
Can we hack Big Brother on the highway?


  • Can we hack Big Brother on the highway?

    I travel the 91 freeway, and they have express lanes. These lanes allow you to proceed under a toll charge, paid for with a transponder in your car. Fees range from $.75 to $4.90. You just get in the far left lane and pass all that standing still traffic for the next ten miles.

    Questions:

    1. The transponder beeps to let you know that it works and you have been debited the amount of the toll. It also beeps again in the middle of the route. With this they can determine your average speed for that portion of the toll road. Since the average freeway speed is 80mph, but in this case the real freeway is doing 8mph instead, I wonder if we can get tickets in the mail one day. Or would this constitute a speed trap?

    2. I read in Popular Science July 2002 that some of these companies use 802.11 to read your transponder. Now that opens up a whole range of possibilities! Could I use a laptop with 802.11b and snarf up transponder codes in cars around me? Can I then spoof these codes so I am never charged myself? Or can I make the computer see me as invisible?

    Anyone who figures this out will be the new Capn Crunch of the toll road generation!

  • #2
    Has anyone tried wardriving past their tollbooths?
    if it gets me nowhere, I'll go there proud; and I'm gonna go there free.



    • #3
      I will the next time I drive by them.



      • #4
        Re: Can we hack Big Brother on the highway?

        Originally posted by astcell
        I wonder if we can get tickets in the mail one day
        I have been using FastTrack for a couple of years now to get to Riverside from Irvine using both toll lanes (at separate occasions) and never have gotten a speed ticket... also netstumbler does not find any ssid's for the way it is configured.

        Though people will get tickets if they hit the second transponder before they hit the first transponder, this would likely indicate that they have somehow gone through their barriers.

        Though lately they are getting lame about the transponders not working, and though they had always used the plate pictures to solve this, now they want to charge more for pictured plates if the transponder fails because of misplacement... pretty weak. Mine is dead center on my windshield... and there are times I get 1 or 2 pictured plates in a 3 month time period.

        Originally posted by astcell

        2. I read in Popular Science July 2002 that some of these companies use 802.11 to read your transponder. Now that opens up a whole range of possibilities! Could I use a laptop with 802.11b and snarf up transponder codes in cars around me? Can I then spoof these codes so I am never charged myself? Or can I make the computer see me as invisible?
        I would be interested to see some documentation on their protocol usage of 802.11x... for example are they using a, b, g, FHSS, DSSS? Any encryption during handshaking, challenge response? I am not sure if their transponder units have collapsible circuits as part of their tamper proofing...

        Searching for "Fast Track" and finding something to do with the transponder and its protocols sucks, especially when I haven't slept in a long while.

        I have gone through Fast Track using NetStumbler with nothing getting logged... it would be neat to set up a laptop as an AP and trigger any car anywhere your laptop is and retrieve the info... store these in a database... and figure how to resend them when triggered by the Fast Track system... sort of like a man in the middle attack... I wonder if they add logic to their system so that a user that goes through a gateway twice is flagged or plated or something... I certainly wouldn't want to be the beta tester for those hacks though... ;)



        • #5
          I think astcell already volunteered for that... heheh
          if it gets me nowhere, I'll go there proud; and I'm gonna go there free.



          • #6
            It's easy to play dumb, it's their network so they need to secure it. I believe the dash unit is passive (but it has a battery?), but maybe you can rip it open and find an FCC number and start from there.

            If one can sniff the information from anyone's unit (you just see them sitting in cars at the parking lot) then recode yours, sort of like recoding a credit card's magnetic strip, you could spoof them.

            Lots of potential.



            • #7
              Originally posted by astcell
              It's easy to play dumb, it's their network so they need to secure it. I believe the dash unit is passive (but it has a battery?), but maybe you can rip it open and find an FCC number and start from there.

              If one can sniff the information from anyone's unit (you just see them sitting in cars at the parking lot) then recode yours, sort of like recoding a credit card's magnetic strip, you could spoof them.

              Lots of potential.
              The only problem I could see with this is that if, as Blackwave was saying, you get a plate picture in the mail and they do a little figuring out that your 'borrowed' transponder got received at the middle beacon X amount of time after your picture was taken, they could figure things out.

              I'm not too sure about how that system is set up, it's just one thing I'd think of checking for and if I can think of it so can they.

              -PoT



              • #8
                Originally posted by astcell
                but maybe you can rip it open and find an FCC number and start from there.
                It is possible that there is some type of initiation sequence to start a challenge response, or some type of multi-frequency to trigger the "correct" serial to be spit out... also I think I read somewhere that if the unit is taken apart it zeroizes itself so from there on it is useless. (and under the TOA, the user is liable for the damages and needs to buy a new one before it can be used), and with the plating charges.. that just sucks.



                • #9
                  ...

                  my group worked on this a bit... we have reason to believe they randomly photograph your plates so even if you ran through the speed pass lanes when the person you're spoofing didn't, they may notice the larger than normal bill from speed pass... and contest it, which would cause them to investigate any pictures they have on file for that transponder code... then they see your plate and go "hey, that's not a sedan, that's an SUV" then they have DMV run the plates... at this point you'll need to either have a stolen car or stolen plates to evade it...


                  so our group's determination was that this system wasn't worth the trouble. now if there was only a way to regulate when the checkpoints took pictures and when they didn't ... THEN you'd have something.



                  • #10
                    Re: ...

                    Originally posted by 0ptik0n
                    we have reason to believe they randomly photograph your plates so even if you ran through the speed pass lanes
                    Currently FastTrack charges for any car that is photographed because the transponder failed. This random thing would not work in this type of scenario.



                    • #11
                      hmm they charge when they have to take your picture... I apologize for the oversight, I was skimming... we did notice those cameras...


                      ok if they charge when they take the picture they do that automatically and you never knew they did it until you see the charge on your bill I imagine...

                      Quite a bit trickier than trying to bypass the old barcode toll roads on the east coast... (which can be fun if you know a supervisor at Kinko's lol)

                      hmmm.. so I guess it boils down to how confident are you that they will only snap a pic when they don't get the transponder signal?

                      a battle of wills against big brother... now this is getting interesting..



                      • #12
                        Originally posted by 0ptik0n
                        hmmm.. so I guess it boils down to how confident are you that they will only snap a pic when they don't get the transponder signal?
                        Yes, and it is sometimes erratic, I think on my bill I have gotten one or two pictures taken out of a few thousand transponder hits... I could have been driving too fast (I don't think so), or perhaps my signal collided with someone else who went through at the same time (again, unlikely)... but something caused my transponder not to recognize the beacon to shell out my data, or the data was somehow not received... I would like to know how that happened .. :)



                        • #13
                          Big Brother exposed ...

                          well this may sound paranoid, but it makes sense...

                          let's say we want to spy and make sure that the people using our speed pass system are only the people we have accounts for, but we don't want people to think that we just randomly take pictures when we want...

                          so we toss the customer a picture or two, even charge them for it, and tell them the transponder failed... brilliance powered by greed... ('try to lie to them and tell them it's for their own good')

                          *thinks he's right and that is too paranoid*

                          at any rate most of that 91 stretch is through some hills that would block a lot of radio interference (except for radio stations from LA because the pass is loosely a north south run so the radio waves bend in)... you'd have to ask yourself... what frequency are these things running at? Now I'm just getting into this 802.11 stuff (wardriving inspired me to learn more) so it would make sense that it's broadcasting at that frequency, anyone know what frequency that is? But you say you got nothing when you wardrive the 91's speed pass lanes... either it's not 802.11 or it's a, b, c or one of the other ones and you just weren't scanning all of them at the same time... OR they may have just found a low tech solution like pitching the broadcast frequency up or down a bit to throw things like that off... you know a "low-tech" solution if you will... Railroad companies LOVE stuff like that. Maybe road transits taking a lead from them.



                          • #14
                            Re: Big Brother exposed ...

                            Originally posted by 0ptik0n
                            But you say you got nothing when you wardrive the 91's speed pass lanes...
                            It is very possible that they are simply not broadcasting any information that the current applications are written to detect... I have yet to take my frequency counter through their gateways... even then they could be using lo-tek, or spread spectrum harmonics... who knows... would be great to get some more docs on this... google searching on this subject matter isn't too fun.



                            • #15
                              hmm how much is it to replace one of the speed pass transmitters? I mean can you tell them "ooops I lost it" and get another one??

                              if so, take it apart and reverse engineer the hell out of it..

                              hmmm now that I think about it they must charge some ungodly amount... or else you would have already done this I'm sure.

                              as you can tell I don't have one :P but then I take the 91 about 4 to 8 times a year, I live closer to the 10.

                              more docs on this? I'll see what I can dig up, but I think this... much like my own personal traffic light project, has no documentation...
