AVI, ETTM, and E-ZPass: A Look at ITS Systems
By Thomas Icom/IIRG
ticom@sinister.com

Introduction: What is ITS?

"ITS" is the abbreviation for Intelligent Transportation Systems. ITS came about when Congress passed the Intermodal Surface Transportation Efficiency Act of 1991 (ISTEA). According to the literature of ITS America, a federal advisory committee to the U.S. Department of Transportation established to coordinate the development and deployment of ITS in the United States:

"ISTEA calls for the creation of an economically efficient and environmentally sound transportation system that will move people and goods in an energy efficient manner, and will provide the foundation for a competitive American transportation industry.

Among other services, ITS technologies:

  Collect and transmit information on traffic conditions and transit schedules for travelers before and during their trips. Alerted to hazards and delays, travelers can change their plans to minimize inconvenience and additional strain on the system.

  Decrease congestion by reducing the number of traffic incidents, clearing them more quickly when they occur, rerouting traffic flow around them, and automatically collecting tolls.

  Improve the productivity of commercial, transit, and public safety fleets by using automated tracking, dispatch and weigh-in-motion systems that speed vehicles through much of the red tape associated with interstate commerce.

  Assist drivers in reaching a desired destination with navigation systems enhanced with pathfinding, or route guidance."

The full text of the ISTEA is available at http://www.mdot.state.mi.us/planning/policyad/istea.htm, and while pretty dull reading for the most part, does have some interesting sections.

ITS is also linked to Presidential Executive Order 13010 - Critical Infrastructure Protection, signed by President Clinton July 15, 1996. The text of EO 13010 is available at http://www.pccip.gov/eo13010.html.
Executive Order 13010 designates the United States' transportation system (including highways) as "critical infrastructure" and tasks a committee to, among other things:

  "assess the scope and nature of the vulnerabilities of, and threats to, critical infrastructures"

  "determine what legal and policy issues are raised by efforts to protect critical infrastructures and assess how these issues should be addressed"

  "recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation"

AVI and ETTM: The Front End

The subsystem we will be concentrating on is ETTM, Electronic Tolls and Traffic Management, specifically AVI, Automatic Vehicle Identification. Automatic Vehicle Identification (AVI) refers to the various components and processes of the toll collection system with which the toll equipment is able to determine ownership of the vehicle for the purpose of charging the toll to the proper customer.

AVI uses two main technologies: laser and radio frequency (RF). Laser systems utilize a bar coded sticker attached to the vehicle which is read by a laser scanner as the vehicle passes through the toll lane. They operate in a similar manner to grocery store checkout scanners. RF systems utilize a transponder (tag), mounted on the vehicle's bumper, windshield, or roof, which is read by an RF reader.

We will concentrate on AVI radio tags, as they are the most common technology in use, and the system used by E-ZPass. AVI radio tags can operate on the 913 MHz, 2.45 GHz, and 5.8 GHz ISM bands. According to industry reports, systems are currently operational only on the 913 MHz band, although several companies now offer systems at 2.45 GHz and are planning to offer 5.8 GHz systems in the near future.
There are several standards for AVI radio tags. Among them are:

  Crescent HELP
  ATA 5/16/90
  ISO 10374.2
  AAR S-918-92
  ANSI MH5.1.9-1990
  California Title 21

The specs for AVI radio tags are publicly available, and don't involve the use of technology that is too esoteric. The following is taken from California Title 21, which is representative of typical system specs. The full text of California Title 21 is available at http://www.ettm.com/title21.html.

The Compatibility Specifications for automatic vehicle identification (AVI) equipment have been developed around two principal components: a Reader and a Transponder. The minimum role of the Reader is to:

  1. trigger or activate a Transponder,
  2. poll the Transponder for specific information, and
  3. provide an acknowledge message to the Transponder after a valid response to the polling message has been received.

A half-duplex communications system is envisioned where the Transponder takes its cues from the Reader. The specification is meant to define a standard two way communications protocol and to further define an initial set of data records.

A summary of the key compatibility specifications found in this Chapter are set forth below:

Reader Specifications:
  Reader Trigger Signal - 33 microseconds of unmodulated RF
  Reader Send Mode (Downlink)
    Carrier Frequency: 915 +/- 13 MHz (subject to FCC assignment)
    Carrier Modulation: Unipolar ASK (Manchester Encoded)
    Data Bit Rate: 300 kbps
    No. Data Bits: Application Specific
    Field Strength at Transponder Antenna: 500 mV/m (minimum)

Transponder Specifications:
  Technology Type: Modulated Backscatter
  Transponder Send Mode (Uplink)
    Carrier Frequency: Same as Reader Send Mode
    Carrier Modulation: Subcarrier AM
    Subcarrier Modulation: FSK
    Subcarrier Frequencies: 600 kHz +/- 10% and 1200 kHz +/- 10%
    Data Bit Rate: 300 kbps
    No. Data Bits: Application Specific
  Receiver Field-Strength Threshold: 500 mV/m +/- 50 mV/m (minimum)
  Transponder Antenna:
    Polarization: Horizontal
    Field-of-View: Operation within 90° conical angle
    Location: Front of Vehicle

The original E-ZPass system used equipment from Amtech Systems Corporation. Amtech's equipment was California Title 21 compliant. Current equipment is from Mark IV Industries. The Mark IV system operates on 900 MHz. The transponders have 256 bits of memory. This is used to store the unit's serial number. Assuming no checksum bits, this allows for a little over 1.157 x 10^77 possible combinations! This doesn't appear to be the case, however, as California's Title 21 wonderfully informs us:

Section 1703. Definitions for Data Codes.

(a) Agency Code: This 16-bit code field identifies the Agency that has authority to conduct the transaction.

(b) Byte Order: Numeric fields shall be transmitted most significant bit first. If a numeric field is represented as multiple bytes, the most significant bit of the most significant byte is transmitted first. This document represents the most significant and first transmitted to the left on a line and to the top of a multi line tabulation.

(c) Error Detection Code: The error detection code utilized in the defined records is the CRC-16, with a generator polynomial of X^16 + X^12 + X^5 + 1. This results in a 16-bit BCC transmitted with each data message. The data field protected by the CRC excludes any preceding header in every case.

(d) Filler Bits: Filler bits are used to adjust the data message length to a desired length and shall be set to zero.

(e) Header Code: The Header is the first field in each data message for either reader or transponder transmissions and consists of an 8-bit and a 4-bit word for a total of 12 bits. The Header provides a signal that may be used by a receiver to self-synchronize (selsyn) with the data being transmitted, thus the notation Selsyn.
The Selsyn signal has binary and hexadecimal values: 10101010 and AA, respectively. The Header code also provides for a unique, 4 bit Flag that is recognized by a receiver decoder as the end of the Header with the data message to follow. The Flag signal has binary and hexadecimal values: 1100 and C respectively.

(f) Reader ID Number: This 32-bit field is used to uniquely identify the reader conducting the transaction.

(g) Transaction Record Type Code: This 16-bit code uniquely identifies a specific type of valid transaction between a reader and a transponder. This code uniquely defines the transponder message fields and functions permissible with the transaction type specified by the Polling message as described in Section 1704.5(e)(1). Hexadecimal numbers 1 through 7FFF are set aside for transponder message structures and 8000 through FFFF are dedicated for reader-to-transponder message structures.

(h) Transaction Status Code: Used to provide status information to the transponder.

(i) Transponder ID Number: This 32-bit code uniquely identifies which transponder is responding to a polling request or is being acknowledged.

Section 1705.5. Transponder Communications Protocol.

(a) Subcarrier Modulation Scheme. The transponder-to-reader (uplink) modulation scheme shall be amplitude modulation of an RF carrier backscatter created by varying the reflecting cross section of the antenna as seen by the incident carrier signal. The antenna cross section shall be varied between upper and lower limits with a 50 percent duty cycle and rise and fall times of less than 75 nanoseconds. The transponder baseband message signal shall modulate the subcarrier using FSK modulation with a center frequency of 900 kHz and frequency deviation of +/- 300 kHz. The lower and upper subcarrier frequencies correspond to data bits '0' and '1' respectively. The message information is conveyed by the subcarrier modulation frequencies of the transponder backscattered signal and not by amplitude or phase.
(b) Data Bit Rates. The data bit rate for transponder-to-reader data messages shall be 300 kbps.

(c) Field Strength. The field strength at which a transponder data message is transmitted using backscatter technology is dependent upon the incident field strength from the reader, the transponder receive and transmit antenna gains, and any RF gain internal to the transponder. The transponder and antenna gain taken together shall effect a change in the backscattering cross section of between 45 and 100 square centimeters.

(d) Standard Transponder Data Message Format. The standard portion of a Transponder data message shall consist of a header and transaction record type code. The subsequent length, data content, and error detection scheme shall then be established by the definition for that transaction record type.

(e) Transponder Data Message Formats for AVI Toll Collection. There may be numerous transponder-to-reader data message formats. The format is determined by the Transaction Record Type code sent by the transponder. The following is the reader-to-transponder message format presently specified for AVI electronic toll collection applications:

(1) Transponder Transaction Type 1 Data Message. Transponder Transaction Type 1 Data Message allows for unencrypted transponder ID numbers to be transmitted. Type 1 data messages shall be structured using the following ordered data bit fields:

  Field Definition                No. Bits   Hexadecimal Value
  Header Code
    - Selsyn                      8          AA
    - Flag                        4          C
  Transaction Record Type Code    16         1
  Transponder ID Number           32
  Error Detection Code            16
  Total:                          76

(f) Transponder End-of-Message Frame. The End-of-Message signal for transponder data messages shall consist of a minimum of 10 microseconds of no modulation.

Still, with 4,294,967,296 possible combinations, brute forcing an ID code seems out of the question. The nice thing is that at least they give you the whole rundown on how to monitor the system.

The way the system works is pretty simple.
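The Type 1 data message layout quoted from Title 21 above, as an added example (not from the original article or the specification): a parser that checks the header, record type and CRC of a constructed 76-bit frame. The CRC initial value of 0x0000 and all function names are assumptions; the quoted text gives only the generator polynomial and the MSB-first bit order.

```python
# Added example: decode and validate a Title 21 Type 1 transponder message.
# ASSUMPTION: CRC register starts at 0x0000, no bit reflection, no final XOR.
# The quoted spec text states only the polynomial and MSB-first transmission.

SELSYN, FLAG, TYPE_1 = 0xAA, 0xC, 0x0001
FRAME_BITS = 8 + 4 + 16 + 32 + 16  # 76, matching the table's total


def to_bits(value, width):
    """Integer -> list of bits, most significant bit first."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def from_bits(bits):
    """List of bits (MSB first) -> integer."""
    n = 0
    for b in bits:
        n = (n << 1) | b
    return n


def crc16(bits, init=0x0000):
    """Bitwise CRC-16, generator x^16 + x^12 + x^5 + 1 (0x1021)."""
    reg = init
    for bit in bits:
        feedback = ((reg >> 15) & 1) ^ bit
        reg = (reg << 1) & 0xFFFF
        if feedback:
            reg ^= 0x1021
    return reg


def make_sample_frame(transponder_id):
    """Constructed test input: header + type code + ID + CRC."""
    body = to_bits(TYPE_1, 16) + to_bits(transponder_id, 32)
    return to_bits(SELSYN, 8) + to_bits(FLAG, 4) + body + to_bits(crc16(body), 16)


def parse_type1(bits):
    """Validate a 76-bit frame and return its fields, or raise ValueError."""
    if len(bits) != FRAME_BITS:
        raise ValueError("expected %d bits, got %d" % (FRAME_BITS, len(bits)))
    if from_bits(bits[0:8]) != SELSYN or from_bits(bits[8:12]) != FLAG:
        raise ValueError("bad header (want Selsyn AA, Flag C)")
    body = bits[12:60]  # the CRC excludes the header, per Section 1703(c)
    record_type = from_bits(body[0:16])
    if record_type != TYPE_1:
        raise ValueError("not a Type 1 record: %#06x" % record_type)
    if crc16(body) != from_bits(bits[60:76]):
        raise ValueError("CRC mismatch")
    # The CRC only detects transmission errors; it does not authenticate
    # the sender, and the ID itself travels unencrypted in this record type.
    return {"record_type": record_type, "transponder_id": from_bits(body[16:48])}
```
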
The reader waits until it receives a signal from a vehicle presence sensor that a car is within range. Typically these are either IR (infrared) light beams aimed across the toll lane or an inductive sensor in the toll lane. Once the system detects a vehicle, it takes a picture of your license plate, the reader transmits an RF carrier, and waits for the response from the transponder. The transponder modulates the carrier and reflects it back to the reader. This is known as "modulated backscatter". The system gets the ID, verifies it's valid, and sends you on your way. Should your E-ZPass be invalid or non-existent, they can use the picture of your license plate to send you a ticket.

That's the overt use of the system, and pretty much the party line you're given when inquiries are made. E-ZPass also has two other uses, which have nothing to do with toll collection.

As part of ITS, systems have been implemented to "monitor traffic", ostensibly to help authorities know when there is a traffic delay. The most obvious monitoring fixtures are those cameras you see on the sides of the highway. (Yes, they can read license plates and identify the driver of a vehicle if they are so inclined, and want to put some effort into it. Some of the systems are wireless and somewhat easily monitored for the hacker who is so inclined to investigate for themselves.) In addition to the cameras, E-ZPass is also being used.

This is how they do it: AVI readers are placed at points along the highway. The readers determine how long it takes for an E-ZPass equipped vehicle to go from point A to point B. For example, at 60 MPH (just under the speed limit on most of the Thruway), it would take a vehicle one minute to pass by two AVI readers a mile apart (60 MPH is a mile a minute). During a traffic jam in which vehicles are going 30 MPH the time between AVI readers would increase to two minutes, thus indicating a problem.
Now consider this: Let's say they detect an E-ZPass transponder going from the same two readers (one mile apart) in 30 seconds. This would indicate a speed of 120 miles an hour (2 miles/minute). They log that E-ZPass ID, and send the owner a speeding ticket in the mail. This isn't too insidious on a toll road such as the New York State Thruway, as the time you enter the highway is noted on your toll ticket, and reaching your destination exit too quickly will also result in receiving a fast driving award from the New York State Police.

The interesting part is that they are putting E-ZPass readers on non-toll roads, and making it very difficult for folks who wish to pay tolls with cash. I was on the Whitestone Bridge a couple months ago, and there was only one lane out of about ten that accepted cash. What this means is that they are making E-ZPass pretty much a necessity for anyone who regularly travels on toll roads, meaning anyone who lives in or commutes to New York City. This universal service requirement is what will make E-ZPass perfect for surveillance. Drive past an AVI transponder, and your location is pinpointed.

So in the name of "better traffic conditions", big brother is brought to the highways of the New York metropolitan area. Despite all the statist assurances of "honest people don't have to worry", I'm an old-fashioned fellow who feels it's none of the government's business where I travel. As the histories of Nazi Germany and the former Soviet Union also proved, nothing good comes from a government that tries to control its people. Might I add this technology is in the hands of a government that continues to hold Kevin Mitnick in violation of habeas corpus. End rant.

Unlike some other technologies used by big brother, AVI RF tags are relatively easy to countermeasure. Placing the transponder tag into a shielded enclosure such as a steel box (ammo box) will prevent it from being read.
Simply take out the transponder just before you reach the toll booth, and replace it when you're done. The New York State Bridge Authority is, at the time of this writing, providing shielded bags at toll booths for people who have E-ZPass but occasionally want to pay cash to get a receipt for the single crossing. This service is for individuals who are traveling on employer business and getting reimbursed for travel expenses. An examination of the bag showed it to be similar in construction to an anti-static bag for handling electronic components.

AVI tags are just one part of the whole system. Look on the sides of most interstate highways these days, and you will notice more and more roadside boxes appearing. Some have phone lines running to them, and others have antennas on them. You will also see highway departments installing inductive loops in the pavement. New York State is in the process of implementing a neural net system in the metropolitan area for the purpose of "traffic surveillance". According to the NYS DOT ITS Web site:

"The Traffic Flow Visualization and Control (TFVC) System will enhance NYSDOT's ability to use video detectors to perform real-time traffic control through innovative video processing techniques and use of artificial neural networks to emulate human perception and decision making in the incident detection process. The five million dollar project is being jointly progressed by the Department, the FHWA, the U.S. Air Force's Rome Laboratory and KAMAN Sciences of Colorado Springs."

That's right. Rome Labs and KAMAN. Makes you wonder, doesn't it?

I hope this article got your brain gears moving. AVI RF tags are just one segment of the fascinating fields of ETTM and ITS.

Thanks go to Frohike, Langly, and Byers for their assistance with this article, to "The Little People", and to Emmanuel Goldstein, our editor, for providing the vivisection subject.
Also greetings and much love to my fiancee who challenged me to include the word "vivisection" in a coherent context. If I receive sufficient feedback to said effect, future articles will be forthcoming on other aspects of ETTM and ITS. Feel free to leave email at , or voice mail at the 2600 VMB Box 4266.