Hack Your E-ZPass So It Alerts You Whenever It's Scanned

Car tags like E-ZPass aren’t only read at tollbooths. Follow these instructions to sound the alarm whenever (and wherever) yours is scanned.

E-ZPass Toll Road. Bobby Hidy/Flickr (CC BY-SA 2.0)

Tollbooth plazas aren't the only locations that scan car tags like the E-ZPass. One wary driver in New York City, known to the Web as Puking Monkey, recently modified his car tag to moo like a cow when activated.

“I drove around [Manhattan] and realized, Wow, this is being read everywhere!” says the man, an engineer who works in the healthcare industry. He asked Popular Science not to disclose his identity for fear of reprisal by his employer, plus the risk of being banned by E-ZPass.

E-ZPass is a device that drivers can buy in 15 states to zip through tollbooths across the country, usually without stopping. More than 24 million tags—and growing—exist in the U.S. alone. Each "listens" for a wireless signal broadcast by an electronic reader. When that signal is strong enough, a tag draws power from an onboard battery to broadcast its serial number back to the reader. The reader then relays the information to a computer server to bill the customer linked to the tag.

Unbeknownst to most E-ZPass users, however, the tags can be activated and read almost anywhere. As noted by Kashmir Hill at Forbes, and confirmed by Nicholas Mosquera, a spokesman for the New York State Department of Transportation (NYSDOT), the agency has silently scanned tags for years to monitor the flow of New York City traffic. But Mosquera also says the agency scrambles the serial numbers to anonymize vehicles and their owners.

“[The data] are the basis for the thousands of routine traffic reports broadcast daily on the news,” Mosquera wrote in an email to Popular Science. “This technology…allows engineers to identify traffic issues and respond with signal changes.”

However useful or noble the intent, as Hill points out, the fact "that E-ZPasses will be used as a tracking device outside of toll payment, is not disclosed anywhere…in the terms and conditions."

Puking Monkey’s interest in vehicle tracking was sparked by the license plate readers that police use, whose scrutiny drivers cannot opt out of. But he says E-ZPass somehow hits a nerve. “Everybody has it,” he says. “People think, I use E-ZPass to pay my tolls, not to be tracked.”

The lone engineer hopes his project raises awareness that cars are monitored a little more closely than one might think. To that end, he’s teamed up with the New York Civil Liberties Union (NYCLU), which says it is filing a Freedom of Information Act request with New York’s DOT to gain a clearer understanding of how the E-ZPass data is used.

“The public has a right to know what happens with information that the government collects about them,” says Nathan Vogel, legislative counsel for the NYCLU. “It would be important to make sure that this information can’t be re-identified. It’s important to know if law enforcement is ever using this information, and how this information is being shared with other agencies.” (A spokesperson from the New York City Police Department told Popular Science that the agency does not use data collected from E-ZPass.)

Like Puking Monkey, the NYCLU’s chief goal is to make more people conscious of how data are collected from their car tags. “We hope that, by working with Puking Monkey on this E-ZPass issue, we can help people understand how everyday technologies like this can also expose information that they don’t want to share,” Vogel says.

Questions of surveillance aside, Puking Monkey’s hacked E-ZPass isn’t too difficult to replicate if you’ve ever wielded a soldering iron. Use the following directions to make your own E-ZHack: a modified car tag that reveals when it’s scanned via a slight draw of power from its battery.

WARNING: This project could ruin your transponder and violate your car tag service provider's terms of service. Rotary tools and soldering irons can seriously maim or injure if used incorrectly and without adequate safety gear. Don’t say we didn’t warn you!

The E-ZHack

Instructions courtesy @pukingmonkey and adapted for voice, clarity, and length.

Time: About 3 hours
Cost: About $55 (including the $25 price of an E-ZPass unit)
Difficulty: 3 out of 5

Materials

Barring a few items, almost everything below can be purchased at an electronics hobby store (Puking Monkey says he bought his at RadioShack):

  • C1: 10 uF capacitor 272-1025 - $1.49
  • C2: 0.01 uF capacitor 272-1065 - $1.49
  • L1: rectangular red LED 276-0008 (optional) - $2.49
  • L2: rectangular green LED 276-0009 (optional) - $2.49
  • R1: 100 ohm resistor 271-005 - $1.49
  • R2: 470 ohm resistor 271-009 - $1.49
  • R3: 470K ohm resistor 271-1133 - $1.49
  • R4: 220 ohm resistor 271-011 - $1.49
  • R5: 100K ohm resistor 271-1347 - $1.49
  • R6: 330 ohm resistor 271-012 - $1.49
  • R7: 570 ohm resistor 271-1116 - $1.49 (optional)
  • S1: toggle switch 275-0634 - $3.49 (optional)
  • U1: LM324 quad operational amplifier 276-1711 - $2.49 (Note: RadioShack sells operational amplifiers made by both Texas Instruments and National Semiconductor. The LM741, by National Semiconductor, is not sensitive enough. Go with the Texas Instruments LM324.)
  • U2: LM555 timer 276-1723 - $1.99
  • piezoelectric buzzer 273-059 - $3.99
  • 3 AAA battery holder 270-095 - $2.49
  • small perf board
  • 3 AAA batteries
  • plastic glasses case (optional)

Schematic

E-ZHack Schematic. @PukingMonkey

Instructions

1. Case. Carefully cut through the seam of a car tag's plastic case with a rotary tool (this could take an hour). Clip the internal battery's negative lead once it's opened up.

2. Circuit bypass. Wire the shunt resistors R1 (100 ohm) and R2 (470 ohm) to the severed leads from the battery. These resistors will allow the current to pass into the circuit from your E-ZPass.

Schematic. @PukingMonkey

3. Amplifier. Attach the resistors to the negative input (−) from an operational amplifier, U1. The operational amplifier reads the voltage drop across the resistors when your tag is transmitting. The higher the voltage drop, the more power the tag is using.

4. Timer. Now you're ready to hook up a 555 timer (U2) to the positive input (+) of the operational amplifier. When your tag transmits using battery power, the voltage drop will trigger the timer. The shunt resistors R3 and R4 set the reference voltage—i.e. the output from your E-ZPass when it is not transmitting (the output drops below the reference voltage when the tag is active). "I figured it out by going through tolls and measuring the voltage drop across the shunt resistor," says Puking Monkey.

E-ZHack Perf Board: What the circuit should look like when it is attached to a perf board. @PukingMonkey

5. Sound. A piezoelectric buzzer will sound the alarm when a scan drops the voltage. Set your 555 timer to ensure the buzzer goes off for the amount of time you want. You'll be using a capacitor (which stores electric charge), C1, and another shunt resistor, R5, to control how long the tone is. Increasing the resistance in R5 causes your capacitor to charge more slowly, says Puking Monkey, which makes the buzzer stay on longer. "If you just want it for one second use a 100K ohm resistor," says Puking Monkey. "If you want it to go off for about 5 seconds, replace R5 with a 470K ohm resistor." The other capacitor, C2, sits on the 555 timer's control voltage pin to make sure the buzzer stays on for a consistent amount of time.

6. Light. Connect your piezoelectric buzzer to the output of the timer and to the red LED, L1. Use shunt resistor R6 to limit the current from the buzzer so your LED doesn't burn out.

7. Power. The internal E-ZPass battery is 3.6 volts, and the buzzer needs 3 to 20 volts—but it can't hinder the E-ZPass's circuit or else it won't work. So use three AAA batteries to power your circuit. (This way, you can avoid wearing down the E-ZPass battery and can keep paying your tolls.)

E-ZHack Layout: The complete custom circuit attached to an E-ZPass circuit board. The extra batteries keep the purple E-ZPass battery from wearing down. @PukingMonkey

8. Extra light (optional). You can add a green LED, L2, to light when the battery is working. Use shunt resistor R7 to keep the LED from burning out. The toggle switch, S1, can turn the LED off when you are not driving, and connects to the positive lead of the AAA batteries. With this additional LED you can tell when the AAA batteries have worn down, but it will also drain them faster, according to Puking Monkey:

“Without R7 and L2 and you left the device turned on constantly the typical AAA batteries would last about two weeks. With R7 and L2 this drops to about 5 days. With the switch, if you only turn it on when you drive, even with R7 and L2, if you drive for 1 hour in the morning [and] 1 hour in the evening, then your batteries should last you two months. S1 only turns off the alerting circuit, NOT the E-ZPass itself, it will still operate at a toll even if S1 is off.”

9. Final circuit. Close up your tag: solder the wires and use electrical tape to hold the case together.

Puking Monkey explains:

The positive lead of the 3 AAA batteries connects to:

  • S1 (a)

The negative lead connects to:

  • negative end of L2
  • negative lead of the buzzer
  • negative end of L1
  • pin 1 of the 555
  • C2 (a)
  • negative end of C1
  • pin 11 of the 324
  • R4 (a)
  • R2 (a)
  • R1 (a)
  • negative end of E-ZPass battery

Solder all of the above plus:

  • S1 (b) to R7 (a)
  • S1 (b) to pin 4 of the 555
  • S1 (b) to pin 8 of the 555
  • S1 (b) to R5 (a)
  • S1 (b) to pin 4 of the 324
  • S1 (b) to R3 (a)
  • wire from the E-ZPass circuit board to R1 (b)
  • R1 (b) to R2 (b)
  • R2 (b) to pin 2 of the 324
  • R3 (b) to pin 3 of the 324
  • R3 (b) to R4 (b)
  • pin 1 of the 324 to pin 2 of the 555
  • R5 (b) to pin 7 of the 555
  • R5 (b) to pin 6 of the 555
  • R5 (b) to the positive end of C1
  • pin 5 of the 555 to C2 (b)
  • pin 3 of the 555 to R6 (a)
  • R6 (b) to the positive lead of the buzzer
  • R6 (b) to the positive end of L1
  • R7 (b) to positive end of L2

10. Placement. You can stick the modified E-ZPass to the windshield, or on the dashboard standing up. It will not work if you place it with the battery pack facing up on the dashboard (the battery pack and new circuit cover the internal antenna). Alternatively, if you don't want to bother with the E-ZPass case, just move your circuit, E-ZPass tag and batteries into a plastic glasses case. The glasses case can rest on the dashboard or be Velcroed onto the windshield.

Incorrect Placement: Don’t put a modified E-ZPass in this position, as the batteries will block the transponder. @PukingMonkey

Correct Placement: The proper way to position a modified E-ZPass on a dashboard. @PukingMonkey

11. Test. Drive through a tollbooth lane that accepts cash or electronic tags to test your hack. If the transponder doesn't work, pay with cash—and inspect your circuit for defects against the schematic.

E-ZHack In A Glasses Case: It may be easier to ditch the E-ZPass case and place the circuitry in a plastic glasses case. Drill holes for the switch, the LEDs, and for the piezoelectric buzzer to sound off. Use velcro to secure everything inside the case. @PukingMonkey

12. Hide. If it works a little too well everywhere, you can prevent unwanted scans by stowing your tag in its original anti-static foil bag and pulling it out only at tollbooth plazas.
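
The detection logic from steps 2 through 5, as an added example that is not part of the original instructions: an idealized Python model that follows the pin connections in the wiring list and uses the component values from the materials list. It assumes a nominal 4.5 V from the three AAA cells, an ideal comparator, the standard 555 one-shot timing t = 1.1 × R × C, and bursts shorter than one pulse; the current trace is constructed, not measured.

```python
# Added example: idealized model of the E-ZHack detector, not the author's code.
# Assumed: nominal 4.5 V supply, ideal comparator, t = 1.1 * R * C for the 555.

VCC = 4.5                 # assumed nominal voltage of 3 AAA cells
R1, R2 = 100.0, 470.0     # shunt resistors, ohms
R3, R4 = 470e3, 220.0     # reference divider, ohms
C1 = 10e-6                # timing capacitor, farads


def shunt_ohms():
    """R1 and R2 share both end nodes in the wiring list, so they are in parallel."""
    return R1 * R2 / (R1 + R2)


def reference_volts():
    """Voltage on LM324 pin 3 (+ input), set by the R3/R4 divider."""
    return VCC * R4 / (R3 + R4)


def trip_current_amps():
    """Tag current at which the shunt voltage on pin 2 exceeds the reference."""
    return reference_volts() / shunt_ohms()


def pulse_seconds(r5_ohms):
    """Buzzer-on time of the 555 one-shot for a given R5 and C1."""
    return 1.1 * r5_ohms * C1


def buzzer_intervals(trace, r5_ohms=100e3):
    """trace: (time_s, tag_current_A) samples in time order.
    Returns (start, end) times of each buzzer pulse."""
    width, trip, pulses = pulse_seconds(r5_ohms), trip_current_amps(), []
    for t, amps in trace:
        if amps <= trip:
            continue                      # comparator output stays high: no trigger
        if pulses and t < pulses[-1][1]:
            continue                      # one-shot already timing: trigger ignored
        pulses.append((t, t + width))     # new trigger starts a timed pulse
    return pulses


# Constructed trace (not a measurement): idle draw with two short bursts.
SAMPLE = [(0.0, 5e-6), (2.0, 3e-3), (2.5, 5e-6), (4.0, 3e-3), (4.5, 5e-6)]

if __name__ == "__main__":
    print(f"trip current: {trip_current_amps() * 1e6:.1f} uA")
    for r5 in (100e3, 470e3):
        print(f"R5={r5 / 1e3:.0f}K:", buzzer_intervals(SAMPLE, r5))
```

With R5 at 470K, the second burst in the sample trace falls inside the first pulse and produces no separate alert, so a longer tone can mask closely spaced reads.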