Slashdot Mirror


Aussie Researchers Crack Transport Crypto, Get Free Rides

mask.of.sanity writes "Shoddy customised cryptography by a state rail outfit has been busted by a group of Australian researchers who were able to replicate cards to get free rides. The flaws in the decades-old custom cryptographic scheme were busted using a few hundred dollars' worth of equipment. The unnamed transport outfit will hold its breath until a scheduled upgrade to see the holes fixed."

  1. Happening everywhere? by Anonymous Coward · Score: 5, Informative

    Governments give these contracts to retarded companies, simply because they offer to do it for a lower price than "proper" companies would.

    Same exact thing happened in the Netherlands: Trans Link Systems got the contract for the "Public transit chip card", and it was hacked in a week. An improved, "unhackable" version was also cracked when it was released.

    The problem with these companies mostly is that they think security through obscurity actually works, which is pathetic.

  2. Killing anonymity by antifoidulus · Score: 4, Informative

    Hopefully theft won't become widespread, both because it will have a negative impact on public transport systems AND it will have a huge negative impact on anonymity. I just checked out Victoria's MyKi system (which was not the one they cracked, but I imagine the one they cracked offers similar services) and they still have an option to buy anonymously.

    However, if theft becomes a huge problem I can quickly see that option going away in the name of deterring theft (note that I am not defending the practice, simply stating what will probably happen). After all, you are much less likely to try to score a free ride if your name is attached to the ticket. I quite like being able to travel conveniently without being tracked (*puts tinfoil hat in murse*)

    1. Re:Killing anonymity by tqft · Score: 3, Informative

      From August in Qld http://www.brisbanetimes.com.au/queensland/go-card-travel-records-point-finger-at-murder-accused-20120816-24b3v.html
      "A Supreme Court jury heard that Ashley Michael McGoldrick's Go Card history showed ..."
      and from 2010
      http://www.brisbanetimes.com.au/queensland/police-watching-where-you-go-20100728-10vx2.html
      "The revelation came after brisbanetimes.com.au exclusively revealed that police are using Go Card technology to not only pinpoint the movements of criminal suspects but also potential witnesses."

      --
      The Singularity is closer than you think
      Quant
    2. Re:Killing anonymity by cloricus · Score: 4, Informative

      As per their Ruxcon presentation it was a previously un-compromised system that used magnetic stripes.

      --
      I ate your fish.
  3. Presentation Slides by Catchwa · Score: 5, Informative

    Can be found here.

  4. The crypto is old, the system is new by Craig Ringer · Score: 3, Informative

    The transit system in question is 5-7 years old - or less depending on which one they refer to. The crypto is old, but the smartcard transit system isn't. Fail. How do I know? Because there are no older transit tag systems in Australia.

  5. Re:Is this really a high risk? by Anonymous Coward · Score: 2, Informative

    On some trains the ticket inspectors will just sell the tickets at normal price if you don't have one, or escort you off the train if you don't want to pay. Of course some places don't even bother with barriers or inspectors for local trains; they have enough honest people buying tickets that it isn't seen as cost effective to have either just to stop a few kids from taking a free ride.