John Gilmore wrote:
It would be relatively easy to catch someone
doing this - just cross-correlate with other
information (address of home and work) and
then photograph the car at the on-ramp.
Am I missing something?
It seems to me that EZ Pass spoofing should become as popular as
cellphone cloning, until they change the protocol. You pick up a
tracking number by listening to other peoples' transmissions, then
impersonate them once so that their account gets charged for your toll
(or so that it looks like their car is traveling down a monitored
stretch of road). It should be easy to automate picking up dozens or
hundreds of tracking numbers while just driving around; and this can
foil both track-the-whole-populace surveillance, AND toll collection.
Miscreants would appear to be other cars; tracking them would not
Well, I am presuming that ... the EZ Pass
does have an account number, right? And
then, the car does have a licence place?
So, just correlate the account numbers
with the licence plates as they go through
The thing about phones is that they have
no licence plates and no toll gates. Oh,
and no cars.
The rewriteable parts of the chip (for recording the entry gate to
charge variable tolls) would also allow one miscreant to reprogram the
transponders on hundreds or thousands of cars, mischarging them when
they exit. Of course, the miscreant's misprogrammed transponder would
just look like one of the innocents who got munged.
What incentive does a miscreant have to
reprogram hundreds or thousands of other
[I believe, by the way, that the EZ Pass system works just like many
other chip-sized RFID systems. It seems like a good student project
to build some totally reprogrammable RFID chips that will respond to a
"ping" with any info statically or dynamically programmed into them by
the owner. That would allow these hypotheses to be experimentally tested.]
Phones are great for spoofing because the
value can be high. And, the risk of being
physically apprehended is low. Cars and
toll ways are a different matter.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]