Tuesday, April 19, 2016

Final Social Engineering Task Presentation (Done)

My final social engineering projects involved the used of carefully placed phone inquiries to the company that runs all the SpeedPass systems for both this state and for many other states. I should note that when deploying social engineering or the use of a pretext, the hacker must have at least a basic understanding of the system the seek to hack, and a great deal of technical intelligence must be collected before even the very first steps of the social engineering are initiated. The goal of proper social engineering is the take the body of technical knowledge the hacker already has, and then to direct a serious of inquiries for information that is easier to tease out of a human, than a computer.

To initiate this social engineering project I performed reconnaissance and surveillance on two off ramps of the Tobin Bridge, two toll plaza's on the Mass Pike, the Toll booths in New Hampshire at the intersection of Rt 95 and Rt 101, and then at three similar plazas in Maine. I logged on to Google maps and downloaded in the overhead imagery, and download the GIS files the state maintains of each area to give me a better idea as to how the system worked.

I then visited each of these locations to photograph the "gantry" and the road mounted coils and to get tight photographs of the cameras they use, the strobes they use, and the physical elements which permit the system to operate. I mapped out each of these elements, then used a microwave spectrum analyzer to confirm the various operational frequencies.

I made some of these observations late at night, some during rush hour, and others at noon time. I only appeared in these areas for very short periods as I did not wish to have any hassles, and the operator of these systems are really big on video surveillance. I also wore a Guy Fawkes mask when approaching of departing the area on foot, which a change of exterior clothing so that they woudl not be able to identify me on video.

The system is operated in two modes. The first mode is interaction with a vehicle that has a SpeedPas or similar device on their vehicle. The serial number of this module is assigned to a vehicle owner and their tolls are drawn against their credit card on file when they purchased their SpeedPass.

The second mode is far more interesting from the perspective of a hacker, as it involves sensors in a 6 loop configuration to detect a vehicle over the loops, and to trigger a still series of frame cameras, with strobe, but the camera uses a complex prism and lens to aim the camera right at the front and rear licence plate, and at the driver of the vehicle.

Both modes of the system are vulnerable to a wide array of technical mischief, but the purpose of this essay is not to supply information that another person cold use to get into trouble, but rather to point out the use of social engineering to obtain information that COULD be used to wreak havoc with the system.

It is important to point out that those loops in the roadway can be easily severed with a narrow cold chisel and hammer, so this is not something someone would want to do, and it is very time consuming to repair this damage. These loops can also be extracted from the roadway by the use of either needle nose pliers of a fishhook. The loops are held in place with a rubber buffer, and a mixture of tar and rubber to allow repair over time, but also to cushion the loops from road traffic.  This is not so much a paper on the weak points, but rather the social engineering aspects. Please do not start ripping these loops out of the roadway as a protest about illegal tolls being collected on the Tobin Bridge of MassPike.

The second element of this systems is a gang of video cameras and still frame cameras mounted on a gantry that is elevated above the roadway. As mentioned before these still frame cameras use a special lens that allows it to see your license plates better, and to photograph the driver of the vehicle better. Ah, but this system has a great weakness involving spectrums of light, and this is where the social engineering aspect come into play.

A little background on photography needs to be brought up at this point. When a photograph is taken, the most important variable is light. Without light, the camera is useless, and when the light is favorable to the camera, or film, or digital sensor the images can be greatly enhanced. For example, in portrait photography, it is highly desirable to use a light that generates a great heat of infrared energy, and which emits a slightly reddish hue as this is very complementary to the skin in black and white photography, or when used with Tungsten corrected film. However, in fashion photography, or photography that uses a great deal of cosmetics on the model, a strobe is used, and most often there is a desire to use a great deal of ultraviolet light to add an extra color pop to the images.

When photographing motor vehicles, and most especially when trying to photograph the license plates of the vehicles you want to use flash, because license plates use a paint that has small reflective elements in the paint so that under ultraviolet light the license plates explode with reflected light. The strobes on these cameras, which are on these gantries over the roadway emit not merely a visible flash, but also one that is very high in ultraviolet light.

When a person views the photographs that this system takes, they will notice that the motor vehicle is quite dark, but the license play is quite bright, and this is due to the paint flakes into the paint of the license plate reacting strongly to the ultraviolet portion of the flash. The camera times its shutter so that as the motor vehicle is picked up by the magnetic loops in the road, which triggers the flash so that that both plates are captured. Other cameras are focused on the passenger compartment and also take a photograph of the driver, but due to the composition of the windshield, this leads to poor quality images. The real targets is the license plates, and they leverage the hyper UV reflectiveness of the light color or white in the plate.

Near one or more gantries there is a control point, or hut which controls the cameras, the strobes, and which uses the magnetic loops in the roadway to detect motor vehicles. For example, on the Tobin bridge there is one control hut, which controls gantry on the exit to Rutherford Ave, and then a second gantry on the ramps that leads to Rt 1/Rt 95 towards Boston. On the MassPike there are a half dozen camera and loop arrays with one control point.

I should also mention that on these gantries there is a large flat panel, with is the interogation system for the SpeedPass modules. If you wish to have any level of privacy in your movements the SpeedPass modules need to be removed from your motor vehicle as these are also used by the state for things other than toll collection, and are also used as a means of tracking the position of a specific motor vehicle on the (non-toll) highways system. If the SpeedPass module is opened, and a piezoelectric element placed inside the unit, attached to the activation circuit, then everything the module is polled the element will squeal with an alarm. A motor vehicle with a modified SpeedPass module such as this will sound an alarm when, for example, the drive passes under an underpass on Rt 128, Rt 95, Rt 495, Rt 90, and other major roads in and out of Boston. While no toll is being collected at these activation points, it in impossible to drive in or out of Boston or any other major East Coast city and not get polled at least a half dozen time. The best option in terms of privacy is to modify the module to add a kill switch that renders the module unable to respond to the non-toll related inquiries, or to remove it from your vehicle altogether.

I offer the above data, in preparation to the social engineering aspect of this project. A hacking project needs to establish a technical background first, and then to identify the ultimate end point, and then to bridge between the technical data on hand at present, define the means to build and then to cross the "bridge" and to define the need to move outside of a purely technical project and into the psychological manipulation.

In the case of this project, I exhausted my abilities to collect purely technical data at a certain point. My end goal was to understand the system well enough to define three vulnerabilities that could either render the system blind in regard to my motor vehicles, or to render it blind to all motor vehicles. My interests were purely academic in nature, as I did not wish to deprive the state of their tolls, or deprive the respective politicians of their slush money, or bribes, nor have a negative impact on the financial affairs of the one company who actually operates all of these systems on behalf of the states that use them, and the same company who makes and installs all the gantries and cameras, and the same company that sends state employees on lavish vacations, and so on. Nope, this was to strictly be a academic exploration of the attack surface of this system, and then to locate vulnerabilities, and then to run some controlled experiments to determine the efficacy of various countermeasures to the system, but to do it without defrauding the state coffers of the tolls, or actually sabotaging the system (wooden shoes notwithstanding), nor to actually hack into the system ;-) or siphon down several terabytes of data from the servers due to poor implementation of the means by which they perform customer service.

Once I was satisfied that I had compiled as much data and records as could be reasonably acquired before I needed to turn to social engineering to progress further, I laid out what documents and data I had been able to collect up to that point in regards to this system.

As the Tobin Bridge tolls are the closest to the school, I parked out at the far edge of parking lot A, walked twenty feet to the off ramp, swung over the jersey barriers, and then walked to the tolling point to take photographs of the gantry and cameras (quickly), and then photographs around the control hut that is slightly to the south of the gantry, once I had these images, I departed the area as I suspected that once the control center in Virgina detected movement around the control hut that they would call for the police to investigate. While taking these photographs I wore a dirty light gray T-Shirt, and a Guy Fawkes mask, and once I was certain I was out of camera range I pulled on a oversized black T-Shirt with silk screen, and hid the mask, got back into my (off camera) car, and moved from Lot 1 to Lot 3. To ensure that I did not have to deal with inquiries as to my activities I also concealed under my clothing a radio scanner set to all of the state police, Boston police, and MBTA police radio channels. As insurance against inquiry I also tuned a 2.4 GHz video receiver in my car to the same frequencies as the surveillance cameras at the top of the Tobin bridge, and then retransmitted those videos to a small monitor I kept with me. I also enlisted a confederate to sit in my car and to closely watch the video for any approach of police from the Tobin or from the Rutherford Ave side of the ramps. The confederate and I remained in constant phone contact to ensure there were to be no surprises, and the confederate and I devised a means of distraction of the inquiry in the event that things took an annoying turn. The key is to make multiple visits to the various sites, and to keep the exposure to the each site as short as possible, and lingering in the physical area increased the risk that I faced. As these systems are on public property, so long as I did not breach the fence, or obstruct traffic I would not be breaching the law as members of the public have the right to be present on state-controlled lands and to traverse roadways. I did not however, wish to argue this point with a State Trooper, so I limited my risk, by limiting my time.

I also visited the statehouse and acquired copies of records regarding the installation of these systems, blueprints in many cases, and obtained some rather curious technical details in the form of proprietary documents the state had in their possession and which I found mixed in with other documents. I doubt the company who runs these systems knowingly submitted these documents to a state agency who would then place them in a public archive, but there they were, so I made copies. The username for new installations is "root" or "su" and the password is either "root", "su", "admin", or "password" and were written or typed on these documents in the archive. The documents also included the TCP/IP address for each of the cameras, the huts, the loops, and so on, for all of the locations I sought information for.

I did not penetrate any of their systems by trying to log in with the newly found credentials, but I did confirm the credentials were functional through a few minutes of social engineering. I did perform a ping sweep across the range of TCP/IP addresses given in these documents to determine if the IP addresses were actually active, and then performed a port sweep to determine what services were active, and was quite amused to the volume of additional intelligence I was able to acquire without actual penetration of the system. For example, the control huts have ftp access open, and the passwords and user account I found in the state archives are for access into this active systems. While I did possess the login credentials, I did not use them, as it would have been unlawful to do so. But more on this later in the essay.

To assist me further, I contacted DigSafe and told them that "we would be doing a project that involved digging" and were needed then to mark cables and utilities in the area so as to limit data. I called from a burn phone that present a Google voice number, and actually was truthful in my request as I did intend to dig a hole nearby that was six inches deep and eight inches wide  in which to bury a wooden shoe and a Guy Fawkes mask. Three days later that had visited the site, and painted on the ground where all the cables were for the system, to include the concealed power cables, the conventional phone lines, and also the fiber optic lines, and DIgSafe traced these all the way back to the junction boxes (just to be safe). I revisited with a drone to copy these images from the air as I felt it unwise to hover around in person as there would be considerable interest in who was going to be working around the fiber optic cables, video cable, sensor cables and so on after DigSafe had painted lines for everything. A wooden shoe and a Guy Fawkes mask was indeed buried nearby, as a memorial for the project, absent fingerprints or other biological matter. This request to DigSafe was the very first stage of social engineering, as I had to get them to tag the lines into and out of the area to see if they match the blueprints I acquired in the state archives. It was fortunate that I did this, because what was in the state records, was not the same as what DigSafe marker on the ground. I did take the time to confirm that what DigSafe marked was accurate, and did trace power, phone, and data lines back to junction points. It would seem that paths given on the blueprints was different from that actually present. While I have no interest in engaging in technical mischief or sabotage (malicious use of a wooden shoe), it was useful to add these variations to my records of the project.

I also performed an inquiry with the FCC to obtain details on frequencies used by the various elements of the system, and was able to download from the FCC operators manuals for some parts of the system. These all lead back to one company in Virgina, and FCC inquiries made by that companies name revealed a treasure trove of technical documents on everything the company makes, to include products they have not yet deployed. I was also able to find on the FCC database a schematic and photograph of the SpeedPass I presently possess, and which I opened up to carefully examine and hacked to turn in into an alarm to alert me when the pass was being polled, but not tolled.

All of this is interesting, but I desired to test the effectiveness of the cameras, and to do this I had to hold some experiments, and to hold these experiments I would have to contact customer service and engage in some careful social engineering. I did not wish to step beyond the bound of inquiring on my own vehicles, or "fiddling with" any vehicles other than my own.

While I have a SpeedPass, I prefer to leave it in a disabled state so that it can hear the interrogation from the gantry and sound an alarm, but it does not transmit the response that is needed to identify the unit (I have installed a toggle switch to disable the SpeedPass from responding). Instead, the company that runs the system (Transcorp) on behalf of the state has to take a picture of the front and back of my motor vehicles and then send me an invoice in the mail. As a pass under the gantry 6 days a week, and sometimes seven days a week, and almost always at 8 AM, more or less, I can look at the invoice they send me and see the dates that their ability to see my plates did not work. As I have a video recording system in every motor vehicle (one forward and one rear) I can review the dates where they did not catch my plate and look for a common situation between them.

By doing this, I found that during period of heavy rain, or heavy snowfall, the system is blind as to camera capture of either license plate of whatever motor vehicle I was using that day. So unless my SpeedPass was its enabled mode, there was no toll collected due to visibility issues. I also noted that on days where there was no visibility issues, but where considerable snow or road conditions had obstructed the license plate that it also did not collect the toll. As a control measure, on several date I made it a point to clear and then clear the plate to see if it was billed, and then the day before and the day after I did not clear the plate, and there was no billing.

Thus, visibility of the plate is clearly a tremendous vulnerability in this system, and while there are all sorts of attack surfaces and vulnerabilities with this system, I desired to experiment with the photographic collection of license plate data. So, I called customer services that appears on my bill, and was connected to a call center in Virginia, who tried to social engineer me into thinking that they were sitting in Massachesstes and workers for the MassDOT, when in fact I already knew that they operate the tolling system and then send a small fraction of the funds they collect back to the state.

When I called the number, a pre-recorded announcement on the line said this "this call may be recorded or monitored..." so I did, as they had given me permission, and then I called right back with the recorder active to record the conversation they had just given me permission to record. When I eventually had a real human answer on the other end told him that I had received a bill, and that it appeared to be in error and I wished to see if an error was at play for a couple of those days. I was careful not to claim that I did not owe a toll which I infact owned, but I did notice several of the times were way off the video I had of my driving through the toll point, but I did not tell them that I had these video records. I also noted that there were several times where they billed me two and even three times for one passage. I knew why this double/triple billing has taken place, but I did not inform them of what took place. Generally, with so-called "Social Engineering" the less assertive you are, the more beneficial the activity will be for the hacker in the long run. An overly assertive position is more likely to raise suspicions, as will an overly informed position. Thus, I feigned ignorance of the system to the customer service representative, and feigned being confused as to why I was being sent these bills, and feigned how they knew I was on the Tobin Bridge, and so on. I then called a few days later and got the weekend crew, and then a few days later the evening crew, and in each case the query was about a different vehicle, registered to a different address (these sneaky bastards index your records by your mailing address, by the way). With each call, I also called from a different phone number because when I asked to speak to a supervisor, they refused a direct transfer and wanted a number I could be called back on.

There is a SQL database of every registered vehicle in every state where these systems are in use, then there is once database of toll events each time the loop in the roadway is activated, which can trigger between 1 and 10 photographs as the vehicle passes over the magnetic detection loops. So, one state provided database of every registered plate, and then the company pulls plate numbers out of the photographs, matches it to a plate in the state database, and they issue a bill to the registered owner. It seems like a fool-proof system, but there are weaknesses, such as the weakness is regards to a plate that is obstructed by snow or ice.

I asked the various customer service representatives the same series of questions in order to see if they were responding or reading from a script and found that they were, and that at the same point in the script they would escalate my call to a person who was not reading from the script or to their shift supervisor, depending on which fork in the script they were lead through during my call.

In general, customer service and levels 1 and level 2 all state that the tolling is done at the very top of the Tobin Bridge, when in fact it is not performed on the Tobin bridge at all, as the bridge legally ends several hundred feet AFTER the bridge ends, and certainly not at the position of the old (and much hated) manned toll booths. They actually go to tremendous effort in their scripts to claim the tolling point is at the top of the bridge, and not at a location well away from the bridge. They also went to claim that thier system is error proof (I tried not to laugh, while claiming ignorance of such matters), and that it is illegal to use the bridge without the vehicle having a SpeedPass (I have a recording of them saying this actually). The level one folks just read from a script, and professed ignorance of how the system worked, merely that it did, but the level two folks were able to walk me through how it worked.

According to the level two representatives, as vehicles pass under the gantry the system takes their photograph unless they have a SpeedPass, and that the computer finds the liscense plate in this photograph to automatically match it to the registration data they have for the vehicle. I mentioned that I have seen several bright flashes of light when I drive under the gantry and asked if they take more than one image, and they said they normally take at least two image of every vehicle. A bit of probing around with me asking about how to they know I was driving it as opposed to it being n a trailer behind my picked and they said that they also photograph the occupants of the vehicle, and that they can tell by the photographs is a vehicle is being towed or is on a trailer.

The ruse that I used was that I told them they the bills I had in front of me were inaccurate, which they were led to believe was I claimed not to have been present at the toll location, when they had photographs on me, my vehicle, and my license plate, and were keen to show be the pictures of this (hello SQL vulnerabilities). While they were having me log on to their systems in order to show me the images to prove the charges were legitimate I was packet capturing every bit of data they gave me access to for later analysis.

During each call I defined the information I was seeking ahead of time, or things I needed then to do, and then I wrote down an outline to follow so that as they worked through their script, I worked through mine.

The key piece of information I needed was for them to explain their internal process for capturing the liscense plate and how they matched it to the database the state supplied them with.

I did manage to turn the calls on their heads when several minutes in I told them that they were confused about the purpose of my call, because I was calling to dispute that I had gone over the bridge, but they these bridge crossing did not show on my bills, and they found it astonishing that someone would actually tell them this, but this was done for shock effect, and the moment they dropped their guard I introduced some carefully crafted questions to feel out what kind of an excited utterance I could get out of them.

For example, on one call I was complain thier I knew I went over the bridge three times on a single day, but only one of those crossings was on my bill, and then in the same breath I asked them if the fact that it was snowing really hard might have blocked the cameras, and other similar questions.

I also was able to gain an understanding of how to pull up records for my own vehicles, and tolling events, by accidentally entering the wrong query data I accidently pulled up the trolling records just before and just after mine. The error may have also happened more than once, were I was able to see the tolling records of all the cars in front of me, and behind me, hundreds of then in fact. The images or of high enough quality that you can even see what kind of school parking pass they have, and other things, like how may people are texting while driving, and so forth.

This is all very interesting trivia, and some very successful social engineering, but it needs to have an end result to have a practical applications. It would be a waste of time to merely collect several boxes of records, photographs of locations, map this out, get DigSafe come out to paint out cable locations, and to spend at least 7 hours on the phone with customer service.

So to apply the information into the form of a hack, there are a wide range of possible activities. With the new knowledge I possess, I could have sabotaged the magnetic roadway loops which with require several days to repair, and during this time deprive the company of a huge revenue stream. A sabotage of the control hub would render then inoperable for over a week so long that the hut was tipped over on its hide and the fiber optic cables severed. Of course, such sabotage should not be engaged in, as politicians need their well funded exotic vacations as a guest of the company who runs the toll systems. So no sabotage, especially do not wrap a 5/8 100 Proof chain around the hut three times, and then attach the other end to a concrete mixer truck. It is also not cool to take a pickaxe and shovel to the lines on the ground that say FO and dig around looking for buried wooden shoes and Guy Fawkes masks (with Kens name written on the inside of the mask and shoes).

At this point in my rambling essay, you are probably wishing I would just get to the point, so kind ready, that is what I will now presently do.

Because of my carefully planned out social engineering, I was able to identify a flaw in the way they read license plates for billing purposes. The secret is that it is all keyed on the reflective paint on your license plate and not the plate itself. This is not the actually lettering on the plate, but instead the background of the plate.

So here come the hacking goodness.

I have two identical plates, on in front and one in back. For the one in front, in order to remove it from the equations I  coated the plate with Fuller Earth and sprayed artists fixitive to the plate and photographed it with regular flash and UV flash to see at what point and what form of "dirt" could be passable in traffic, but not register on the tolling system. Instead of obstructing the entire plate, I instead fuzzed up portions of the plate.

Since I knew that I can call up the photographs by license plate, or by owners name, and duration of or point in time, or my other means it allowed my to roll through the tolls with one clear plate and one fuzzy plate and for be to see how each responded.

Road grime can be easily simulated by for spraying on a dulling spray that is more reactive to UV that the UV chits in the paint actually on the plate. To the naked eye this coating is invisible, but to the camera using UV flash the plate appears to be a black sheet. The obstrction in now visible to the naked eye. A second layer can be added to mask the true plate surface from UV light, but to admit visible light. Then a second layer they is clear to the naked eye, but is highly UV reactive and which appear white of camera, but clear to the naked eye. In top of this a false plate number can be painted, in a UV reactive paint that appear black under UV light, but clear to the naked eye.

So my experiment, after much social engineering was to obtain various paints and sealers that could be uses to add invisible layers of paint to my legitimate license plate, so that to the naked eye it appears to be my legitimate plate, but to a UV flash taken photograph it could be an entirely different plate. I converted the plate from one vehicle to be the covert plate of another vehicle. As these are both my vechiles, and the plate was not actually modified in the terms of what is visible, but rather what is invisible so the state was not being deprived of their tolls.

I initially experimented by placing 1cm dots of test materials near the plate, bu not on it, and then waited a few day to log into the online service to see whatthe camera saw. Then I tried different dots to dial in what I could use to provide a "clear to the eye" images, they had foreign things un the UV spectrum.

As I observed that the system flashed the from and rear of the vehicle, and defined the license plate as the most UV reflective element on the vehicle I look on of my trucks and mounted a 24x36 board that I painted with extremely high-performance green glitter paint and UV glass bead strips that would overload the camera as this board was 100's of times more reflective than the reflectiveness of the license plate. Thus, when the unmodified license plate was mounted to this board the board showed up in the pictures, but the plate as rendered black. I then repeated the same experiment by using a back one-inch wire around the plate, with the same effect to the camera, but this second method did not modify or obstruct the plate in any way.

My next hack as it were was done purely in my photo studio, and not with a vehicle on the roads. I proved out that I could covertly change the plates as they appeared to the camera as opposed as how they applied to the naked eye.

For the studio side of this project, I purchase 50 different license plays form a just yard, and used a Profoto studio strobes with no UV filtration, and a digital SLR camera which have a UVA and UVB band reject filter, and a rare earth color intensifier filter.

I connected a reflected light meter to the strobe to obtain a value of intensity of light from different parts each of the subject plates.

I then used paint stripper to remove all paint from the plates, then sprayed the steel with a zinc based spray and then a clear protective sealant, then painted this the exact shade of white used in the plate originally, but without anything that would react to UV light. I then used flat black paint applied to the characters already on the plate to replace where they were. I then photographed these plates in my studio to see how much suppression of UV reactivity I was able to achieve. Then I used laminated  what appears to be clear to the naked eye, but which presents a phantom image to a UV stimulated photograph.

In theory, I can take a perfectly legitimate license plate, strip it, repaint it with non-UV paint, and then use this two layer UV mask to trick the UV cameras into recording a false plate number. To the naked eye the plate looks one way, big if a strobe light is used to illuminate the plate a different plate number shows up.

I further experimented by taking my truck with the lime green/yellow refelctive paint panel to NH, Maine, New Jersey, and all over Mass in order to hit a large number of tolling point that i could access online. When the sun was out, and the plate was illuminated by the sun the images online were more clear, but at might when a greta deal of "fill flash" was needed the green panel blinded the cameras.

To push my luck a bit more, I took a some sheet metal and painted a high matte, and then used a sealend that woudl not allow UV light to pass through. I then applied paint and film to create a sign that was only availabel if you took the photograph with a flash, that was transmissive of a lot of UV. I then placed this on the back of the track, near the liscense plate and went through the tollign point and my message was visible on the tollign records when I checked all the records during the time frame I was in the tolling area, and it did not read my un-tampered with plate as the green panel blinded the cameras.

The social engineering period was used after by initial collection and study of document in order to form a carefully thought out list of information which I did not yet have, but which I could obtain from several phone calls.

A few notes:

If you put a white sandbag over the sureveillance camera, and zip-tie them closed, and then video tape the State Police arriving, and you do this several times, you can obtain a response time window, and end up with 8 or 9 cruisers on site trying to figure out why this Guy Fawkes guy is hoodign the cameras, but doing nothing else.

There is a hut number on the building, and if you call the 800 number next to it and let them know that the door to the building is open, and it looks like someone is welding inside the buildign, the service technician takes about 15-20 minutes to get to the hut, complete with several state police cruisers, who will comb the area, but not notice the drone overhead, and the operator sitting a short distance away, and the back of a van.

As the ground in the area is quite soft, used a disposable sole that is smaller that you actual shoe size. Plus, never linger on a project like this, and always keep in mind that there are many, many cameras, and most of them are too high to reach with a snap pole to place the hoods.

Interesting project, utilizing focus social engineering, but only after performing the proper amount of research in advance of the socila engineering activity. The data collected was them use to perform proof of concept activities, but not is such a was as to deliberately defraud the company of their tolls.

If you have a two lane exit, and you staddle the center line, it will toll you three times.

Snow and ice caked in the plate renders it invisible for the system.

Application of fake road grime in the form of fuller earth or Kaolin and aersol fixative will render the plate unreadable.

UV blocking and UV reactive clear plastics or paints may be used to display one plate number to the cameras, but the true plate number to the naked eye.














2 comments: