
LTO: No, the RFID sticker on your car is not a security risk

The land transport agency says influencer’s post is wrong

New cars are now issued an RFID sticker that needs to be put on the windshield. PHOTO BY VERNON B. SARNE

Earlier today, we got a call from the Department of Transportation’s Goddes Hope Oliveros-Libiran—who handles DOTr’s communications and commuter affairs—regarding a post by an influencer that’s now going viral. Said post refers to the radio-frequency identification (or “RFID plates,” according to the above-mentioned influencer) issued by the Land Transportation Office to vehicle owners, and how anyone can somehow walk up to a random car, point a mobile phone with a scanner app on it, and then gain access to what the influencer claims is the vehicle’s sensitive data.

Libiran categorically labeled the post as “fake news.”

The QR code on your plates does not contain sensitive data. SCREENSHOT FROM BARCODE SCANNER

Naturally, we went to see who was telling the truth. We walked to a nearby parking lot, whipped out our smartphone, and started scanning the license plates of random vehicles. Nothing happened. Even using a mix of scanner apps—and iOS and Android phones—we got the same result (or nonresult, to be exact).

We called up the DOTr official and asked for clarification about how these plates worked. It turns out that the license plates themselves do not have RFID tags on them, and that the QR codes you see at the bottom-right corner of your plates only serve as trackers (printed during the plates’ manufacturing process). Scanning these QR codes doesn’t do anything, which is exactly what happened during our experiment.

The author scans an RFID sticker’s QR code. PHOTO BY VERNON B. SARNE

According to Libiran, it appears that the data in the screenshot posted by the influencer came from scanning the QR code on the RFID sticker that is issued with the license plates. We grabbed our phone again, pointed it at this specific QR code, and finally got the same stream of data as shown in the influencer’s screenshot.

LTO executive director Romeo Vera Cruz, through a statement sent to us, says the QR code on the RFID sticker is readable by any device in order to allow easy access to the vehicle’s basic data by any interested party—especially law enforcement personnel. In an accident, for example, the authorities can conveniently scan the code with their own devices without requesting any assistance from the LTO. These details, which include the car’s make, color and chassis and engine numbers, are anything but sensitive.

Furthermore, Vera Cruz mentions that this sticker does indeed have an RFID chip embedded in it. But while this chip contains the owner’s personal data and the vehicle’s history, the LTO official maintains that this can only be read by his agency’s “authorized gadgets.” To that end, we gave it a shot with a popular RFID scanner app. The result? A blank screen.

Both the DOTr and the LTO assure the public that the RFID sticker in question “abides by Republic Act No. 10173, or the Data Privacy Act.”

Miggi Solidum
