly; there are few ways to cheat it. You cannot send a false message, as the data sent is authenticated. The key for the authentication is in the tag, and you would have to be an expert to get the key out of the tag. The most obvious attack is to hide your number plate, but if you do not have a number plate the police will arrest you, and building some kind of machine that flips down the number plate each time you pass is also impractical. There are also people who try to drive the wrong way through the toll collection system, or to find holes in the fence if the toll collection system surrounds a town. But these attacks only save the attacker some money and can easily be stopped.

So far, therefore, I had found no good low-tech way to avoid paying the toll collection system, until you start to attack (and question) the system itself. The system works because everyone who cheats has a licence plate, the plate is unique, and in many instances the plate can be read automatically by a computer. So the whole process, from capturing the picture all the way to your payment, can be automated. Now what if your licence plate is not unique?

The attack is that a "victim", Bob, has a friend, Eve, who makes a fake licence plate for her car matching Bob's licence plate. She drives through the system a few times and Bob probably gets a ticket, which he complains about, and he gets the payments dropped because from the pictures one can easily see that it is not Bob's car. Now Eve gets another car, preferably the same make and model as Bob's, and drives through again. This time Bob has an alibi for himself and his car, so the ticket will again be dropped when he complains. After this Bob is free to challenge any ticket he gets. He has already proven that someone is out to get him and that the attackers are getting better at imitating his make and model. In the end Eve can drive Bob's car through the toll collection system when Bob is out of town.

The cost to Eve is small. She only has to drive through the toll collection system a few times for Bob to establish that someone is out to get him. The fake licence plate can be easily removed, so the chance of getting caught with a fake licence plate is quite small.
The cost for Bob is small too: he has to write a letter in his free time and coordinate with Eve so that he has an alibi for his car for the times he is supposed to have driven through the toll collection system. If Eve drives Bob's car through the toll collection system in the end, then Bob could be liable to criminal charges if he were ever caught lying about not driving when he actually did drive through the toll collection system.
The cost to the toll collection system, on the other hand, is much greater. First, they lose the fake transactions; then they have to spend time and pay an employee to handle the complaint, go through the evidence and formulate a reply. If the problem persists, every passage by Bob has to be manually double-checked.

The real kicker of this attack is if there are lots of Bobs and Eves doing this. Then the cost of running the system rises sharply for the operator. (Currently only 10% of the collected amount goes to the administration of the system, and some operators pay out fat bonuses to the board of directors.) To make up for this they either have to raise prices or extend the time the toll collection system is up, both of which are unpopular solutions. Also, if the papers started writing about this problem, it would undermine confidence in the whole system, which would mean that more people would be inclined to complain. If the loss of confidence in the system, the loss of profit and the political opposition from the public become too great, then an automatic toll collection system will be dismantled.

But make no mistake: any attack on a toll collection system will be fiercely resisted by the authorities. Just look at how the politicians tried to keep the toll collection system in Trondheim running longer than they had promised because it was such a good cash cow. The best way to stop toll collection systems is actually to stop driving, but this brings me to the question of how to use oil, which will be another post some other time.

