After spotting a police car with two huge boxes on its trunk — that turned out to be license-plate-reading cameras — a man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He’s not the only one.) The man, who goes by the Internet handle “Puking Monkey,” did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths.
Puking Monkey is an electronics tinkerer, so he hacked his RFID-enabled E-ZPass to set off a light and a “moo cow” every time it was being read. Then he drove around New York. His tag got milked multiple times on the short drive from Times Square to Madison Square Garden in mid-town Manhattan…
… and also on his way out of New York through Lincoln Tunnel, again in a place with no toll plaza.
At Defcon, where he presented his findings, Puking Monkey said he found the reading of the E-ZPass outside of where he thought it would be read when he put it in his car “intrusive and unsettling,” quoting from Sen. Chuck Schumer’s remarks about retailers tracking people who come into their stores using their cell phones.
This isn’t a part of the Lower Manhattan Security Initiative, the millions-dollar project emulating London’s Ring of Steel with extreme surveillance. It’s part of Midtown in Motion, an initiative to feed information fromlots of sensors into New York’s traffic management center. A spokesperson for the New York Department of Transportation, Scott Gastel, says the E-Z Pass readers are on highways across the city, and on streets in Manhattan, Brooklyn and Staten Island, and have been in use for years. The city uses the data from the readers to provide real-time traffic information, as for this tool. The DoT was not forthcoming about what exactly was read from the passes or how long geolocation information from the passes was kept. Notably, the fact that E-ZPasses will be used as a tracking device outside of toll payment, is not disclosed anywhere that I could see in the terms and conditions.
When I talked to the E-ZPass Inter-agency Group — the umbrella association that oversees the use of the pay-toll-paying tags in 15 different states — it said New York is the only state that is employing this inventive re-use of the tags. (That statement will be tested: Puking Monkey lent his hacked pass to a friend going on a road trip to see if it went off unexpectedly in any other states.)
TransCore, a company that makes the RFID readers that New York is using to pick up on E-ZPasses, was more forthcoming. A 2013 case study from the company notes that the $50 million project to improve traffic congestion in New York also involved the installation of a network of traffic microwave sensors, and has been successful enough that the city plans to expand it another 270 blocks.
“The tag ID is scrambled to make it anonymous. The scrambled ID is held in dynamic memory for several minutes to compare with other sightings from other readers strategically placed for the purpose of measuring travel times which are then averaged to develop an understanding of traffic conditions,” says TransCore spokesperson Barbara Catlin by email. “Travel times are used to estimate average speeds for general traveler information and performance metrics. Tag sightings (reads) age off the system after several minutes or after they are paired and are not stored because they are of no value. Hence the system cannot identify the tag user and does not keep any record of the tag sightings.”
In other words, reading of the E-ZPasses won’t be very useful for uniquely tracking you or your speed, but it’s a reminder once again that if you accept some kind of tracking device, it may be used in ways you wouldn’t expect.
As for blocking that tracking, if you’re not excited about it, Puking Monkey recommends that you “bag the tag, and only bring it out when you want to pay a toll.” Most tags come with a “Faraday cage” type bag through which it can’t be read.
“If NYDOT can put up readers,” says Puking Monkey, “other agencies could as well.”