Hacking Marathon Races

Truly bizarre story of someone who seems to have figured out how to successfully cheat at marathons. The evidence of his cheating is overwhelming, but no one knows how he does it.

Posted on September 7, 2012 at 7:10 AM • 81 Comments

Comments

Bob P. in Fort Walton Beach, FLSeptember 7, 2012 8:09 AM

Most interesting. I know a few folks who do marathons (and half marathons, triathlons, etc) - wonder if they've heard about this.

SevenThreeOneSeptember 7, 2012 8:54 AM

"Had Litton figured out how to hack the timing system? According to professional race timers, this was impossible."

Copying RFID tags is not impossible.

LanceSeptember 7, 2012 9:03 AM

“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.” --DNA

kingsnakeSeptember 7, 2012 9:56 AM

Sometimes when someone cheats on such a massive scale, it is hard to believe someone would be so bold as to cheat so blatantly, so often. So, people look for evidence of wily chicanery, rather than what was: blatant cheating on a massive scale.

abadideaSeptember 7, 2012 10:05 AM

Since it says that his appearance was calculatedly nondistinct, my guess would be lookalike + cloned tokens.

GarySeptember 7, 2012 10:32 AM

Typical New Yorker style, make 10,000 words out of a 1000-word story.

tl;dr: marathoner/pathological liar covers his bib and bicycles between timing mats.

Maybe he can join Paul Ryan's campaign staff.

ChristianOSeptember 7, 2012 10:48 AM

Another simpler explanation for the lack of pictures in the middle of the race would be the distribution of photographers may be leaning towards the end.

Without more evidence I wouldn't bet on that he really cheated the system.

NathanSeptember 7, 2012 10:56 AM

It's worth mentioning that the article seems to overlook one possibility. On page 2, we see that Litton was not suspected of cheating on one particular race because there were few racers, and he and the runner-up had ran together for most of that race. Rather than being an average marathon runner, or non-runner, cheating to be exceptional, he could well be a great runner who cheats to appear exceptional in some races (when he can get away with it) but not in others.

HarrySeptember 7, 2012 10:56 AM

Lesson #3 of Bruce's Blog: don't trust those who make the system, to determine if the system can be hacked.

@ChristianO - photographers are distributed throughout a race at places that are likely to yield nice photos. What is going unsaid is that there are photos from the middle of the race, the investigators looked at them, and saw other people but not Litton.

TSSeptember 7, 2012 11:11 AM

@ChristianO

"Another simpler explanation for the lack of pictures in the middle of the race would be the distribution of photographers may be leaning towards the end."

Unless you're a pro with credentials, you're not going to get anywhere near the start or the end of a major course. Thus a lot pros set up along the route at interesting spots and stay there. Some may move to various spots along the route to catch the leaders, others will stay in one spot. In any case, you'd have dozens, hundreds, thousands of pro and semi-pro photographers along the course at a major event. Not to mention the tens of thousands of amateurs.

That you can be missed by every one of those photographers in every race seems extremely unlikely.

AliceSeptember 7, 2012 11:20 AM

@Nathan

He made the entire race up. According to him he was the only one in the race. See page 6.

SevenThreeOneSeptember 7, 2012 11:21 AM

@Nathan: Read the whole article. This particular run has a jaw dropping gimmick on its own.

PaulSeptember 7, 2012 11:25 AM

If he was really innocent, he simply would have agreed to run a marathon alongside one of his detractors, or with a gps enabled device.

Clive RobinsonSeptember 7, 2012 11:27 AM

@ TS

That you can be missed by every one of those photographers in every race seems extremely unlikely.

That's not quite true,

We know that it's "only" the pictures that have been posted online AND looked at by one person.

If as you say,

In any case, you'd have dozens, hundreds, thousands of pro and semi-pro photographers along the course at a major event. Not to mention the tens of thousands of amateurs

I doubt if any one person even a self admited "serious slaker" "goofing off on his employers dime" could look through them all.

I'm not saying he was not cheating some how but the evidence is so slim that I certainly would not make a "guilty verdict" if on the jury.

Or look at it another way, what if he was found on the photos it would kill the story and that would turn the "goofing off" into a serious waste of time...

NathanSeptember 7, 2012 11:34 AM

Thanks Seven and Alice. I did see that a few minutes ago, but neglected to post again.

At this point, my best guess is that he's switching off with a brother or other look-alike, which would explain his changes of clothing as well (no reason to change clothes if he's using a vehicle, and changing back to his outfit from the start of the race would be a rather sensible precaution if he were cutting switchbacks).

That said, the picture of him jogging in a sweatsuit seems a bit damning for that theory. I'd believe that Litton and his brother can each run 6-7 minute miles, so that one of them is running most or all of the distance, before I would believe that they could do that in a sweatsuit (or would want to); that said, I'm not a serious runner.

Perhaps he wanted to wear warm clothing in order to appear flushed and sweaty at the finish?

Greg CarsonSeptember 7, 2012 11:44 AM

As a runner in hundreds of races, including the Boston Marathon, and a tech wonk it is very clear how he did it. He didn't need an accomplice, which would have been too difficult to keep secret. He simply needed a bike, stop watch and a map(gps would make it even eaiser)...and a lot of nerve.

With all the activity going on, no one one even notice a person in sweats or track suit without a bib number showing to walk out of the crowd, across the mat and walk back into the crowd. He simply could hop on his bike, head to the next timing mat, and repeat the process at the right time according to his stop watch.

He's not smart, he's not tricky he's just a cheat. I'm guess he has always been a cheat and those earlier races times were not legit either, the just occured before the use of RFID timing devices making it that much easier to cheat...I bet there's no pictures of him in the middle of those races either.

boogSeptember 7, 2012 11:49 AM

@Paul

If he was really innocent, he simply would have agreed to run a marathon alongside one of his detractors, or with a gps enabled device.
That doesn't prove he's guilty, but I like where you're going. If all the runners wore GPS devices, we could track their racing habits and make sure* nobody is cutting corners or teleporting.

Don't we have this technology? This is the 21st century, isn't it?


* Until someone figures out how to cheat such a system. I'm sure there are ways, but the cheater would surely need a bit more sophisticated method than "hey nobody's looking, lemme take this shortcut".

NathanSeptember 7, 2012 11:55 AM

Hmm, yeah. The fact that, as mentioned earlier, he has a non descript face (like Gerald Ford, and several famous spies) would make switching in and out of the race that much easier.

time flies like a bananaSeptember 7, 2012 12:34 PM

@TS "Thus a lot pros set up along the route at interesting spots and stay there. Some may move to various spots along the route to catch the leaders"

So could it be that he poses as a photographer, cycles from place to place in this disguise that doesn't arouse suspicion, casually wanders over the timing mats, and then changes clothes for the finish?

Could be why he is never in the photographs.

Eric Thomas BlackSeptember 7, 2012 1:03 PM

We need to get Monk on the case. After all he cracked a similar fraud in "Mr. Monk and the Marathon Man".

Wang-LoSeptember 7, 2012 1:10 PM

From his own site: "...My teammates and I never ran as far as the coach told us to or thought we had."


He still doesn't.


-Wang-Lo.

Joe BuckSeptember 7, 2012 1:31 PM

@time flies like a banana: I like the photographer on a bike idea. It wouldn't arouse suspicion, a photographer would want to jump from point to point to take pictures of the leaders.

ChrisSeptember 7, 2012 1:38 PM

@time flies: That makes a lot of sense. I like it.

My only complaint is that it's almost too elaborate of a plot.

FigureitoutSeptember 7, 2012 1:41 PM

Surprised there were no satellites overhead or drones/blimps...

More tech. isn't needed, just have a "trusted" person run with him (I'd run with him); he shouldn't have agreed to run and then bailed, then the story where he ran a marathon by himself in Wyoming, then disqualifying himself because he was hurt and cutting corners (why do that?).

He gets sympathy by "using his son", and anyone who suggests that looks pretty cold, and he can lash out at that.

He would have to scout the running site before hand to cheat, and when your changing clothes, maybe run off to the side and look like you're crying and hug someone because you can't run anymore; people will eventually look away. Take advantage of the chaos and crowds, and do it with confidence, ie look people in the eyes who look at you.

Now he can never run again, add to the mystique, and get attention that every human wants (the obsessive thinking kind).

FigureitoutSeptember 7, 2012 1:57 PM

As a matter of fact this reminds me of when I was a kid doing a triathlon in Chicago. I was in the lead group, and it was backwards so we ran, biked, then swam. On the biking part, instead of following a poorly marked path, we ended up close to downtown Chicago. Cops had to get us, and bring us back (I remember thinking what a long bike ride it was :)

What's interesting is the lack of organizers on the exterior of the course, even with kids involved in a big city. So, cheating could have easily happened.

I was so sad, I remember getting in the water with a whole other group and finishing the triathlon; I really wanted the Timex watch prize. To my surprise, a week or so later, one was mailed to me along with an apology for what happened. :)

Runs with SnailsSeptember 7, 2012 2:15 PM

@Figureitout: "then disqualifying himself because he was hurt and cutting corners (why do that?)."

If the allegations are true, my guess is that he thought that someone may have caught on... so he ratted on himself to show what an honest person he was rather than run the risk of getting caught.

It's the follow-up e-mail where he asked about awards that confuses me. Unless he knew somehow that his self-disqualification did not get into the official record.

Wang-LoSeptember 7, 2012 2:50 PM

At ten pages, this article is a marathon read. To finish an article of this size, with reasonable comprehension, in 25 minutes or less would be considered a world-class performance. I am a national class reader with certified 365 WPM results on several documents in the 0.5K-word class. Yet I was able to post a document perusal time of 17.24 minutes on this 9480-word tome, for an incredible 550 WPM.

Here's how I did it.

After reading the first page, it was clear that I needed to maintain about 1:42 per page to hit my target speed. Since the New Yorker's server can only detect if the served page is rendered, but cannot tell if anyone is actually reading it, all I had to do is to hit the page advance approximately once every one and three-quarters minutes.

I did read the entire last page, though, just in case Condé Nast wants to ask me about it. If Kyle Strode e-mails me about pages two thru eight, I'll just have to make something up.

-Wang-Lo.

James SutherlandSeptember 7, 2012 3:13 PM

"If all the runners wore GPS devices, we could track their racing habits and make sure* nobody is cutting corners or teleporting."

You could be fairly sure the GPS device did the course. You may, however, find it spend most of the journey in another runner's pocket, then was retrieved near the finish line - trivial with an accomplice, not impossible without. (Or you both register; person A runs the first half-marathon flat out, passes both sensors to person B just before collapsing, who is now fresh and rested for the second half-marathon.)

RandomPunditSeptember 7, 2012 3:43 PM

I think there's a whole universe of people who are so obsessed with success and fame that they will create elaborate worlds of lies, false characters, faux documentation, websites, etc. Just to keep their lie going. Ultimately, for what? I don't know.

Back in the day on USENET, the OS/2 user groups were rattled for years by someone on par with this guy Kip from the article. His name was "The OS2Guy", though he went by more than a dozen aliases. He would have fake conversations with himself, Set up fake corporate websites, even going so far as setting up a fake family history for his main fake persona.
Oh I almost forgot he also had his own auction site where he'd list basically his own outdated junk and fake users would "buy" it and comment on how great his site was.

Every time someone caught him, he'd invent these elaborate explanations... just like this Kip guy. It ended up becoming pretty disturbing. Yet people kept on feeding the Beast.

Wow, I just found from a quick google search he's still around. And he's still putting on the facade. *sigh*

Henning MakholmSeptember 7, 2012 3:54 PM

You could be somewhat sure that the GPS device THINKS it did the course. Hand the device to an accomplice somewhere along the route; the accomplice quietly slips it into a Faraday bag together with the sending end of a GPS simulator. Now you can decide where to be when.

kingsnakeSeptember 7, 2012 4:32 PM

I wouldn't trust him to work on my body (teeth), if I couldn't trust him with something inconsequential like an athletic contest.

TSSeptember 7, 2012 4:41 PM

@Time Flies
"So could it be that he poses as a photographer, cycles from place to place in this disguise that doesn't arouse suspicion"

He wouldn't need to pose as a photographer, runners often leave the course to run behind a building to take a leak and then hop back onto the course.

There's a 250 page thread at LetsRun... you can wade through that to see all the images discovered and the various theories... but I think the simple "slip out, bike, slip in over the checkpoint and repeat" is the most logical.

Tusselhan DoverfaceSeptember 7, 2012 8:02 PM

Sounds like we need Darpa to the rescue on this one.

I'm sure he would be loathe to cheat if he knew he were being followed by an armed autonomous Obama 2nd term stimulus project.

PaulSeptember 8, 2012 4:32 AM

Not long after seeing a psychotic teen safely into a mental hospital, temporarily, for her own safety, I checked her twitter feed (she still had her phone). It was full of the usual mindless obsessions and txtspeak. Inanities and banalities in and out. Then in the middle of it all a message in saying "I swear they are giving twitter to people in mental hospitals now". It was not a reply or a comment on anything received by anyone in particular as far as I could see. "If only you knew" I thought. But for all I knew it was tweeted from another hospital.

As the OS/2guy story above suggests, the mentally ill get their hands on technology and use it to help them be who they want be. The teen mentioned above had a list of identities and passwords a page long taped up beside her computer.

The spectrum runs from hoaxer to cheat (just a motivational difference?) to pathological liar to
mentally ill person. I haven't seen any acknowledgment of the last possibility. If writing the story I'd have tried to get a take on the importance of it all from someone who knows
him.

I'm no psychologist but some things stand out. He feels like an underachiever compared to classmates and wishes to have some things to brag about. Is his income inflated too? His son not being able to compete athletically is part of his neurosis and need to overcompensate for his own inadequacy. It's pitiful but hardly evil.

Then again, he's a dentist -- the profession said to have the highest suicide rate. Who could not sympathise with a Walter Mitty dentist? Just imagine spending your life drilling teeth!

SamSeptember 8, 2012 3:30 PM

If you just need the sensor near the mat, why not use a UAV? A small kids toy... Just how heavy is the sensor, and how close does it have to be?

Or clone the tag, and set up the clones in advance near the mats to go active at some particular point in time. Those tags sound like something about the size and thickness of a small piece of paper. Something that could easily be concealed in a book of matches or other trash. Would anyone notice a discarded coffee cup nearby?

Ari E-BSeptember 9, 2012 3:35 PM

The most bizarre thing in his scheme seems to be the clothing changes. I feel like if we could figure that out, the whole thing would come apart. I can't think of a rational reason for the costume changes. The only thing I can think of is that it's two people wearing different clothes. (They didn't wear identical clothes because they didn't think they'd be caught).

A simple "one guy runs out, one runs back" plot doesn't work - you still need two excellent half marathon runners, and it doesn't explain why he's trying to avoid the cameras or skipping a lot of checkpoints. It's got to be something else, but I don't know what.

GuSSeptember 10, 2012 4:36 AM

I'm still puzzled.

If I decided to cheat, if I managed to get someone else to help me to cheat, and if I wanted to do this without getting caught...

The first thing that would come to my mind would be to make sure the two of us would not be seen together, but definitively to wear identical clothes.

time flies like a bananaSeptember 10, 2012 5:13 AM

@ GuS, Ari E-B

The way I see it he is acting alone. He:

1) starts the race
2) slips off course, changes clothes to look like something other than a runner and picks up his bike that he has previously hidden.
3) he travels the course on his bike, in disguise, making sure to casually wander near to or over timing mats and record split times
4) near the end of the race he goes off course again, stashes his bike, changes back to his runner clothes and runs to the finish

Previous comments by posters who have experience of marathons (I don't), suggest to me this is quite feasible.

RogerSeptember 10, 2012 7:39 AM

@Sam:
" Just how heavy is the sensor, and how close does it have to be?"

The chip is only a couple of grams.

There seem to be two types in common use. One is attached to the bib with your number on it, and so works from a couple of feet away. It seems to have an antenna embedded in the bib, hence the longer range. However the more common type needs to be within about 18" of the mat. In fact it isn't completely reliable if attached anywhere higher than your shoe.

Also, the processor attached to each reader sensor is always staffed, and usually set up to loudly chirp when it detects a chip (this gets pretty annoying at the start, when you have 50 people crossing the line each second.) If it chirped when there wasn't a runner crossing, someone might notice.

Incidentally, the reader sensor is actually a long cable. (They call it a "mat" because they cover them with mats to avoid tripping up runners.) The relevant point here is that the sensing zone does usually extend several metres either side of the track.

RogerSeptember 10, 2012 8:09 AM

@Clive:
> I doubt if any one person even a self admited "serious slaker" "goofing off on his employers dime" could look through them all.

It's not one person searching them: it's thousands. Kip has become the bête noire of the distance running community, and websites have been set up to co-ordinate the Kip hunting.

It's not that runners are usually that obsessive *. While 99.9% put in an honest effort, you usually spot one or two cheats at every race -- and no-one cares. Unless they are way up the front passing the Kenyans, they quite literally are only cheating themselves.

Cheating is far worse than failure. They will spend the same hours of pain under the burning sun, but while we're reliving the emotional roller-coaster at the pub, they slink off home knowing that they didn't do it, that when they had to reach deep down inside all they found was tawdry.

The difference with Kip is the charity fraud. I emphasise that it has not been proven, but there is a widespread suspicion that he has been using this ruse to steal money from a charity.

____
* That's a joke, I say, that's a joke, son.

boogSeptember 10, 2012 10:08 AM

@James Sutherland

You could be fairly sure the GPS device did the course. You may, however, find it spend most of the journey in another runner's pocket, then was retrieved near the finish line...
I thought of this, but GPS records would show the two runners ran together most of the race, easily disputed with eyewitness testimony and photographic evidence.

I never said cheating such a system would be impossible (in fact, quite the opposite), nor that it could replace all other controls in the marathon. I only offered it as an idea to mitigate the issue of shortcuts.

LukeSeptember 10, 2012 11:22 AM

@Paul

I have to agree. My feelings after reading the whole story were a mix of pity and admiration for the guy. If Bullshit and Cheating were Olympic events, this guy would be a gold medalist. In some ways, it's more impressive than actually running a 3-hr marathon -- but still mostly crazy and sad.

My favorite bit of the article:

Moreover, whatever category of abnormal psychology Litton might belong to, it didn’t seem to be “evil genius.”

Which is of course, exactly what an Evil Genius would want you to think!

Thanks, Bruce, for sharing this.

Toby SpeightSeptember 10, 2012 11:50 AM

"The article is 10 pages long."

Not if you read the one-page version. :-p

I don't know much about RFID, but I speculate that you could forward the protocol over a wireless link to avoid having to to take the tag to all the checkpoints. If you can secrete the forwarding devices near enough to the checkpoints in advance, you can even avoid the need for accomplices.

Someone who knows more about RFID may jump in at this point and tell me that the increased latency would stop this working - would it?

WaelSeptember 10, 2012 1:22 PM

@ Toby Speight

Someone who knows more about RFID may jump in at this point and tell me that the increased latency would stop this working - would it?

I guess it depends on the latency requirements of the system. Theoretically doable, you are not messing with the challenge/response part. Latency normally comes from the time needed to calculate a crypto operation for the challenge/response. If you add a few Microseconds, it may work. I think this guy does not have the skill to do that, though.

There will be other challenges in addition to surmounting the latency issue. But all depends on the setup.

bitmongerSeptember 10, 2012 3:41 PM


I'd guess you could do this with a directional antenna a transmitter and a telescope ... "look" at each matt with the telescope + antenna and send you rfid signal there.

It work well as a two-person team .. One person spotting when to emerge and been seen and hit each RF receiver and another to run the race.

Alternatively, If one had to do it by oneself. One could just bury a one transmitter near each mat and have them timed to go off an an exact time (or use a cellphone to trigger each transmission). This kind of thing isn't that hard to build and each unit device would be cheap.

ThunderbirdSeptember 10, 2012 4:11 PM

He gets sympathy by "using his son", and anyone who suggests that looks pretty cold, and he can lash out at that.
Something I wondered that was never answered in the article--at least I didn't notice it skimming--was whether there WAS any son with cystic fibrosis or not. It sounded like the writer just took it for granted, even though the guy was spawning sock puppets right, left, and sideways. Maybe I'm just too cynical.

Bruce ClementSeptember 10, 2012 9:22 PM

Why attack the timing mats? This just increases the chance of being noticed. Why not just attack the central server and feed it false reports that his rfid has passed over the mat?

We know from the photos that he apparently did visit each mat and I'm not disputing that, just saying that it seems a very low-tech way of cheating.

Give a man a fish and he's hungry tomorrow. Teach a man to hack the supermarket's computer and you've fed him for life.

bobSeptember 11, 2012 5:34 AM

There was an episode of "Monk" the TV show where they put the electronic tracking device on a dog that ran with the runners.

JonadabSeptember 11, 2012 6:42 AM

I can think of several ways to do this, but the most obvious is the way Cecil Turtle did it.

The second most obvious method, which might be easier for most people to pull off (because you don't have to worry about the RFID badge), involves strategic surreptitious use of vehicular transportation.

Presumably it could also be done purely white-collar, if the race organizers all use a similar software setup (which is likely, but I don't happen to know): once you figure out how to break into the software, you can give yourself any time you want. However, this method of cheating would not explain the lack of photographs of the runner along the course.

RogerSeptember 11, 2012 7:14 AM


@boog:

... but GPS records would show the two runners ran together most of the race, easily disputed with eyewitness testimony and photographic evidence.

A certain celebrity recently completed her debut marathon to much fanfare ... and the regular timing chips revealed that she crossed every mat at exactly the same time as her personal trainer. It didn't help suspicions that very soon after the race she was walking around in high-heels without difficulty. Race organisers do not accept such circumstantial evidence.

I only offered it as an idea to mitigate the issue of shortcuts.
As I mentioned above, most of the time it isn't worth the trouble. Kip is a special case because he may also be stealing money.

@Toby Speight:

... I speculate that you could forward the protocol over a wireless link to avoid having to to take the tag to all the checkpoints. If you can secrete the forwarding devices near enough to the checkpoints in advance, you can even avoid the need for accomplices.

I think that is technically quite challenging. It is readily possible to receive the signal from the reader at much greater than the design range. It is more difficult, but possible, to receive the signal from the chip at a longer range -- say reading a 50 cm chip from 5 - 10 metres away, not from miles off. This requires a quite large antenna, big enough that you will need to be inventive with camouflage.

However I suspect it is extremely difficult, perhaps impossible, to inject a signal from any significant distance. The reason is that the chip doesn't actually emit any radio waves; rather, the reader "hears" the chip's signal by the amount of power the chip sucks out of the reader's near field. Once you're more than a few metres away you physically can't intercept enough of the field to absorb detectable amounts of power. (But I'd be fascinated to be proved wrong!)

@Bruce Clement:

Why attack the timing mats? This just increases the chance of being noticed. Why not just attack the central server and feed it false reports that his rfid has passed over the mat?

Two reasons come to mind: deniability, and consequences. Several times he was caught with his technique but weasled out of it. Whereas if someone noticed that central server logs didn't match logs at the actual mats, there would be no doubt that some serious malfeasance has occurred.

Which brings us to consequences. The penalty for cheating in a marathon is public ridicule. The penalty for hacking a computer is at least a substantial fine, and possibly prison time.

@bob:

There was an episode of "Monk" the TV show where they put the electronic tracking device on a dog that ran with the runners.

It's an interesting plot device. In reality, while fit dogs are much faster than a man over middle distances, it's a very rare dog that can keep up with a human athlete over distances of more than about 10 miles. They overheat faster.

brendanSeptember 11, 2012 9:44 AM

someone needs to put this guys whole life under a pocket microscope, not just his running. he is a fraud, a pathological liar, and a sociopath. he get's off on manipulating and controlling people, and most likely is funding his adventure with money meant for research into a disease he cares nothing about ($20). we shouldn't be surprised if we find out he does unsavory things to patients who are under.

FigureitoutSeptember 11, 2012 11:40 AM

@Thunderbird

even though the guy was spawning sock puppets right, left, and sideways.

Nice phrase lol. Yeah, I won't go to his house and verify it myself; but the trust issue..I feel that with a lot of things :(

@brendan

Easy there, pervasive surveillance is something I wouldn't wish on anyone; it will have severe psychological effect. The article states he liked to do funny things for attention, like eat all the food at a party. However, if he did cheat a charity out of money then that is a morally bankrupt thing to do and perhaps some investigation in that small realm is warranted.

boogSeptember 11, 2012 12:16 PM

@Roger

A certain celebrity recently completed her debut marathon to much fanfare ... and the regular timing chips revealed that she crossed every mat at exactly the same time as her personal trainer. It didn't help suspicions that very soon after the race she was walking around in high-heels without difficulty. Race organisers do not accept such circumstantial evidence.
I'm not sure what to make of your comment. I was refuting the suggestion that runner A could cheat by putting her GPS tracker on runner B and then retrieving it near the finish line, as photographs would easily show the two did not run together. Do you disagree with that? And what does that have to do with a runner wearing high heels after a race?

As I mentioned above, most of the time it isn't worth the trouble.
You may be right; it was, after all, only a suggestion. I admit with the size of some of these marathons (20,000 people), it could be very costly.

WaelSeptember 11, 2012 12:40 PM

@ Roger

However I suspect it is extremely difficult, perhaps impossible, to inject a signal from any significant distance. The reason is that the chip doesn't actually emit any radio waves; rather, the reader "hears" the chip's signal by the amount of power the chip sucks out of the reader's near field. Once you're more than a few metres away you physically can't intercept enough of the field to absorb detectable amounts of power. (But I'd be fascinated to be proved wrong!)


Fascinated to be "proved" wrong, eh? Well, one does not "prove" anything wrong -- one "shows" something is wrong [1]. Oh! Semantics, semantics :)

The reason is that the chip doesn't actually emit any radio waves; rather, the reader "hears" the chip's signal by the amount of power the chip sucks out of the reader's near field.

That is not correct. The chip does emmit radio waves through it's antenna. It is a passively powered device; it gets the power necessary for operation from the reader.

the reader "hears" the chip's signal by the amount of power the chip sucks out of the reader's near field.

You’ve gotta be kidding me!!! I saw a lot of RFID readers, and NONE of them had freakin' "ears", man! How could they hear? :)

One way is to "extend the signal range" by adding a repeater. The RFID tag will be located remotely; beyond it's nominal range of operation from the reader. What you will need is to have another RFID (maybe with a strobe timer that turns it on/off at a suitable frequency to simulate RFID tags getting in and out of range) tag that takes the signal and transmits it to a "remote reader" carried by the runner. That remote reader simply relays the original readers' transmissions. Then the real RFID tag responds to the mobile reader, which in turn transmits the signal to the real stationary reader, through an RFID antenna. This is a first order model, which is by no means novel.

[1] I learned the hard way that you never prove an argument or a proposition "wrong" - You simply give a counter example that shows the argument or proposition is wrong. This effectively proves your point. On the other hand, to prove some argument or proposition is true, you don't give examples, but rigorously prove that the argument or proposition holds true under the "proposed" conditions.

abpSeptember 11, 2012 3:56 PM

On the photos. Professional companies take race photos along the course, with the intent of selling them to participants. They have a VERY strong drive to find every single participant in the race at every possible point, so they can get them to buy a $20 photo.

So, being missed by photographers everywhere but the start and finish -- impossible? No. Unlikely? Yes. At several races? Unlikely^N.

RogerSeptember 12, 2012 9:27 AM

@Wael:

That is not correct. The chip does emmit radio waves through it's antenna. It is a passively powered device; it gets the power necessary for operation from the reader.
Ahem. That is not correct for near field communication devices, which includes most passive RFID chips. I suggest you read Resonant inductive coupling or NFC Antennas for an explanation of how these devices work. Notably, the chip is not a radio transmitter and does not transmit energy [1], it only varies how much it absorbs.

Having said that: I see that there are now some models of passive RFID chip on the market that do not use near field coupling for communication, and are transmitters. However they are not common in this application. There is also one model of RFID chip used for sports timing that is actually a disposable active chip, with a very small embedded battery. It is also less common. Most sports timing chips are passive, inductively coupled chips which do not contain radio transmitters.

You’ve gotta be kidding me!!! I saw a lot of RFID readers, and NONE of them had freakin' "ears", man! How could they hear? :)
I take it that you haven't read much of the literature on this? Terms like "listen", "mute", and "reply" are in common use, because "transmit" and "receive" are misleading and confusing.
One way is to "extend the signal range" by adding a repeater.
I understand how a repeater works. It is unnecessary to use one here. These chips have no computational power; they simply reply to queries with a fixed string of bits. Hence they are trivial to clone. The challenge is not the data, but emulating the signal of chip without placing a device on the mat. (If you can leave a remote-controlled fake chip emulator on the mat without getting caught, then your problems are solved.)

My point was that in this case, such tag emulation will be extremely difficult if the emulator cannot be placed extremely close to the mat. Eavesdropping on the protocol can be done at a range considerably greater than the design range (which is a couple of feet); injecting a signal from a distance seems much more challenging.

Simply tuning a radio transmitter to the same frequency and aiming a directional antenna at the reader, is just not going to work as that's not the kind of signal the reader "hears". You might as well say that you will inject data into a computer by beaming a microwave signal at it. It's not impossible, in the "against the laws of physics" sense, but it is a difficult engineering challenge.

To the best of my knowledge, current records are:


  1. Eavesdropping on a passive chip: 21 m, unreliably; quite reliably at 10 m

  2. Eavesdropping on a reader: I forget the exact distance, but it was around a km. (It was a pretty powerful reader, intended to operate at about 3 - 4 m from tags.)

  3. Injecting a spurious signal: has been done, but no-one has done it from further than the normal read range.


I would still be fascinated to be proven wrong about point 3. (Proven, as in actual counter-examples, rather than sarcasm.)

___
1. Technically, any device which contains varying electric currents must always transmit radio waves. In that sense, even an AC light bulb is a "radio transmitter." However in most cases -- including this -- the transmitted power is completely negligible and not relevant to operation.

RogerSeptember 12, 2012 9:36 AM

@boog:

I'm not sure what to make of your comment. I was refuting the suggestion that runner A could cheat by putting her GPS tracker on runner B and then retrieving it near the finish line, as photographs would easily show the two did not run together. Do you disagree with that?

Yes, I was disagreeing with that. Not because I fault your logic, but because it has actually already happened, and the evidence was simply ignored. (The incident I referred to occurred with conventional timing chips rather than a GPS tracker; but on a 1-dimensional course with many mats, there isn't much practical difference.)

And what does that have to do with a runner wearing high heels after a race?
It was just additional circumstantial evidence of cheating. It is moderately unlikely that a debut marathoner could do this. I'll explain why if you're really interested, but experience indicates that most non-runners don't want to hear running stories 8^)

WaelSeptember 12, 2012 10:55 AM

@ Roger

Before I comment further, I would like to know the kind of setup used at the race. I could not find definitive information in the article.

I take it that you haven't read much of the literature on this?

Don't take it that way ;)

The reason is that the chip doesn't actually emit any radio waves; rather, the reader "hears" the chip's signal by the amount of power the chip sucks out of the reader's near field.

You are implying the reader reads a string by measuring the amount of power "sucked" by the tag, and translating the power sucked into the string. I am not aware of technology that works this way. The Wiki link you sent talks about something different that I am also familiar with.

Clive RobinsonSeptember 12, 2012 12:10 PM

@ Wael,

You are implying the reader reads a string by measuring the amount of power "sucked" by the tag

Some of the older chips (Dallas Semi used to make 16bit versions back in the late 1980's if my brain serves me correctly) have a tuned circuit at approximatly resonance, as it enters the field of the reader it gets some power from the field that it uses to change the Q of it's tuned circuit. This has the effect of changing the field around the reader that behaves like an old fashioned Q meter (some store alarms work a similar way).

There are two basic ways it can measure the change in the field the first is by measuring the current into the readers tuned circuit, the second is to measure the voltage across it. Other ways involve various types of spectral measurment.

For the simplest way the field is effectivly AM demodulated and thus in theory you could some how generate an add subtract field by PRK modulating a synthetic carrier that is phase adjusted to the readers carrier, I,m aware that some people have experimented in this area for spoofing more complex systems, however I've not seen anything other than "viewfoils"...

boogSeptember 12, 2012 12:44 PM

@Roger:

Yes, I was disagreeing with that. Not because I fault your logic, but because it has actually already happened, and the evidence was simply ignored.
I think you misunderstand me. In my example I'm not saying that photographic evidence would prove runner A was cheating, just that it would invalidate the GPS tracker. True, circumstantial evidence isn't enough to prove guilt, but it can certainly help build a case.

...experience indicates that most non-runners don't want to hear running stories 8^)
Bah, sure they do; I would much rather read a story about running than go running myself ;)

WaelSeptember 12, 2012 1:03 PM

@ Clive Robinson

Yes, true! But these are used for identical tags that could be used for theft alarms. My question is how do they provision the tags used in the race with say an 8-bit unique identifier? The tags cannot be identical. Then the other part of the question is how does the reader decode this unique 8-bit identifier by the amount of power "sucked" by the tag. This is the technology I am asking about, and my comment about "hearing" ;)

chrisSeptember 12, 2012 3:38 PM

I suspect that Gary got it right early in the thread. A friend of mine read this a week or so ago and we've been talking about it for a while. Both of us do various forms of racing (tri, bicycle, inline skate) and I've promoted a lot of bicycle races (track cycling). I've looked at chip systems and while they look like a nice backup for picking places 17 and 18 (which don't generally matter at all) in a 24 rider race, they're far from foolproof. The easy spoof is to give your chip to a friend and have them run with theirs on one foot and yours on the other...

Most likely he just stashes a bicycle near the course with some spare clothes in a bag and then goes off course, gets on the bike, and pedals. He might get off the bike and change back to run across the timing mats or not-- some marathons allow people at the back to have cyclists riding along pacing them. Otherwise he just rides parallel to the course (along with the family members of many riders), gets onto the course to cross the mats (with or without the bike) then gets on the bike and goes to the next one. Easy, and doesn't depend on access to anything special (like the computers). Most marathons have tons of runners and it would go generally unnoticed.

There are systems that could prevent it-- there's at least one photofinish system available at reasonable cost that uses a linescan camera (the standard for photofinish) across the line combined with a regular video camera from the front that reads and OCRs bib numbers and matches them to the timing on the linescan. A few of those along the course would get images of how he crossed the line. A promoter willing to put in the time and money could probably tie a camera to a chip system (it may have already been done) to photograph each mat each time an athlete crosses. It would be straightforward to do, though not entirely trivial depending on the software and hardware hooks available.

Clive RobinsonSeptember 12, 2012 4:25 PM

@ Wael,

The original Dallas Semiconductors devices had sequential number built in and it was this number pushed out serialy that drove the circuit controling the Q of the tuned circuit. In the simplest case it was like simple AM by "loose coupling" "reactance modulation.

Think of the receiver as the parallel tuned output stage of a class C amp, the chip as another tuned circuit inductivly couppled to the class C tuned circuit and a high impeadance AC "valve voltmeter" connected at the hot end of the class C tuned circuit.

If the chip tuned circuit has no load on it then it will not take energy out of the class C tuned circuit and the valve voltmeter will show aproximatly the peak voltage as being twice the supply rail voltage. If the chip tuned circuit is then slugged with a low impedance it's Q drops but more importantly power is coupled out of the class C tuned circuit and into the chip tuned circuit where it is then transfered to the low impedence across it.

The result will be that if the class C amp circuit has been designed properrly it will not be able to supply the power to the load, so the voltage across it will drop to some value below twice the supply voltage. This will be clearly seen on the valve voltmeter reading.

Now assume the load on the chip tuned circuit is actually in series with transistor (bibolar or fet it makes little difference) and the transistor control gate (Base) is driven by the output of a UART chip or some other parallel to serial converter.

The valve voltmeter will display the serial signal and could in fact drive the input of another UART thus allowing the data to be recovered.

Now provided the chips have some kind of "identity related" time delay you could have a significant number all being on the receiver as each one will modulate at a different time.

The data to be output from the TX UART is for arguments sake "laser etched" onto the chip substrate (etc) and thus alows quite large unique identifiers to be implemented...

WaelSeptember 13, 2012 3:11 PM

@ Clive Robinson

Now assume the load on the chip tuned circuit is actually in series with transistor (bibolar or fet it makes little difference) and the transistor control gate (Base) is driven by the output of a UART chip or some other parallel to serial converter. The valve voltmeter will display the serial signal and could in fact drive the input of another UART thus allowing the data to be recovered.

That... I can buy, although sounds a little unreliable a technology for the race we are talking about. I wish this blog allowed sharing of schematics or mathematical formula notations...

chapmanm007September 16, 2012 6:17 AM

My bet is the whole article is a fraud and that Kip Litton as a legitimate marathon runner is a fictional construct. Most likely part of the bait has been taken so half the data is real noise that masks the signal. And does it matter?

SteveSeptember 17, 2012 4:39 AM

Occam's raser: what is the minimum needed to perpetrate the fraud?

1. His chip needs to get recorded by the mats

2. He needs to get his photo taken

So he starts and finishes the race, and finds other methods / shortcuts of getting between the mats.

PeterSeptember 17, 2012 10:04 AM

Making copies of the chip is easy, but the old maxim about two people being able to keep a secret applies.

The changing of outfits is significant. Why change clothes if there isn't a reason?

Hacking Boston is tough. Rosie couldn't do it, and biking isn't realistic unless you really know the area.

I really like the idea of someone (multiple someones) trailing him through the entire race, without his knowledge.

kholsonSeptember 17, 2012 12:43 PM

I see the clothing conundrum (the changes of clothing during the race) as a case for plausible deniability. Because there are no clear pictures of Kip, face up and same gear over the entire race, doubt is implied. It is one more inconclusive, like a partially showing number, which is not evidential.

How often do sub-180' marathoners change gear in a race? Is it common or does changing gear make it difficult to finish in that time?

CareyApril 19, 2013 3:52 AM

Maps won't automatically note when you've changed direction
or taken a turn, so you have to manually go step
by step. It is one of the greatest investments for the
safety of children one could make to feeling of losing your child even if it's for minutes because it will be the most devastating and stressful situation you will ever go through. Device which highlights high resolution features normally implies sharper images projected on the screen.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..