Can FASTag be Hacked?
On December 1st 2019 the National Highways Authority of India (NHAI) announced that FASTag would be mandatory for all vehicles in India. FASTag is an RFID-based system that automates toll payment at toll plazas on national highways.
One thing I knew for sure was that most windshield tags like FASTag work on RFID technology, and I had worked on RFID projects during my college days, so I started gathering information about FASTag.
Tags of this kind are passive devices: they have no battery or other energy source and rely on the reader's field to power them. When a tag comes within range of a reader it powers up and answers with a few bytes of data by modulating the signal it reflects back to the reader (backscatter). Such tags carry very little storage because all they need to do is identify something. Contactless bank cards work on the same principle, at HF (13.56 MHz, the NFC band), although with a more capable chip.
RFID tags are categorized by the frequency band they operate in: LF (around 125 to 134 kHz), HF (13.56 MHz) and UHF (roughly 860 to 960 MHz).
Read range depends on how the tag couples to the reader, not on frequency alone. LF and HF tags couple inductively in the reader's near field and cannot be read beyond a few centimetres (tens of centimetres at best for HF), whereas UHF tags use far-field backscatter and can be read from several metres, which leaves UHF as the only option for an application like a toll plaza. UHF inlays are also small and inexpensive. A simplified version of toll collection using an RFID tag would look something like this.
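To put a number on the read-range claim, here is an added example (not code from the original post) that estimates the forward-link range of a passive UHF tag with the Friis transmission equation and, going slightly beyond the text, the inverse: the reader EIRP needed to wake a tag at a chosen distance. The reader EIRP, tag antenna gain, chip sensitivity and polarisation loss are illustrative assumptions, not FASTag or vendor figures.

```python
"""Estimate how far a reader can power a passive UHF tag (added example).

Far-field link budget from the Friis transmission equation:
    P_tag = EIRP * G_tag * L * (lambda / (4 * pi * r))**2
The tag can only answer while P_tag >= its chip sensitivity, so solving for
r gives the forward-link read range. Near-field LF/HF coupling does not
follow this law, which is why those tags stop working a few centimetres out.
Every input figure below is an assumption for illustration, not vendor data.
"""
import math

C = 299_792_458.0          # speed of light, m/s
FEET_PER_METRE = 3.28084


def dbm_to_watts(dbm: float) -> float:
    return 10 ** (dbm / 10) / 1000


def db_to_linear(db: float) -> float:
    return 10 ** (db / 10)


def read_range_m(freq_hz: float, eirp_dbm: float, tag_gain_dbi: float,
                 sensitivity_dbm: float, loss_db: float = 0.0) -> float:
    """Largest distance at which the tag still harvests its turn-on power."""
    wavelength = C / freq_hz
    link_gain = (dbm_to_watts(eirp_dbm) * db_to_linear(tag_gain_dbi)
                 * db_to_linear(-loss_db))
    return wavelength / (4 * math.pi) * math.sqrt(link_gain / dbm_to_watts(sensitivity_dbm))


def eirp_needed_dbm(freq_hz: float, range_m: float, tag_gain_dbi: float,
                    sensitivity_dbm: float, loss_db: float = 0.0) -> float:
    """Reader EIRP required to wake the tag at range_m (inverse of read_range_m)."""
    wavelength = C / freq_hz
    path_gain = (wavelength / (4 * math.pi * range_m)) ** 2
    eirp_w = dbm_to_watts(sensitivity_dbm) / (
        db_to_linear(tag_gain_dbi) * db_to_linear(-loss_db) * path_gain)
    return 10 * math.log10(eirp_w * 1000)


if __name__ == "__main__":
    # Assumed figures: 866 MHz (India's 865-867 MHz UHF band), a fixed plaza
    # reader at 4 W EIRP (36 dBm), a dipole-like tag antenna (2 dBi), chip
    # sensitivity -18 dBm, and 3 dB polarisation loss between a circularly
    # polarised reader antenna and the linear tag antenna.
    freq = 866e6
    for eirp in (36.0, 30.0, 20.0):   # plaza reader, handheld, low-power reader
        r = read_range_m(freq, eirp, 2.0, -18.0, 3.0)
        print(f"EIRP {eirp:4.0f} dBm -> {r:5.1f} m ({r * FEET_PER_METRE:4.0f} ft)")
    need = eirp_needed_dbm(freq, 30 / FEET_PER_METRE, 2.0, -18.0, 3.0)
    print(f"EIRP needed to wake the tag at 30 ft: {need:.1f} dBm")
```

With these assumptions a 4 W EIRP reader wakes the tag at roughly 12 m (about 40 ft), and a reader of just over 2 W EIRP reaches 30 ft, so the figure quoted later in the post is well within what a compliant fixed reader can do; real-world range is usually lower because of antenna detuning on a windshield, reflections and the weaker return link.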
I wanted to get my hands on a FASTag, so I registered with the bank for one, and within hours I had a tag for myself. I tried to study it without damaging the tag itself; here are some of the pictures I took.
The blacked-out region had a barcode, which seems to be the only information on the tag that could be used to identify it.
The fancy FASTag metallic logo is the antenna: a thin film of metal deposited on the plastic sticker, which lets the tag harvest power from the reader and backscatter its reply. The black speck at the centre of the tag is the actual chip that does all the work; these inlays are very cheap to produce. From the antenna design I can guess that these tags operate at UHF, although nothing printed on the tag or the chip identifies the operating frequency. My goal is to figure out what information is stored on the tag and, from that, what the potential attack vectors are. The tag can obviously store only a few bytes of data, and since tags are assigned to a vehicle this data could be an encoded form of one of these:
* License Plate Number
* Vehicle Registration Number
* Customer ID
* Tag Account Number
* Tag Serial Number
I have my bets on the Tag Serial Number, because it's much easier to write the tag serial number during the manufacturing process, as no other information would be available regarding the tag at that stage.
The final step would be to read the actual data on the tag. After a little bit of recon I found the manufacturer of these tags in India, http://fastprorfid.com, and the specs for these tags:
FAST Squiggle Inlay UHF-9640
* Antenna Size: 94.8 mm x 8.15 mm
* Operating Frequency: UHF 960 MHz
* Higgs-3 IC with 800 bits of non-volatile memory
* EPC Size: 96 to 480 bits | User Memory: 512 bits | TID: 32 bits | Unique TID: 64 bits | Access Password: 32 bits | Kill Password: 32 bits
* Standard: ISO/IEC 18000-6C / EPCglobal Class 1 Gen 2
Each tag shall have a unique barcode, and the encoded data shall contain the following elements of the EPC ID:
1. Issuer Identification Number [IIN] in decimal
2. Key Index [KI] in decimal
3. EPC ID’s serial number in decimal
4. '-' as field separator (alphanumeric character)
The tag variant is as per the vehicle classes defined for the NETC project; different color codes represent their respective vehicle classes.
The color codes are defined as below:
Going through the specs I see that an EPC Gen 2 tag has two separate passwords, an access password and a kill password; each is 32 bits, and both are stored in the reserved bank (bank 00) of tag memory. The access password is what locks the chip: once the EPC bank is locked, there is no way to rewrite it without knowing the password. Note, however, that Gen 2 can only read-protect the reserved bank itself; the EPC, TID and User banks can be write-locked but never read-locked, so any compliant reader can always read the EPC. This should not be a problem for me, as all I want to do is read what's on the chip.
Now all we need is a UHF reader to read what's on the chip; these readers can be bought off AliExpress for around $40.
As of now I do not own a UHF reader, so all I can do is think about the possible attacks. Assuming the tag serial number is stored in the tag's memory, an attacker could go around town reading the tags of parked vehicles and write the identifiers he collected onto blank tags, which can be bought off AliExpress for less than $1; the toll would then be charged to the cloned tag's account and he would never have to pay a toll again. The attacker need not get close enough to the vehicle to raise suspicion either: a UHF tag can in theory be read from around 30 ft away, which makes skywalks a perfect place for such readers to be placed to harvest tag numbers.
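To make the lock and clone reasoning above concrete, here is an added example (not code from the original post, FASTag, NETC or the tag vendor) that models the Gen 2 memory banks and lock bits, runs the clone attack from the previous paragraph, and checks the clone against two kinds of backend. The 32/16/48-bit packing of the IIN, KI and serial into the EPC, the TID being factory-permalocked, and the backend checks are assumptions stated in the comments; all tag contents are constructed.

```python
"""Model of EPC Gen 2 (ISO/IEC 18000-6C) tag memory and lock behaviour,
used to walk through the clone attack described above.
Added example with constructed data; not code from FASTag, NETC or the tag
vendor. Bank numbers follow the Gen 2 MemBank field (00 Reserved, 01 EPC,
10 TID, 11 User).
"""
from dataclasses import dataclass
import secrets

RESERVED, EPC_BANK, TID_BANK, USER_BANK = 0, 1, 2, 3


class AccessDenied(Exception):
    """The tag refused the command because of its lock bits / state."""


@dataclass
class Gen2Tag:
    epc: bytes                      # bank 01: the ID the plaza reader inventories
    tid: bytes                      # bank 10: chip serial (Higgs-3: 64-bit unique TID)
    user: bytes = b""               # bank 11
    access_pw: int = 0              # bank 00, 32 bits; 0 is the factory default
    kill_pw: int = 0                # bank 00, 32 bits
    epc_write_locked: bool = False  # lock bit: writes to bank 01 need Secured state
    pw_read_locked: bool = False    # lock bit: bank 00 unreadable outside Secured state
    tid_permalocked: bool = True    # assumption: vendor permalocks TID at the factory

    def _secured(self, password) -> bool:
        # Gen 2 rule: a tag whose access password is zero enters the Secured
        # state without an Access command, so a lock with password 0 is no lock.
        return self.access_pw == 0 or password == self.access_pw

    def read(self, bank: int, password=None) -> bytes:
        # Only the Reserved bank can be read-locked. EPC, TID and User memory
        # can be write-locked but are always readable by any compliant reader.
        if bank == RESERVED:
            if self.pw_read_locked and not self._secured(password):
                raise AccessDenied("reserved bank is read-locked")
            return self.kill_pw.to_bytes(4, "big") + self.access_pw.to_bytes(4, "big")
        return {EPC_BANK: self.epc, TID_BANK: self.tid, USER_BANK: self.user}[bank]

    def write_epc(self, data: bytes, password=None) -> None:
        if self.epc_write_locked and not self._secured(password):
            raise AccessDenied("EPC bank is write-locked; access password required")
        self.epc = bytes(data)

    def write_tid(self, data: bytes, password=None) -> None:
        if self.tid_permalocked:
            raise AccessDenied("TID bank is permalocked")
        self.tid = bytes(data)


def encode_epc(iin: int, ki: int, serial: int) -> bytes:
    """Pack the three barcode fields into a 96-bit EPC.
    The 32/16/48-bit split is an assumption for this example; the spec quoted
    above only says the EPC ID carries IIN, KI and serial number."""
    return iin.to_bytes(4, "big") + ki.to_bytes(2, "big") + serial.to_bytes(6, "big")


def issue_tag(iin: int, ki: int, serial: int, tid: bytes = None) -> Gen2Tag:
    """What a careful issuer would do: program the EPC, set a random non-zero
    access password, lock EPC writes and hide the password bank."""
    tag = Gen2Tag(epc=encode_epc(iin, ki, serial),
                  tid=tid if tid is not None else secrets.token_bytes(8))
    tag.access_pw = secrets.randbelow(2**32 - 1) + 1   # never zero
    tag.epc_write_locked = True
    tag.pw_read_locked = True
    return tag


def clone_epc(victim: Gen2Tag, blank: Gen2Tag) -> Gen2Tag:
    """The attack from the text: inventory the victim's EPC (no password
    needed) and write it into a factory-fresh tag (password 0, unlocked)."""
    blank.write_epc(victim.read(EPC_BANK))
    return blank


def epc_only_check(tag: Gen2Tag, registry: dict) -> bool:
    """Backend that trusts the EPC alone (assumed naive plaza logic)."""
    return tag.read(EPC_BANK) in registry


def epc_plus_tid_check(tag: Gen2Tag, registry: dict) -> bool:
    """Backend that also reads the TID bank and compares it with the TID
    recorded at issuance; a clone on a different chip fails here."""
    epc = tag.read(EPC_BANK)
    return epc in registry and registry[epc] == tag.read(TID_BANK)


if __name__ == "__main__":
    victim = issue_tag(iin=123456, ki=1, serial=987654321)
    registry = {victim.read(EPC_BANK): victim.read(TID_BANK)}   # recorded at issuance
    blank = Gen2Tag(epc=bytes(12), tid=secrets.token_bytes(8))  # $1 tag, pw 0, unlocked
    clone = clone_epc(victim, blank)
    print("EPC-only backend accepts clone:", epc_only_check(clone, registry))      # True
    print("EPC+TID backend accepts clone: ", epc_plus_tid_check(clone, registry))  # False
    try:
        victim.write_epc(bytes(12))   # overwrite the victim without the password
    except AccessDenied as err:
        print("rewrite of victim refused:", err)
```

The model makes the point the specs hint at: the access password gates writes (and reads of the password bank itself), so the EPC is always harvestable and trivially copied onto a blank tag whose default password is zero; a lock applied with a zero password protects nothing at all. What defeats a naive clone is a backend that binds the EPC to the chip's factory TID at issuance and re-checks it at the plaza. That mitigation rests on the TID really being unwritable, which holds for a compliant Higgs-3 but should not be assumed for every UHF tag sold online, so it raises the bar rather than proving authenticity.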
I would like to learn more about how the entire system works, and I hope that what I have assumed about FASTag is wrong and that there is an encryption mechanism to prevent an attacker from understanding what is stored on the chip.
Just a disclaimer: I do not support hacking into national systems, or any systems for that matter, without permission. The information I have posted here is publicly available; I just curated it and wrote my point of view.