Author Topic: QR codes and speed cameras  (Read 2054 times)

0 Members and 1 Guest are viewing this topic.

Online CirclotronTopic starter

  • Super Contributor
  • ***
  • Posts: 3168
  • Country: au
QR codes and speed cameras
« on: January 16, 2019, 08:58:40 pm »
I wonder just how easy it would have been for someone that wrote the software for a roadside “safety”  ::) camera to include the ability to make it able to recognise a QR code on the back of a vehicle and consequently ignore that vehicle, or maybe allow it more margin than usual? Feeling cynical today.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: QR codes and speed cameras
« Reply #1 on: January 16, 2019, 09:25:05 pm »
No matter how bad the code culture is in the company, it would be very hard to include something like this if cameras already don't have code for QR recognition. If for whatever legitimate reason there is code like this, it would be possible to slip some additional test.

But the problem is that camera resolution is not that high to adequately capture small QR code.

And many such systems are just plain cameras, and all the calculations are done on the backend. Not sure if this makes easier or harder.

In Russia (and I guess in Europe too) there is a very popular style of such system where plain video cameras are placed at known intervals along the highways. And the speed measurement is done based on how long it takes for the vehicle to travel between two consecutive cameras. It would be hard to spoof thing like that, since all frames are time stamped.
« Last Edit: January 16, 2019, 09:28:02 pm by ataradov »
Alex
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3781
  • Country: de
Re: QR codes and speed cameras
« Reply #2 on: January 16, 2019, 09:25:34 pm »
Pretty hard. Reading a license plate is already difficult and those use large symbols. Unless you wanted to plaster the car with a code the size of the door, it will be very hard to read that from a distance and on a moving car.

QR codes are robust but they are also fairly "dense" and not meant to be read from a large distance (they were designed as a replacement for a regular barcode). If you wanted to implement something like you are implying, it would be vastly simpler to enter my license plate into the database to make the system ignore it instead of adding an extra code scan.

And if you are talking about speed cameras, those actually don't do things in real time, the radar only triggers the camera to take a picture if it detects a vehicle going faster than a certain limit. So it would photograph your car regardless of any codes - the device is pretty "stupid" in this regard - the camera doesn't do anything else but take pictures for evidence purposes once the speeding has been detected.

At least here in France the data from these cameras are then downloaded periodically (the older ones require a guy to physically visit the installation and to retrieve the data, the newer ones send the data over GSM automatically) and then the photos are reviewed by actual people who generate the tickets, as appropriate. It isn't fully automated (and can't be, because the radars often generate unusable pictures for various reasons and such tickets would get overturned by the courts), so any "code" wouldn't help you there.
« Last Edit: January 16, 2019, 09:28:47 pm by janoc »
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: QR codes and speed cameras
« Reply #3 on: January 16, 2019, 09:53:04 pm »
They also use the MAC addresses of your digital devices. (To figure out how fast traffic is moving)
"What the large print giveth, the small print taketh away."
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: QR codes and speed cameras
« Reply #4 on: January 16, 2019, 10:00:34 pm »
I think both iOS and Android spoof MACs while scanning.
Alex
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14309
  • Country: fr
Re: QR codes and speed cameras
« Reply #5 on: January 17, 2019, 01:23:18 am »
The least dense standard QR code is 21x21 and yes, that would be pretty much impossible to analyze from a speed camera's shot if it had the size of a plate character or so (and bigger would definitely be impractical on a plate). But we could imagine a different way of coding information on a plate with a set of much bigger symbols spread over the whole surface. Problem is, vehicle plates are regulated in most countries, so putting weird symbols on it may get you fined even though nobody knows what they are for. In some countries, there is a reserved area on the plate you can put anything you like on, but it's a small area, not sure it would be big enough to put anything that could be automatically recognized in there. But let's assume it's possible.

Would that be possible in theory that some developers add some code for this on speed cameras? I guess so. We have seen weirder things in industrial devices... even in companies with very strict processes, it's rather rare that 100% of the code would be thoroughly inspected and reviewed, except maybe in aeronautics and related areas. So some chunk may get undetected by unaware humans as well as any automated test in use during development and validation.

Thing is, people/the police may end up finding it weird to see similar unusual symbols on some plates and eventually figure out what they are for... then the company selling those speed cameras would get in giant trouble probably. ;D Just remember what happened to VW not that long ago... ::)
« Last Edit: January 17, 2019, 01:25:39 am by SiliconWizard »
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: QR codes and speed cameras
« Reply #6 on: January 17, 2019, 01:29:55 am »
It does not have to be on a plate. It can be a bumper sticker. And it can be much simpler than QR code. Like red circle in a blue square is a mark to not ticket the vehicle.
Alex
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: QR codes and speed cameras
« Reply #7 on: January 17, 2019, 01:47:57 am »
Some states already mark license plates that could potentially be an emergency vehicle in some meaningful way. But the widespread availability of the SQL database makes all that unnecessary as its easy now to have a procedure that looks up license plate numbers flagged for some violation and not ticket the ones for which a reason exists not to automatically.
"What the large print giveth, the small print taketh away."
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: QR codes and speed cameras
« Reply #8 on: January 17, 2019, 01:51:22 am »
But for the purpose of ascertaining traffic speed I think the data they need is there. Also I think I've read that the spoofing they do is ineffective in masking the information (the purpose they claim its done for).

I think both iOS and Android spoof MACs while scanning.
"What the large print giveth, the small print taketh away."
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: QR codes and speed cameras
« Reply #9 on: January 17, 2019, 02:18:39 am »
But for the purpose of ascertaining traffic speed I think the data they need is there.
How? The device generates a random MAC for each scan request. Even if you are sitting in traffic under the same camera for 30 minutes and the phone constantly tries to join the network, all they will get is a lot of random MACs.

Also I think I've read that the spoofing they do is ineffective in masking the information (the purpose they claim its done for).
Again, this is untrue, unless you have some concrete evidence.
« Last Edit: January 17, 2019, 02:20:15 am by ataradov »
Alex
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: QR codes and speed cameras
« Reply #10 on: January 17, 2019, 04:19:05 am »
They probably don't tell people the 'anonymization' is ineffective for economic reasons.

Concerns about privacy might lead many people to not use cell phones, diminishing tracking's effectiveness.

Here is an article in the popular media..

https://www.theregister.co.uk/2017/03/10/mac_address_randomization

And here is a paper on the vulnerability.

https://arxiv.org/pdf/1703.02874v1.pdf


But for the purpose of ascertaining traffic speed I think the data they need is there.
How? The device generates a random MAC for each scan request. Even if you are sitting in traffic under the same camera for 30 minutes and the phone constantly tries to join the network, all they will get is a lot of random MACs.

Also I think I've read that the spoofing they do is ineffective in masking the information (the purpose they claim its done for).
Again, this is untrue, unless you have some concrete evidence.
« Last Edit: January 17, 2019, 04:39:03 am by cdev »
"What the large print giveth, the small print taketh away."
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11228
  • Country: us
    • Personal site
Re: QR codes and speed cameras
« Reply #11 on: January 17, 2019, 04:24:37 am »
That was almost two years ago. Sure, initial implementations suffered from some issues, but those things were fixed a long time ago.

And if your phone vendor does not enable this feature, well, consider another phone, or deal with possible tracking.

The important part is that once this technology was more or less widely available, at least one tracking company went out of business, which shows that is is somewhat effective.

And it is highly unlikely to be integrated into the traffic monitoring equipment, given that cameras and ground loops work just fine for that reason.
Alex
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: QR codes and speed cameras
« Reply #12 on: January 17, 2019, 04:53:56 am »

https://arxiv.org/pdf/1703.02874v1.pdf

Is the anonymization fail fixed?

Do you have proof?

The researchers said that they were able to successfully de-anonymize "100%" of all cell phones that used the 'feature'.

I see no push for privacy by US trans-national corporations.

Do you?

Actually, I know some folk who are experts on this issue and the way they frame it, we have no privacy any more. If you carry a cell phone you can be and are tracked. Even if you don't carry one, and don't drive a car, one's face is now a unique ID.
« Last Edit: January 18, 2019, 01:54:59 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3781
  • Country: de
Re: QR codes and speed cameras
« Reply #13 on: January 18, 2019, 01:28:39 pm »
Its fixed?

Do you have proof?

The researchers said that they were able to successfully de-anonymize "100%" of all cell phones that used the 'feature'.

I see no push for privacy by US trans-national corporations.

Do you?

Actually, I know some folk who are experts on this issue and the way they frame it, we have no privacy any more. If you carry a cell phone you can be and are tracked. Even if you don't carry one, and don't drive a car, one's face is now a unique ID.

Please, not another off-topic conspiracy BS.

Since you are talking about MAC addresses, I assume you mean cellphone wifi and/or bluetooth. These MAC addresses are used to count/track shoppers in shopping malls and such but not cars. Ever heard of a car being an (imperfect) Faraday cage? That would kill any weak wifi or bluetooth signal pretty good.

You have maybe heard about (I believe) New York experiment where they use cell phone location data (or just individual IMEIs, which are likely simpler to get) to count vehicles and measure traffic flows. But cell phone signals are a lot stronger (up to 2W of radiated power) and you don't need to pick them up from the moving cars - you just get the data from the nearest cell tower (or rather the operator's datacenter).
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: QR codes and speed cameras
« Reply #14 on: January 18, 2019, 02:03:19 pm »
Yes, I know about the use of Mac addresses to track traffic but thats not what I was referring to.

It was discovered recently by that algorithms promoted as anonymizing cell phone Mac addresses were not effective and that 100% of them could be determined. 

See
https://arxiv.org/pdf/1703.02874v1.pdf

"7  Conclusions
We provide a detailed breakdown of the randomiza-
tion polices implemented, the associated device mod-
els, and the identification methods thereof.  This
granularly detailed decomposition allowed for fine-
tuned improvements to prior attempts at MAC address
derandomization as well as providing novel additions.

Our analysis illustrates that MAC address random-
ization policies are neither universally implemented
nor effective at eliminating privacy concerns. 

Table 7 depicts the diversity of presented attacks, across
the spectra of randomization schemes and OSs, high-
lighted by the RTS control frame attack targeting a
widespread low-level chipset vulnerability.
To be truly effective, randomization should be uni-
versally adopted. A continued lack of adoption, al-
lowing for simpler identification, effectively reduces
the problem set for an attacker. 

The more devices performing randomization within a test set, the
harder it will be to diffuse each device’s associated
traffic. This is particularly true if we can continue to
bin the various schemes, further reducing the problem set.

We propose the following best practices for MAC
address randomization. Firstly, mandate a universal
randomization policy to be used across the spectra of
802.11 client devices. We have illustrated that when
vendors implement unique MAC address randomiza-
tion schemes it becomes easier to identify and track
those devices.  A universal policy must include at
minimum, rules for randomized MAC address byte
structure, 802.11 IE usage, and sequence number be-
havior.

To reiterate, these best practices can only be truly
effective when enforced across the spectrum of de-
vices. Granular examples of such policy rules:

Randomize across the entire address, providing
2^46
bits of randomization.

Use a random address for every probe request
frame.

Remove sequence numbers from probe requests.

If sequence numbers are used, reset sequence
number when transmitting authentication and
association frames.

Never send probe requests using a global MAC
address.

Enforce a policy requiring a minimal and stan-
dard set of vendor IEs. Move any lost function-
ality to the authentication/association process,
or upon network establishment utilize discovery
protocols.

Specifically, the use of WPS attributes should
be removed except when performing P2P opera-
tions. Prohibit unique vendor tags such as those
introduced by Apple iOS 10.

Eliminate the use of directed probe requests for
cellular offloading.

Mandate that chipset firmware remove behavior
where RTS frames received while in State 1 elicit
a CTS response."
"What the large print giveth, the small print taketh away."
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14309
  • Country: fr
Re: QR codes and speed cameras
« Reply #15 on: January 18, 2019, 05:44:02 pm »
With that kind of plates emerging, it will probably become a pointless question: https://www.theverge.com/2019/1/17/18187338/digital-license-plates-michigan-allowed-rules-legal-price

I'm sure those are 100% unhackable...  :-DD
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf