Slashdot Mirror


Another EUSecWest NFC Trick: Ride the Subway For Free

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."

9 of 135 comments

  1. Re:More like... by snowraver1 · · Score: 4, Interesting

    How would anyone ever catch you? These systems probably don't have network access, otherwise they would just read a token and then authenticate against a server, so all you have is log files. You could detect the fraud after the fact (if you somehow collected the log files), but to actually catch someone red-handed would be pretty difficult.

    Even if you did collect the log files, they may be useless. You would have to catch the same non-reloadable card being used more than the maximum number of times. To do that, you would probably have to analyse hundreds, if not thousands of .log files from different devices, unless the transactions are somehow manually collected and uploaded into a database. Even then, it would be an after-the-fact type thing.

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
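
The after-the-fact check described in the comment above, as an added example that is not part of the thread: merged gate logs are scanned for limited-use cards whose history is impossible. The log layout, product names and sample lines are assumptions constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: per-gate exports merged into one file. The field layout
# is an assumption: time, gate, card UID, product, rides left as read from
# the card before the gate deducts one.
SAMPLE_LOGS = """\
2012-09-20T08:01:10,gate-A,04A1B2C3,10RIDE,10
2012-09-20T17:40:02,gate-B,04A1B2C3,10RIDE,9
2012-09-20T08:03:55,gate-A,04D4E5F6,2RIDE,2
2012-09-20T12:15:31,gate-C,04D4E5F6,2RIDE,1
2012-09-20T18:22:47,gate-B,04D4E5F6,2RIDE,2
2012-09-21T08:05:12,gate-A,04D4E5F6,2RIDE,1
"""

MAX_RIDES = {"10RIDE": 10, "2RIDE": 2}  # non-reloadable products (assumed names)


def find_reset_cards(log_text, max_rides=MAX_RIDES):
    """Return {uid: [reasons]} for limited-use cards with an impossible history."""
    taps = defaultdict(list)
    for ts, gate, uid, product, left in csv.reader(io.StringIO(log_text)):
        if product in max_rides:
            taps[uid].append((ts, gate, product, int(left)))

    findings = defaultdict(list)
    for uid, events in taps.items():
        events.sort()  # ISO 8601 timestamps sort chronologically as strings
        limit = max_rides[events[0][2]]
        if len(events) > limit:
            findings[uid].append(f"{len(events)} taps on a {limit}-ride card")
        for (_, _, _, before), (ts, gate, _, after) in zip(events, events[1:]):
            # A non-reloadable card can only count down between two taps.
            if after >= before:
                findings[uid].append(
                    f"rides left went {before} -> {after} at {gate} {ts}")
    return dict(findings)


if __name__ == "__main__":
    for uid, reasons in find_reset_cards(SAMPLE_LOGS).items():
        print(uid, "; ".join(reasons))
```
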
  2. Easy answer by girlintraining · · Score: 5, Insightful

    I suppose the natural solution then would be to ban the app, possibly ban android phones with NFC capability, and/or threaten the security researchers with jail time. That's usually what legislators and law enforcement do... rather than, I don't know, fix the problem with the cards?

    --
    #fuckbeta #iamslashdot #dicemustdie
  3. Long ago... by Anonymous Coward · · Score: 5, Informative

    Back in the 80s they tried to introduce plain-clothes security officers on Amsterdam trams to catch people who didn't pay for an honor-system ticket and got on anyway. The people of Amsterdam had a referendum and voted that the officers had to wear uniforms, so that fare hoppers would have "a sporting chance" of running away when an inspector got on the tram.

  4. what "take advantage"? by holophrastic · · Score: 5, Insightful

    That's not taking advantage of anything. The card's programmable, you programmed it. Congrats. That's like printing a transfer on your home printer. Same illegal it's always been.

    So tell me again why these cards don't authenticate against a central reliable source? Oh yeah, we're replacing slips of paper, not Brinks trucks with armed guards.

    Right.

    High-speed traffic is still controlled with painted lines, not concrete walls. Not everything is security-related.

    1. Re:what "take advantage"? by holophrastic · · Score: 4, Insightful

      No, we shouldn't. There likely isn't enough fraud to warrant such measures. Besides, the system that you describe has huge maintenance costs. You can't have these things stop working during rush hour. And between the central server itself, network nodes everywhere, and wireless lag, there's expense, personnel, and it'll slow things down too. And in the end, you'll have a huge network, with so many nodes that it can be hacked directly anyway. Then you'll want to secure that.

      On top of everything though, crime isn't the responsibility of the transportation department. If people are committing fraud, that's what police are for. Transportation doesn't want to pay for it, and I don't blame them. I wouldn't pay for it either.

  5. Balance on the card? by Nethemas+the+Great · · Score: 4, Insightful

    Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

    --
    Two of my imaginary friends reproduced once ... with negative results.
    1. Re:Balance on the card? by swillden · · Score: 5, Interesting

      Why on earth would anyone store the balance on the card you give to customers? Isn't that kind of an open invitation to exploitation not to mention customer service headaches from people losing/damaging their cards?

      There are lots of reasons that you might want to store the balance on the card. Increased reliability in the face of network outages, improved performance by eliminating the need for a network round trip and a database query, the ability to deploy in environments without network access at all, the ability to cross incompatible system boundaries... and many more.

      Further, if you do it right, there's no reason not to store the balance on the card. Smart card chips like those used in these fare cards are designed to provide a fairly high degree of security. They can perform cryptographic operations to authenticate the commands they're given, and they can make decisions about whether or not they're going to honor the commands based on authentication and on the content of the request and its context (to the degree that they're aware of context).

      But building smart card systems is hard, and making them secure adds another layer of complexity and frustration when things just don't work because the damned card keeps rejecting your -- you believe -- properly authenticated and formatted commands. It's normal for the early stages of development to disable security for ease of development and testing... and it's unfortunately pretty common for security to be left off, or at least not thoroughly validated, for deployment. And it mostly works, because contactless smart card readers are relatively rare -- they're not expensive, mind you, haven't been for many years, but they have been uncommon. Except now there's one embedded in every one of an increasing number of high-end smartphone models.

      This isn't a fundamental architectural flaw, it's either a detailed design flaw or (very likely) a straight up implementation error. Most likely caused by simple laziness and incompetence (granted that finding competent people in this area of technology isn't trivial, and self-education is a multi-year process).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
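
A toy model of the point made in the comment above, as an added example that is not part of the thread: the same card logic deployed with command authentication left off and with it enforced. The `FareCard` class, the command layout and the key are hypothetical and constructed for this example; they are not any real card's command set.

```python
import hashlib
import hmac
import struct


def command_mac(key, new_balance, counter):
    """MAC over the command fields, computed by whoever holds the key."""
    msg = struct.pack(">IQ", new_balance, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()


class FareCard:
    """Toy stored-value card; not any real card's command set."""

    def __init__(self, key, enforce_auth):
        self._key = key
        self.balance = 0
        self.counter = 0  # card-side context: only ever moves forward
        self.enforce_auth = enforce_auth

    def set_balance(self, new_balance, counter, tag=b""):
        """Honor a balance write only if authentication and context check out."""
        if self.enforce_auth:
            want = command_mac(self._key, new_balance, counter)
            if not hmac.compare_digest(want, tag):
                return False  # sender does not hold the key
            if counter != self.counter + 1:
                return False  # genuine but stale command, i.e. a replay
        self.balance = new_balance
        self.counter += 1
        return True


def run_scenario(enforce_auth, key=b"constructed-demo-key"):
    """Return (unauthenticated write accepted, replay accepted, final balance)."""
    card = FareCard(key, enforce_auth)
    topup = (1000, 1, command_mac(key, 1000, 1))   # sold at a vending machine
    debit = (750, 2, command_mac(key, 750, 2))     # fare taken at a gate
    assert card.set_balance(*topup) and card.set_balance(*debit)
    unauth_ok = card.set_balance(1000, 3)          # write with no MAC at all
    replay_ok = card.set_balance(*topup)           # recorded top-up sent again
    return unauth_ok, replay_ok, card.balance


if __name__ == "__main__":
    print("security left off:", run_scenario(enforce_auth=False))
    print("security enforced:", run_scenario(enforce_auth=True))
```
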
  6. Re:More like... by Razgorov+Prikazka · · Score: 5, Informative

    Link to the Powned (yes it is called powned:) clip: http://youtu.be/3izaITMDAYg (in Dutch)

    Transcript for the non-Dutch:
    <anchor guy> Our Jojanneke showed us yesterday that even blonde women can crack the TLS-chipcard without a problem. The responsible company reacted frivolously because the hack would show up in their systems, and the authorities would be alerted. In other words, keep calm and carry on. But that was before they saw this news-item.
    <Journalist 1> I can check in and out myself, simply by typing in the time that I want to be checked in, and upload it to the card. No signs in their back-office, this is undetectable.
    <anchor guy> Yes indeed, now the TLS-card can be hacked even without TLS getting to know about it. The chance that the identity of the fraudulent traveller is to be unveiled is as good as nil. And that is what the responsible company is finally - although not enthusiastically - admitting.
    <TLS spokes woman, Anita Hilhorst (to a journalist in a studio)>...At this moment our checks with detectors and inspectors do not show those transactions in our back-office,
    <journalist in the studio> yeah, when the conductor checks me, his machine just says that I am checked in.
    <TLS spokes woman>...Yes...
    <journalist in the studio> So then I don't have a problem and you are completely ignorant about it.
    <TLS spokes woman>...then we can't see that ehhh ehhh in the transactions in our back-office
    <journalist in the studio> So at that moment I am untraceable, and you can't do anything against me.
    <TLS spokes woman> We aren't able to see that, no.
    <anchor guy> And so definitively the TLS-card dies. Costing 3.000.000.000,- Euro, and nothing. The minister is summoned for a debate before parliament to explain what he will do about it. And here is some more ammo for the ladies and gentlemen of the opposition; the software needed is, since yesterday, downloadable from bittorrent sites. Cracking the TLS-card is now in reach for your grandmother of 82 years old.
    <Jojanneke a.k.a. Pow-janneke> The cracking of the TLS-card is now made even simpler because the software is leaked to bittorrent sites, what does that mean?
    <journalist> It means that anyone can download this, and since it is a very simple crack I am not surprised that it is put in the open.
    <Jojanneke> This thing is also needed (hold up card reader), where to buy this? In a shop?
    <journalist> Yes, it is about three tenners, so anyone can go ahead with a TLS-card.
    <Jojanneke> But can it be bought in a store?
    <journalist> Yes, or on-line if they aren't sold out yet.
    <Jojanneke> And we don't have to check in at the station, we can do this at home?
    <journalist> yes, that is quite simple to do (shows program how-to) and because you do this at home, you are invisible to the back-office. The conductor just checks whether the card has been checked in or not, and that data is transmitted to the system at the end of the day, but by then you already left the train.
    <Jojanneke> In other words, it is so simple even my grandmother can do this?
    <journalist> Even your grandmother can do this easily
    <anchor guy> Well and if this isn't bad enough, the hackers will present a new version tomorrow that will make it even more easy with new features like making money with that card!
    <Jojanneke> Hackers are busy to speed up the process to keep it within 15 seconds, what does this mean if they succeed in that?
    <journalist> Well then it is so fast and easy that it becomes feasible to start a 'business' with that.
    <Jojanneke> So they can recharge a lot of cards in a short while.
    <journalist> Yes, you give me a tenner, and I put a hundred euros' worth of credit on it. And I have warned about this in the past that this might happen.
    <anchor guy> If by chance you are slightly handy with computers, TransLinkSystems is looking for a fraud-manager that can monitor the security measures of the cards, stress-resistance is a pre.

    Sorry for any mistakes made, but you'll get the message, right?

    --
    rm -rf --no-preserve-root / ...and let /dev/null sort them out...
  7. Re:Not that hard, really by nedlohs · · Score: 4, Funny

    "Here you are caught by security camera A231763 purchasing said ticket at a vending machine. And we know it is that ticket because as you can see a simple uncrop and we can see the serial number reflected in that window which is reflected in that water drop which is reflected on that man's hat."