How to prevent toll hacks by prioritizing toll collection security

Author: Sue Poremba

Across the United States, Departments of Transportation (DOT) are turning to electronic toll collection. DOT officials see plenty of upsides to this move: less congestion on busy roads, lower carbon emissions when vehicles no longer have to start and stop, and lower operating and staffing costs.

However, electronic toll collection has a dark side: cyber security concerns that have to be addressed. Adding electronic transmissions to the collection process could result in toll hacks if cyber security is ignored or not prioritized.

Electronic toll collection and how it works

For drivers, electronic toll collection can help to take a lot of stress out of the road trip. Drivers don't have to worry about wasting time queuing up or finding exact change for the toll booth.

An electronic toll-collection system can use a vehicle-mounted transponder that is activated by an antenna; these transponders most commonly use Radio Frequency Identification (RFID). Tolls can also be collected electronically without a transponder on the windshield, as some electronic toll systems are able to record the license plate and automatically send the toll bill to the registered vehicle owner. Additionally, smartphone applications have been developed to help collect toll fees and provide new channels for toll collection.

Security ramifications of toll hacks in electronic toll collection

Cyber risks for toll hacks can occur at any stage of the process, beginning with tag purchase and registration. This process typically happens online, with the user setting up an account with the state or company that authorizes the toll pass. Additionally, as this process is available at toll road rest stops, it's tempting for drivers to use the free on-site Wi-Fi to create the account, giving a hacker easy access to credit card and personal information, as well as to the tag details.

Tolls that use credit cards for collection will need to meet Payment Card Industry Data Security Standard (PCI DSS) compliance. Electronic toll systems also depend on third parties to store the information held in their accounts, and all networks are susceptible to data breaches. Your organization needs to keep current with PCI DSS audits and other cyber security systems to keep toll information secure. Because it can take months before a data breach or other cyber incident is discovered—which could result in identity theft and thousands of dollars in tolls for unsuspecting drivers—your organization should have a rapid response mechanism in place to monitor and mitigate electronic toll collection incidents.

Most tags are RFID transponders, and encryption on these devices is questionable. Drivers who use the passes daily often leave them attached to the windshield, leaving the device vulnerable to both physical and electronic theft. Hackers who clone RFID toll passes can use them while the toll pass holder foots the bill.
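One way a toll operator's monitoring could surface a cloned pass is to look for the same tag ID read at two distant gantries in less time than a vehicle could cover the distance. The following is an added example, not code from the original article or from any toll system; the gantry IDs, coordinates, read records, and both thresholds are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed gantry IDs and coordinates (lat, lon); not from any real toll system.
GANTRIES = {"G1": (40.7357, -74.1724), "G2": (39.9526, -75.1652),
            "G3": (40.7500, -74.1600)}

# Constructed sample reads: (ISO timestamp, tag ID, gantry ID).
SAMPLE_READS = [
    ("2024-05-01T08:00:00", "TAG-A", "G1"),
    ("2024-05-01T08:20:00", "TAG-A", "G2"),  # ~121 km in 20 minutes
    ("2024-05-01T08:00:00", "TAG-B", "G1"),
    ("2024-05-01T09:30:00", "TAG-B", "G2"),  # same trip at normal speed
    ("2024-05-01T08:05:00", "TAG-C", "G1"),
    ("2024-05-01T08:05:20", "TAG-C", "G3"),  # neighbouring gantries, ~2 km
]

MAX_PLAUSIBLE_KMH = 160   # assumed ceiling for a road vehicle
MIN_DISTANCE_KM = 5       # assumed: below this, clock skew dominates the speed


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_clone_suspects(reads, gantries=GANTRIES):
    """Return (tag, from_gantry, to_gantry, implied_kmh) for impossible trips."""
    last_seen, alerts = {}, []
    for ts, tag, gantry in sorted(reads, key=lambda r: r[0]):
        when = datetime.fromisoformat(ts)
        if tag in last_seen:
            prev_when, prev_gantry = last_seen[tag]
            km = haversine_km(gantries[prev_gantry], gantries[gantry])
            hours = (when - prev_when).total_seconds() / 3600
            if km >= MIN_DISTANCE_KM:
                # Simultaneous reads at distant gantries imply infinite speed.
                kmh = km / hours if hours > 0 else float("inf")
                if kmh > MAX_PLAUSIBLE_KMH:
                    alerts.append((tag, prev_gantry, gantry, kmh))
        last_seen[tag] = (when, gantry)
    return alerts


if __name__ == "__main__":
    for tag, src, dst, kmh in find_clone_suspects(SAMPLE_READS):
        print(f"review {tag}: {src} -> {dst} implies {kmh:.0f} km/h")
```

A flagged tag is a lead for account review, not proof of cloning: a misconfigured gantry clock or a mistyped gantry ID produces the same pattern.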

Anyone using a mobile app for their toll system is also at risk. They're in danger of downloading a malicious or fake app that can steal information directly from the smartphone.

The more these electronic systems are adopted and utilized across the country, the greater the risk of drivers unfortunately becoming victims of toll hacks. Privacy concerns have risen with the adoption of license plate readers and data collection. Cyber security experts have warned about the risks of toll hacks since the technology came online. 

How organizations can offer security against toll hacks

Drivers are responsible for some level of security on their end—i.e., taking the pass out of the vehicle and using security best practices when they connect to electronic toll payment sites—however, government DOT agencies, companies, and third parties involved in electronic toll collections should adhere to security best practices. Your organization can do this by:

  • Preventing physical attacks: The information technology infrastructure used for electronic tolls is often visible and exposed along on- and off-ramp areas. Without people working in the toll booths, it may be easier for bad actors to physically access the infrastructure and download malware into the system, modify sections of the internet architecture, exploit vulnerabilities, or launch attacks designed to steal data or manipulate the system. Set up cameras and sensors in these areas to allow for 24/7 monitoring.
  • Preventing internet attacks: Threat actors can also wreak havoc through traditional internet attacks and by hijacking control of the toll systems—they could prevent gates from rising to create traffic jams, for instance, or jam transmissions so drivers go through undetected. There's also a risk that threat actors could use poorly protected toll systems as an entry point to your organization's entire network, where much more damage can be done. To prevent that from happening, consider a private IP service that offers the toll system the network capabilities it needs but without connecting to your organizational network.

Like any system that depends on internet connections and electronic devices, toll systems are at risk of being hacked. Knowing where the risks are and applying the same cyber security best practices used for any other type of system will keep both drivers and agencies secure from toll hacks.
