Like some of us, researcher Nate Lawson was concerned about the privacy implications of the popular RFID-based FasTrak toll tags used for prepaying highway tolls in the San Francisco Bay Area.  He decided to rip apart one of the tags in order to study its innards – and discovered that they do not incorporate any form of encryption whatsoever.

The security implications are severe; the lack of encryption renders the tags completely vulnerable to sniffing and cloning.  And while it appears that the actual monetary value of the card is kept in backend servers, this in fact exacerbates the plight of victims.  Hackers can cruise around sniffing for RFID identifiers in order to clone their own FasTrak cards.  Such fraud would be impossible to catch, and the only avenue that a victimized driver would have is to discard their FasTrak for a new one.

Now, there was insufficient information to determine whether the RFID tags use the Mifare Classic technology, which has been successfully compromised earlier this year.  What I wanted to note however, was the comment by Lawson, who said: “There’s a placeholder of sorts for an encryption key, but no sign of encryption.”

So even though the framework exists for implementing some kind of encryption on the FasTrak, they were not used.  In short, this is a classic case of insecurity by design.

The Problem

The cold hard fact is that designing and implementing secure solutions cost money.  In the absence of a validation body or clear legislation, the onus of security often falls upon a few decision makers or even the vendor of a certain project – both of who might be hard-pressed to keep costs down.

While a closed design might pass unnoticed pre-Internet, the knowledge economy brought on by the advent and proliferation of the Internet means that it often takes just one person to expose security weaknesses and bring the whole house crashing down.  In the Mifare Classic crack, even though the mathematics of cracking its algorithm is beyond the knowledge of most, it proved a scant deterrent: once the proof-of-concept code was published, the base of people with the ability to implement a working attack rose exponentially.  It wasn’t long before additional instructions appeared which lowered the barrier to practically anyone who has a good knowledge of computers.

Another example would be the public libraries in Singapore – which have just wonderful facilities by the way.  In fact, steady improvements over the years meant that it is easy to find some of the latest books and multimedia materials in the library.  It has been possible for a long time now to do self-serviced checkout of books, which is the area that I have a gripe with.

You see, Singapore citizens are issued with an identification card (IC), much like the Social Security card in the United States.  What the public libraries did was to incorporate the IC as part of the self-serviced checkout system.  To borrow books, you insert your IC into a stipulated slot in the checkout machine.  Items to be borrowed are then placed one at a time onto an RFID reader which de-activates the RFID tags – which will otherwise trigger the alarm placed at every entrance – embedded into the spines of books, or pasted onto DVDs and CDs.

The problem is that the IC number is scanned via a standard barcode reader.  As you can imagine, there is nothing to stop a prankster from obtaining – or simply guessing, the IC number and creating a bar code for the nefarious purpose of stealing books.

Despite the ramifications to tax payers, one can argue that any losses resulting from such an insecure system will ultimately be borne by the institution.  Yet it doesn’t take a rocket scientist to figure out that the onus is on the victims to prove their innocence.  Beyond the time and hassle of doing so, victims could also find their own library borrowing privileges revoked.  Because it is also possible to renew books online with just the IC number and name; it could be many months before the victim even realizes he has been defrauded.

In conclusion

In every case, solutions exist for better security.  The question is whether organizations decide to bite the bullet and pay more for technology for solutions that are actually robust.  Even in the case of Mifare Classic, a more robust design was quickly made available.

The question though, is what would it take for organizations to focus on security from the get go?