Can we hack Big Brother on the highway?


astcell
07-14-2002, 10:20 AM
I travel the 91 freeway, and they have express lanes. These lanes allow you to proceed under a toll charge, paid for with a transponder in your car. Fees range from $.75 to $4.90. You just get in the far left lane and pass all that standing still traffic for the next ten miles.

Questions:

1. The transponder beeps to let you know that it works and you have been debited the amount of the toll. It also beeps again in the middle of the route. With this they can determine your average speed for that portion of the toll road. Since the average freeway speed is 80mph, but in this case the real freeway is doing 8mph instead, I wonder if we can get tickets in the mail one day. Or would this constitute a speed trap?

2. I read in Popular Science July 2002 that some of these companies use 802.11 to read your transponder. Now that opens up a whole range of possibilities! Could I use a laptop with 802.11b and snarf up transponder codes in cars around me? Can I then spoof these codes so I am never charged myself? Or can I make the computer see me as invisible?

Anyone who figures this out will be the new Capn Crunch of the toll road generation!

converge
07-14-2002, 06:15 PM
Has anyone tried wardriving past their tollbooths?

astcell
07-14-2002, 09:21 PM
I will the next time I drive by them.

blackwave
07-15-2002, 03:18 AM
Originally posted by astcell
I wonder if we can get tickets in the mail one day

I have been using FastTrack for a couple of years now to get to Riverside from Irvine using both toll lanes (on separate occasions) and never have gotten a speed ticket... also NetStumbler does not find any SSIDs for the way it is configured.

Though people will get tickets if they hit the second transponder before they hit the first transponder, this would likely indicate that they have somehow gone through their barriers.

Though lately they are getting lame about the transponders not working, and though they had always used the plate pictures to solve this, now they want to charge more for pictured plates if the transponder fails because of misplacement.... pretty weak. Mine is dead center on my windshield... and there are times I get 1 or 2 pictured plates in a 3 month time period..

Originally posted by astcell

2. I read in Popular Science July 2002 that some of these companies use 802.11 to read your transponder. Now that opens up a whole range of possibilities! Could I use a laptop with 802.11b and snarf up transponder codes in cars around me? Can I then spoof these codes so I am never charged myself? Or can I make the computer see me as invisible?


I would be interested to see some documentation on their protocol usage of 802.11x... for example are they using a,b,g,FHSS, DSSS? Any encryption during handshaking, challenge response? I am not sure if their transponder units have collapsible circuits as part of their tamper proofing...

Searching for "Fast Track" and finding something to do with the transponder and its protocols sucks, especially when I haven't slept in a long while.

I have gone through Fast Track using NetStumbler with nothing getting logged.. it would be neat to set up a laptop as an AP and trigger any car anywhere your laptop is and retrieve the info... store these in a database... and figure how to resend them when triggered by the Fast Track system... sort of like a man in the middle attack.. I wonder if they add logic to their system so that a user that goes through a gateway twice, is flagged or plated or something... I certainly wouldn't want to be the beta tester for those hacks though... ;)

converge
07-15-2002, 09:07 AM
I think astcell already volunteered for that... heheh

astcell
07-15-2002, 09:52 PM
It's easy to play dumb, it's their network so they need to secure it. I believe the dash unit is passive (but it has a battery?), but maybe you can rip it open and find an FCC number and start from there.

If one can sniff the information from anyone's unit (you just see them sitting in cars at the parking lot) then recode yours, sort of like recoding a credit card's magnetic strip, you could spoof them.

Lots of potential.

PoT
07-15-2002, 10:49 PM
Originally posted by astcell
It's easy to play dumb, it's their network so they need to secure it. I believe the dash unit is passive (but it has a battery?), but maybe you can rip it open and find an FCC number and start from there.

If one can sniff the information from anyone's unit (you just see them sitting in cars at the parking lot) then recode yours, sort of like recoding a credit card's magnetic strip, you could spoof them.

Lots of potential.

The only problem I could see with this is that if, as Blackwave was saying, you get a plate picture in the mail and they do a little figuring out that your 'borrowed' Transponder got received at the middle beacon X amount of time after your picture was taken they could figure things out.

I'm not too sure about how that system is set up, it's just one thing I'd think of checking for and if I can think of it so can they.

-PoT
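
The back-office consistency checks speculated about in the posts above (a mid-route read with no matching entry read, the same transponder at one gantry twice in a short time, a photographed plate that does not match the account), sketched as an added example that is not part of the thread and not the toll operator's actual logic. Gantry names, tag IDs, plates, thresholds and the sample reads are all constructed assumptions.

```python
# Added illustration: audit a batch of gantry reads for signs of a cloned tag.
# Each read is (tag_id, gantry, unix_seconds, plate_from_camera_or_None).
MIN_REPEAT_S = 600    # assumed: same tag at the same gantry sooner than this is suspect
MAX_TRIP_S = 1800     # assumed: entry-to-mid travel time longer than this is a new trip

ACCOUNT_PLATES = {"TAG-A": "4ABC123", "TAG-B": "5XYZ789", "TAG-C": "6DEF456"}

SAMPLE_READS = [  # constructed sample data
    ("TAG-A", "entry", 1000, None),
    ("TAG-A", "mid",   1400, None),        # normal trip
    ("TAG-B", "mid",   2000, None),        # mid beacon with no entry read
    ("TAG-C", "entry", 3000, None),
    ("TAG-C", "entry", 3120, "7GHI000"),   # same tag again, camera saw another plate
]


def audit(reads, account_plates):
    """Return a sorted list of (tag, reason) findings for a batch of reads."""
    findings = set()
    last_seen = {}   # (tag, gantry) -> time of the previous read there
    entered = {}     # tag -> time of the most recent unmatched entry read
    for tag, gantry, ts, plate in sorted(reads, key=lambda r: r[2]):
        prev = last_seen.get((tag, gantry))
        if prev is not None and ts - prev < MIN_REPEAT_S:
            findings.add((tag, "duplicate_read"))
        last_seen[(tag, gantry)] = ts

        if gantry == "entry":
            entered[tag] = ts
        elif gantry == "mid":
            start = entered.pop(tag, None)
            if start is None or ts - start > MAX_TRIP_S:
                findings.add((tag, "mid_without_entry"))

        # A camera plate is only present when a picture was taken for this read.
        if plate is not None and account_plates.get(tag) != plate:
            findings.add((tag, "plate_mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for tag, reason in audit(SAMPLE_READS, ACCOUNT_PLATES):
        print(tag, reason)
```
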

blackwave
07-16-2002, 02:18 AM
Originally posted by astcell
but maybe you can rip it open and find an FCC number and start from there.


It is possible that there is some type of initiation sequence to start a challenge response, or some type of multi-frequency to trigger the "correct" serial to be spit out... also I think I read somewhere that if the unit is taken apart it zeroizes itself so from there on it is useless. (and under the TOA, the user is liable for the damages and needs to buy a new one before it can be used), and with the plating charges.. that just sucks.

0ptik0n
07-21-2002, 05:54 PM
my group worked on this a bit... we have reason to believe they randomly photograph your plates so even if you ran through the speed pass lanes when the person you're spoofing didn't, they may notice the larger than normal bill from speed pass... and contest it, which would cause them to investigate any pictures they have on file for that transponder code... then they see your plate and go "hey, that's not a sedan, that's an SUV" then they have DMV run the plates... at this point you'll need to either have a stolen car or stolen plates to evade it...


so our group's determination was that this system wasn't worth the trouble. now if there was only a way to regulate when the checkpoints took pictures and when they didn't ... THEN you'd have something.

blackwave
07-21-2002, 05:58 PM
Originally posted by 0ptik0n
we have reason to believe they randomly photograph your plates so even if you ran through the speed pass lanes

Currently FastTrack charges for any car that is photographed because the transponder failed. This random thing would not work in this type of scenario.

0ptik0n
07-21-2002, 06:02 PM
hmm they charge when they have to take your picture... I apologize for the oversight, I was skimming.. we did notice those cameras...


ok if they charge when they take the picture they do that automatically and you never knew they did it until you see the charge on your bill I imagine...

Quite a bit trickier than trying to bypass the old barcode toll roads on the east coast... (which can be fun if you know a supervisor at Kinko's lol)

hmmm.. so I guess it boils down to how confident are you that they will only snap a pic when they don't get the transponder signal?

a battle of wills against big brother... now this is getting interesting..

blackwave
07-21-2002, 06:09 PM
Originally posted by 0ptik0n
hmmm.. so I guess it boils down to how confident are you that they will only snap a pic when they don't get the transponder signal?

Yes, and it is sometimes erratic, I think on my bill I have gotten one or two pictures taken out of a few thousand transponder hits.. I could have been driving too fast (I don't think so), or perhaps my signal collided with someone else who went through at the same time (again, unlikely)... but something caused my transponder not to recognize the beacon to shell out my data, or the data was somehow not received... I would like to know how that happened .. :)

0ptik0n
07-21-2002, 06:30 PM
well this may sound paranoid, but it makes sense...

let's say we want to spy and make sure that the people using our speed pass system are only the people we have accounts for, but we don't want people to think that we just randomly take pictures when we want...

so we toss the customer a picture or two, even charge them for it, and tell them the transponder failed... brilliance powered by greed... ('try to lie to them and tell them it's for their own good')

*thinks he's right and that is too paranoid*

at any rate most of that 91 stretch is through some hills that would block a lot of radio interference (except for radio stations from LA because the pass is loosely a north south run so the radio waves bend in).. you'd have to ask yourself... what frequency are these things running at? Now I'm just getting into this 802.11 stuff (wardriving inspired me to learn more) so it would make sense that it's broadcasting at that frequency, anyone know what frequency that is? But you say you got nothing when you wardrive the 91's speed pass lanes... either it's not 802.11 or it's a, b, c or one of the other ones and you just weren't scanning all of them at the same time... OR they may have just found a low tech solution like pitching the broadcast frequency up or down a bit to throw things like that off... you know a "low-tech" solution if you will... Railroad companies LOVE stuff like that. Maybe road transits taking a lead from them.

blackwave
07-21-2002, 07:05 PM
Originally posted by 0ptik0n
But you say you got nothing when you wardrive the 91's speed pass lanes...

It is very possible that they are simply not broadcasting any information that the current applications are written to detect... I have yet to take my frequency counter through their gateways... even then they could be using lo-tek, or spread spectrum harmonics.. who knows... would be great to get some more docs on this.. google searching on this subject matter isn't too fun.

0ptik0n
07-21-2002, 07:50 PM
hmm how much is it to replace one of the speed pass transmitters? I mean can you tell them "ooops I lost it" and get another one??

if so, take it apart and reverse engineer the hell out of it..

hmmm now that I think about it they must charge some ungodly amount... or else you would have already done this I'm sure.

as you can tell I don't have one :P but then I take the 91 about 4 to 8 times a year, I live closer to the 10.

more docs on this? I'll see what I can dig up, but I think this... much like my own personal traffic light project, has no documentation...

blackwave
07-21-2002, 07:55 PM
Originally posted by 0ptik0n
hmmm now that I think about it they must charge some ungodly amount... or else you would have already done this I'm sure.


I think it is like 35$USD... but for all I know it could be covered all in black goop... anyhow the tolls are pretty cheap, and with all the projects I am dealing with this one would be lo-priority. :) Hoping to find a group that can jump into this though.. :)

0ptik0n
07-21-2002, 08:24 PM
my friend came back on my request, he has one and says it's 150USD.... so this may stay on the back burner for a while...

blackwave
07-21-2002, 08:27 PM
Originally posted by 0ptik0n
so this may stay on the back burner for a while...
Yikes... I suspect there may be a collapsible circuit that will zeroize the unit anyway upon opening without the correct tools... so that would be a serious waste.

0ptik0n
07-21-2002, 08:31 PM
bleah... so much for that fun...

I'd better get back to preparing these warchalking stickers for printing er, I mean work over here doing tech support... lol multitasking, it's a beautiful thing.

blackwave
07-21-2002, 08:44 PM
Originally posted by 0ptik0n
bleah... so much for that fun...

I'd better get back to preparing these warchalking stickers for printing er, I mean work over here doing tech support... lol multitasking, it's a beautiful thing.

LOL, don't forget to print up some dc 0wn3d stickers to tag people with that you find sleeping in public... Muahaha

Conundrum
07-27-2002, 07:37 PM
sounds like something to try on the way to vegas in a couple days.

blackwave
07-27-2002, 07:38 PM
Originally posted by Conundrum
sounds like something to try on the way to vegas in a couple days.

I think there is a newbie hunt going on around 3am... newbies beware... sharpies, stickers, and kodak... ;)

KeLviN
07-29-2002, 04:48 PM
the transponder works similar to a Mobil speed pass (only more hitec). the base unit sends out an authorization to transmit the unit's id code. the code is then read by the base unit and logged, charges, etc. There are some major differences. a speed pass base sends out a power resonating frequency, similar to the system on a rechargeable waterproof electric razor or toothbrush. the speedpass then uses this "borrowed power" to send its id code to the Mobil reader. a fasttrak transponder works a similar way (i believe). the major difference is the introduction of battery power (probably just 2032's) and a stronger send/receive capability to cover the distance. the transponder will not broadcast its code unless it receives the right authorization.
the cameras only take pictures when a vehicle passes and it received no transponder signal or a bad transponder signal. that does NOT mean that the cameras don't record each and every car anyways. for the same reason that a casino doesn't get rid of its security videos, you never know when u will need them.
if you people want, i'll destroy a transponder after the con and give you an update on its hardware and how to avoid mem scrubs (if any).

p.s. this is the convertible capital of the world! transponders are free!

blackwave
07-29-2002, 05:15 PM
Originally posted by KeLviN
if you people want, i'll destroy a transponder after the con and give you an update on its hardware and how to avoid mem scrubs (if any).

Yes the people want, don't forget to include pictures ;) ... but if you get the silver bracelets, don't look this way ;) :)

KeLviN
07-29-2002, 05:20 PM
computer? i don't even own a computer. this dude BlackWave said he'd give me a bawlz if i took apart this...thing...that HE gave to me.
jesus would never let me do anything bad......


:rolleyes:

yeah, i'll do it when we get back...
:)

blackwave
07-29-2002, 05:33 PM
Originally posted by KeLviN
computer? i don't even own a computer. this dude BlackWave said he'd give me a bawlz if i took apart this...thing...that HE gave to me.
jesus would never let me do anything bad......


Hey let go of me man, who the fuck is melvin? I don't know a goddamn melvin?! What?! Kelvin? I don't know a Kelvin either!... Ack let me go!...

Hmmm... could be a group effort? ;)

KeLviN
07-29-2002, 05:33 PM
if i can get some good info out of it, maybe i'll do a demo at DC11.

if you want to know how it works,
if you want it taken apart,
if you want it put together,
i'm the man

i'm the hardware guy, my quiet skinny sidekick, petrOl, is the coder.

KeLviN
07-29-2002, 05:34 PM
MUTINY!

:eek: :eek: :eek: :eek: :eek: :mad:


:p

blackwave
07-29-2002, 05:34 PM
Originally posted by KeLviN
if i can get some good info out of it, maybe i'll do a demo at DC11.

That would be something to attend for sure.. especially if you could get the demo working to do the response across a demo grid.. :)

KeLviN
07-29-2002, 05:36 PM
is fasttrak big enough to get people's attention?
out of state?

blackwave
07-29-2002, 05:37 PM
Originally posted by KeLviN
is fasttrak big enough to get people's attention?
out of state?

Just like a few other "gray" demos I am sure the FastTrack attorneys will be sitting in the front row... and may even give you a word of advice or two before doing the demo... be brave.

KeLviN
07-29-2002, 05:46 PM
i was referring to "would people give a shit" and "do people from other states have fastrak".
but now that you reminded me of this legal thing.....!:eek:

no worries.
it's fastrak, what are they going to do, break my kneecaps with a wiffle ball bat?

i can see the headlines now..."free kelvin"
...wait, sounds familiar...

astcell
07-29-2002, 10:25 PM
Maybe you will get to take one apart and reassemble it at DCXI as part of your plea agreement. :)

My wife tore one apart, she found one that was cancelled and called it in, the place told her to destroy it and that it was worthless. She crushed it and said the smell was toxic, almost acidic.

Where are the cameras? I happen to not have a front license plate....

KeLviN
07-30-2002, 12:28 AM
they have front and rear cameras. they got u covered. i drive a harley. no front and i can reach back and cover the rear.
with a motorcycle i should be allowed on for free, no place for a transponder...

....velcro to the helmet...

blackwave
07-30-2002, 12:54 AM
Originally posted by KeLviN
no worries.
it's fastrak, what are they going to do, break my kneecaps with a wiffle ball bat?


Hmmm... maybe not break your knees, but there are certainly other uses for a wiffle bat... and less comfortable...

Hey Beastie Boys lyrics come to mind... Paul Revere...

KeLviN
07-30-2002, 12:59 AM
hey, you can't park that there!!!

blackwave
07-30-2002, 01:01 AM
Originally posted by KeLviN
hey, you can't park that there!!!

haha, just do "the lock"... (Martin Lawrence comic skit reference)

KeLviN
07-30-2002, 03:02 AM
so the short answer to this thread is;
maybe yes
maybe no
definitely not before con
likely next year.

PoT
07-30-2002, 08:52 AM
Originally posted by blackwave


Hmmm... maybe not break your knees, but there are certainly other uses for a wiffle bat... and less comfortable...

Hey Beastie Boys lyrics come to mind... Paul Revere...

You know, as soon as he mentioned "wiffle ball bat" that's where my mind went too. Although, I started reciting lyrics in my office. People at work often look at me funny, hard to imagine why ;)

-PoT