First publishedin ITS International
6C can facilitate the interoperability of electronic tolling without compromising security
Star Systems International’s Stephen Lockhart, explains how ISO 18000-6C can boost both interoperability and data security in RFID tolling applications.
As more states, municipalities and agencies deploy electronic tolling solutions to generate funds and reduce congestion at tollbooths, there have been increased calls for standardisation in the industry. While a handful of tolling solutions has dominated the market in the US, most of them employ proprietary or otherwise non-interoperable technology. This means drivers who frequently pass through different states or cities may require multiple transponders.
This situation is in contrast to countries that have developed their electronic toll collection infrastructure with interoperability in mind from the outset. For example, the EU has standardised around specifications developed by the European Committee for Standardization (CEN).
In the US the call for nationwide interoperability has risen to the level of Congress. In fact, the federal government called for electronic tolling interoperability by October 2016 as part of the Moving Ahead for Progress in the 21st Century Act (MAP21). While that deadline has come and gone, industry groups such as the International Bridge, Tunnel and Turnpike Association (IBTTA) have been working toward a final design for interoperability in the US. Working closely with the Federal Highway Administration, these groups have secured funding to conduct testing that will ultimately lead to a formal recommendation to Congress. This is expected to happen in late 2017.
A relative newcomer in the tolling arena is the ISO 18000-6C/63 (6C) communications protocol. Introduced in 2004, ‘6C’ is an open-standard RFID communication specification originally developed for supply chain applications (inventory management, asset tracking and the like). Not only was 6C designed specifically for passive UHF RFID, but it is also an open and evolving specification that provides a basis for a nationwide tolling standard while addressing the increasing need for security and privacy as more drivers participate in electronic toll collection.
Following that initial release, 6C has become established as a reliable, robust and cost-effective technology for high-speed electronic toll collection applications with the first production deployments taking place in the US in 2010.
Since that initial tolling adoption, 6C has spread steadily across the US (and around the world) with agencies in Colorado, Georgia, Louisiana, Washington, Ohio and Utah adopting it as their primary tolling protocol. Furthermore, California has begun legislative action to transition its statewide protocol to 6C. Outside of the US, 6C has been adopted as the primary tolling standard in India, Taiwan, Turkey, Vietnam, Philippines, Malaysia, Argentina, Paraguay, Uruguay, Panama, Ecuador, Dominican Republic, Colombia and Peru.
Equipment using the 6C protocol can be sourced from a variety of suppliers. This competitive commercial market brings costs down and promotes innovation, both of which are a benefit to all users of the technology. In vehicle tolling applications, the transition to 6C from a legacy protocol can be achieved with the use of multi-protocol readers thereby allowing agencies to continue reading legacy transponders during their transition to 6C. Depending on the size of the transponder population, this transition may take years to complete.
A living standard
As a ‘living standard’, 6C is continually evolving to meet the needs of the market. However, the ISO standards development process maintains full backwards compatibility with previous versions of the technology, while at the same time allowing new innovations and features to be added. Several of those innovations have involved transponder and data security. In countries like Taiwan, security for electronic tolling solutions is mandated; in the US, agencies using electronic toll collection have exhibited less concern about potential security issues with their transponders.
New versions of 6C can be accommodated with a firmware update
That said, the move toward a national tolling standard has highlighted issues about personal data and privacy. While open standards are critical for increasing adoption of a technology and encouraging creativity, they also present some security challenges. For example, it is possible to purchase relatively inexpensive 6C RFID readers from an online retailer that can access information stored in a transponder. This product availability makes it easier for potential malicious users to examine the technology and possibly exploit weaknesses that were not properly secured by the installer.
When it comes to the security of any over-the-air communications protocol, there are two key areas of concern, the first of which is the possibility that someone could use a device that can intercept communications between an authentic reader and an authentic transponder. Potentially, this could enable a malicious user to obtain identifying information from a toll tag in order to clone or emulate the tag. By doing so, such a person could conceivably commit fraud by using the counterfeit tag to pay tolls at the authentic transponder owner’s expense.
In most tolling systems, secondary identification methods such as Automatic Number Plate Recognition (ANPR), are primarily used to collect funds as opposed to detecting counterfeit transponders. Typically, if a valid transponder is successfully captured by the reader, the ANPR image is discarded, meaning that a counterfeit transponder has the potential to go undetected unless the account holder reports erroneous charges.
A second threat is unauthorised access to personal data. While tolling transponders do not generally contain personal information, RFID is increasingly being used for other applications (such as electronic vehicle registration) where personal information could potentially be encoded in the transponder.
Techniques such as tokenisation or encryption of data stored in the transponder can overcome this problem but have to be implemented by the installer of a particular system. As these techniques are not within the protocol specification, interoperability between systems becomes cumbersome and challenging which reduces the benefits of using open-standard solutions.
If a malign user can purchase a 6C reader from a website, how do agencies and other legitimate users protect their data? This is where 6C’s continuously evolving nature can adapt to meet the needs of industry and users.
In 2013, several security features were added to 6C to help secure communications and increase privacy. This includes an open-standard encryption algorithm that allows users to authenticate tags and ensure that genuine users are only providing information to authorised readers. Furthermore, an ‘untraceable’ function can be used to hide portions of data and restrict access privileges while cryptographic authentication verifies identity, reducing the risk of counterfeiting.
One critical improvement is the standard’s over-the-air encryption between the transponder and the reader. Previously, the plain text communications between the tag and reader were vulnerable to interception by a malign operator using a portable device to view the transponder’s data - even at some distance. It is worth mentioning that this weakness also applies to the majority of proprietary tolling solutions in the US which continue to transmit plain text communications.
However, if the communications channel between the tag and reader is encrypted, then the data is rendered unreadable even if the communication is detected by unauthorised equipment.
The other key innovation incorporated in the revised 6C specification is the ability of the transponder to protect data unless the reader presents the correct security key credentials. So, if an unauthorised reader attempts to access the data on the tag, some or all sections of the transponder’s memory would be unreadable.
Throughout the 6C development process, the standard has not specified exactly how authentication and encryption safeguards should be implemented. Instead, a framework has been established that allows vendors to offer different types of cryptographic approaches. This provides greater freedom with respect to the strength, speed and innovation of the security implementation.
As previously mentioned, the 6C specification is designed so that even where there are different security approaches in place, any new compliant solution must be backward-compatible with previous versions. A simple firmware update enables readers to recognise the latest transponders and take advantage of specific security features, while continuing to read transponders that are compliant with previous versions of 6C.
The ‘living' nature of the specification means that these security improvements are not static and the process of enhancing 6C’s security (and other areas) will continue as long as needed.
With electronic tolling systems collecting information linked to many thousands of licence plates and user accounts every day, governments are increasingly requiring – and consumers demanding – that those transactions are intrinsically secure. ISO 18000-6C/63 offers a robust toolset for securing data transfers between transponder and reader while protecting the transponder data itself and also providing a framework for future innovation.
ABOUT THE AUTHOR: Stephen Lockhart is chief technology officer at Star Systems International and has been involved with the testing and deployment of ISO 18000-63/6C technology for 13 years. He has designed and installed passive UHF RFID systems all over the world.