The FASTag Project in India: A long way to go with many Cyber and Physical threats to plug
New Delhi (CSI): On 01 December 2019, India will migrate to the Electronic Toll Collection (ETC) Systems and will be among the developed countries to implement the FASTag project for the vehicles that ply on Indian Roads. The long queues, the problems of tendering exact change, the collection of the balance change, the quarrel on the booth, the hassles of delay, cost of storage and transportation of cash, the misconduct of booth staff/commuters, the loss of the printed slip, the manning problems of the booth, the misappropriation of the booth staffing service provider, and many more such problems will be long gone.
The FASTag is an RFID (Radio-frequency identification) tag, that is unique to the vehicle and which is linked to an account (prepaid/postpaid), from which the toll charges will be deducted. It will be a mandatory instruction and even the exemption class at the toll booth will now be provided with the tag that is usable and track-able. At the core of all this is the technology that drives this project.
The FASTag is a sticker containing an embedded chip and antenna (Transponder) with a reader to capture the Tag ID (supposedly, which can be read from about 80 feet distance from the vehicle by the reader). It is affixed on a vehicle’s windscreen to enable automatic collection of toll charges when the vehicle passes through a toll plaza, without the need to stop at the toll booth. At the front-end, the FASTag employs RFID technology to help recognise the passing of a vehicle along with details such as the vehicle class and the status of the tag. At the back-end, it is connected to your bank account or wallet to enable automatic deduction of charges, as also the credentials of the vehicle to which the Tag belongs.
All such projects guided by technology to include the FASTag project also comes with vulnerabilities. The modalities of the FASTag project is simple and workable, yet will encounter issues related to Implementation, Privacy, Security, Threats, Crime, etc.
The Physical Challenges are as below:
- Theft of the Tag.
- The use of Tag on vehicles that do not have a windscreen.
- Management of those vehicles and enforcing mandatory tags on them that never cross a toll booth.
- The multiple deductions by the unique reader of the multiple by more than one reader in the vicinity.
- The planning failure of redundancy at the booths for electronic reading.
- Integrity and Non-Disclosure attributes of the staff and vendors having access to information.
- Replacement nuances of a defective tag.
- Indian toll plazas are designed in a way that even after the stabilisation of FASTag program, we may still see that we are not able to take the advantage of the FASTag and provide the promised free-flow tolling due to Density of Vehicles and Paucity of Skills.
- Digital due to Denial-of-Services, challenges due to internet problems of fetching of the database from the central server (or network issues)
(These physical issues are addressable through proper means, yet they are challenges that cannot be ignored)
The Digital Challenges:
- RFID is a small electronic device consisting of a chip on which data can be encoded, and an antenna used to transmit that data. However, there is a concern that these RFID chips could easily be hacked and cloned, and the information on these chips could easily be stolen by hackers.
- Overall encryption adopted in the Indian FASTag Project, is probably as per the open ISO standard 18000-6C standard; this is hackable and has its own security issues.
The tag used is of open ISO standard 18000-6C UHF RFID, which does not have or support Encryption of data in transit, thus allowing eavesdropping of over-the-air RFID transactions.
- The Tag being without a “kill switch” is 24×7 emitting the Tag ID, and is explicitly on the Windscreen, hence is beyond user control to switch it off.
- Thief’s and unscrupulous elements with the correct transponder-reader can capture the ID that is readable from the visible Tag on the Windscreen even from a parking lot, then this data can be spoofed the culprit can put the data on their devices and pass through the tolls for free, with the victim paying the bill.
- The Passive transponder IDs, with weak encryption, could be wiped and switched with that of a tag from a different car, and then the culprit will execute a crime; thereby resulting in a wrong ID being captured into the system while being used in the crime.
- The FASTag System has an inherent tracker property, hence the driver’s movement is traceable on real-time; the fear is that the same data is privy to the operators/handlers at all level and thus the fear of being misused or the data being bartered for monetary gains.
- This FASTag data, that is being captured, can be directly linked to PII (Personally Identifiable Information) of the Tag owner, hence we see that the details like Owner Profile, Blood Group, Home Address, Bank Details, Credit/Debit Card Details, Other Vehicles Owned, Driving License Number/Details, Aadhaar Details, etc, is all no-more private and is public at the hands of Government/Vendor/Operator/Handler. Now, this data is sell-able for monetary gains.
- While the implementation of the FASTag project was underway in India from the year 2014, a proper mature model is still not claimable. The challenges are too many. the Database is huge with over 25 Crore vehicles on Indian roads that need to come on board. Due to its magnitude, the implementation of the FASTag Project is a humongous task. The Cyber Threats and vulnerabilities cannot be alienated from even this seemingly small project. Both Digital and Non-Digital security is where effort still needs to be concentrated to ensure that the Criminals do not sabotage or take advantage to target the Government and Common Man. Concerns of Privacy, the Security and Safety of the Financial Linkages, threats of terrorism is also a food for thought.
Another area of concern is the ownership of the project: India should have adopted an indigenous approach, developing its own ISO standards and based on the indigenous framework, also the Tags and the System should have been manufactured in India rather than importing from FEIG ELECTRONIC, Germany (as reported in the media). All the more important were the used encryption algorithm, as it should have been India’s own with sole IPR.
Source: Cyber Secure India