As more states, municipalities and agencies deploy electronic tolling solutions to help generate new funds and reduce congestion at tollbooths, there have been increased calls for standardization in the industry. While a handful of tolling solutions have dominated the market in the United States, most employ proprietary or otherwise non-interoperable technologies. This means that drivers who frequently pass through different states or cities may require multiple transponders to navigate each system.
The call for nationwide interoperability has risen to the level of the U.S. Congress. In fact, the federal government had called for electronic tolling interoperability by October 2016 as part of the Moving Ahead for Progress in the 21st Century Act (MAP-21). While that deadline has come and gone, industry groups such as the International Bridge, Tunnel and Turnpike Association (IBTTA) have been working diligently toward a final design for interoperability in the United States. These groups are working closely with the Federal Highway Administration, and have secured funding to conduct ongoing testing that will ultimately lead to a formal recommendation to the Congress. This is expected to happen in late 2017.
A relative newcomer in the tolling space is the ISO 18000-6C RFID air-interface protocol. ISO 18000-6C, often referred to as 6C, is an open-standard communications protocol based on the EPC Gen 2 standard for passive UHF RFID tags. (The latest version of ISO 18000-6C is officially known as ISO 18000-63.) It was originally developed for supply chain applications (inventory management, asset tracking and so forth), but has established itself as a reliable, robust and cost-effective technology for electronic toll collection applications.
Since the tolling market’s initial adoption of 6C, the protocol has steadily spread across the United States and around the world. To date, agencies in Colorado, Georgia, Louisiana, Ohio, Utah and Washington have adopted 6C as their primary tolling protocol. Furthermore, the state of California has begun legislative action to transition its statewide protocol to 6C. Outside of the United States, 6C has been adopted as the primary tolling standard in Argentina, Colombia, the Dominican Republic, Ecuador, India, Malaysia, Panama, Paraguay, Peru, the Philippines, Taiwan, Turkey, Uruguay and Vietnam. The 6C specification is open and evolving, and not only provides a basis for a nationwide tolling standard, but also addresses the increasing need for security and privacy as a growing number of drivers participate in electronic toll collection.
A Living Standard
RFID tags and readers complying with 6C can be sourced from a variety of suppliers. This competitive commercial market brings costs down and promotes innovation—both of which are a benefit to customers. In addition, 6C is reliable and accurate even at very high speeds, making it ideal for vehicle-identification applications. In 2010, the E-470 toll road in Denver, Colorado, and the Utah Department of Transportation were leaders in the adoption of 6C technology for electronic toll collection. Since then, other U.S. agencies and departments, such as WSDOT and SRTA, have implemented 6C solutions with great results.
As a “living standard,” 6C is continuously evolving to meet the market’s needs. The ISO standards-development process maintains full backward compatibility with previous versions of the technology, while simultaneously allowing new innovations and features to be rolled out to customers.
Several of those innovations have involved transponder and data security. In countries like Taiwan, security has been mandated for electronic tolling solutions. In the United States, however, agencies that use electronic toll collection have exhibited less concern about potential security issues with their transponders.
However, the move toward a national tolling standard in the United States has already raised issues with regard to personal data and privacy. Open standards are critical for increasing adoption of a technology and encouraging innovation, but they also present some challenges. For example, anyone can purchase a relatively inexpensive 6C RFID reader and use it to access information stored on a transponder. This availability of products makes it easier for potential malicious users to study the technology and potentially exploit any weaknesses that were not properly secured by the installer. With proprietary technology, those products are not as easy to procure.
When it comes to the security of any over-the-air communications protocol, there are two key areas of concern. First is the possibility that someone could use a device that can intercept communications between an authentic reader and an authentic transponder. This could potentially allow a malicious user to obtain identifying information from a toll tag in order to clone or emulate that tag. In so doing, a malicious user could conceivably commit fraud by using the counterfeit tag to pay tolls at the authentic transponder owner’s expense.
A second threat is unauthorized access to driver data. Tolling transponders do not generally contain personal information. However, RFID is increasingly being used for other applications (electronic vehicle registration, for instance) that could potentially encode personal information into a transponder.
If a malicious user can simply purchase a 6C-based reader from a website, for example, how can agencies and other legitimate users protect their data? This is where 6C’s continuously evolving nature can adapt to meet the needs of the industry and users.
In 2013, the EPC Gen 2 RFID standard was updated, introducing several security features that help secure 6C communications and increase privacy (see GS1 Ratifies EPC Gen2v2, Adds Security Features, More Memory). This includes an open-standard encryption algorithm that allows users to authenticate tags and ensure that authentic users only provide information to authorized readers. Furthermore, an “untraceable” function can be employed to hide portions of data and restrict access privileges, while cryptographic authentication verifies identity, reducing the risk of counterfeiting.
One critical improvement is the standard’s over-the-air encryption between the transponder and the reader. In earlier versions of the specification, the plain-text communication between the tag and the reader could be intercepted using a portable reader. With such a device, malicious users could potentially view transponder data even at some distance. However, if the communications channel between the tag and reader is encrypted, then the data is rendered unreadable, even if the communication is detected by unauthorized equipment.
The other key innovation is the transponder’s ability to protect data unless the reader presents the correct security key information. If an unauthorized reader attempts to access the tag’s stored data, certain sections of transponder memory would be inaccessible.
The 6C development process refrained from specifying exactly how these authentication and encryption safeguards should be implemented. Instead, a framework was established enabling vendors to offer different types of cryptographic approaches. This allows greater freedom with respect to the strength, speed and innovation of the security implementation.
The specification was also designed so that, even though there are different security approaches in place, any new 6C-compliant solution must be backward-compatible with any previous version of 6C. Readers simply need a firmware update so that they can recognize newer, secure transponders in order to take advantage of specific security features, while at the same time reading legacy transponders.
The living nature of the 6C specification means that these security improvements are not static. The process of enhancing the specification will continue as long as the market needs it to.
Electronic tolling systems collect information linked to thousands of license plates and user accounts daily. Governments will require—and consumers are likely to demand—that those transactions be intrinsically secure. ISO 18000-6C/63 offers a robust toolset for securing transponder data, while providing a framework for future innovation.
Stephen Lockhart is the chief technology officer at Star Systems International (SSI).