Aussie Researchers Crack Transport Crypto, Get Free Rides
mask.of.sanity writes "Shoddy customised cryptography by a state rail outfit has been busted by a group of Australian researchers who were able to replicate cards to get free rides. The flaws in the decades-old custom cryptographic scheme were busted using a few hundred dollars' worth of equipment. The unnamed transport outfit will hold its breath until a scheduled upgrade to see the holes fixed."
Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms
How many rootkits does the US use officially or unofficially?
How much of the free but proprietary software in the US spies on you?
Which software would that be?
Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.
How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?
If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?
I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:
APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government), your NIC, and many other devices.
Where are the commercial or free anti-malware organizations' and individuals' products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.
The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.
Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.
Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware
All we need now is a concerted effort to crack the Japanese Suica system.
Aussie crypto researchers transporting crack get a free ride.
Shoddy customised cryptography
Brought to you by the Department of Redundancy Department.
Governments give these contracts to retarded companies, simply because they offer to do it for a lower price than "proper" companies would.
Same exact thing happened in the Netherlands, Trans Link Systems got the contract for the "Public transit chip card", it was hacked in a week. An improved, "unhackable" version was also cracked when it was released.
The problem with these companies mostly is that they think security through obscurity actually works, which is pathetic.
Hopefully theft won't become widespread, both because it will have a negative impact on public transport systems AND it will have a huge negative impact on anonymity. I just checked out Victoria's MyKi system (which was not the one they cracked, but I imagine the one they cracked offers similar services) and they still have an option to buy anonymously.
However if theft becomes a huge problem I can quickly see that option going away in the name of deterring theft (note that I am not defending the practice, simply stating what will probably happen). After all you are much less likely to try to score a free ride if your name is attached to the ticket. I quite like being able to travel conveniently without being tracked (*puts tinfoil hat in murse*)
Gee I wonder what state huh? Don't worry they have a very effective form of security. The service is so bad no body wants to travel on their system.
Twitter / UNSWCOMPUTING: Congratulations to our tea ... Defence University Challenge: Karla Burnett, Theo Julienne, Jack Murray & Petr Novak!
twitter.com/UNSWCOMPUTING/status/188049246694539264
5 Apr 2012 – UNSW COMPUTING @UNSWCOMPUTING 5 Apr
The article contains absolutely no information about what the vulnerability was. Has anybody been able to find a link to the actual presentation?
Can be found here.
it could be worse. Your parents could have named you "Dick Short". Then on all the surname/forename lists you would appear as "Short Dick".
they cracked a system with well known vulnerabilities. do something with myki and you might have a real story.
I worked out how to get a free train ride in Adelaide, and I didn't even need any custom equipment.
If the trains don't know the time, they stamp an error bit flag on the mag-stripe ticket. The gates that let you out, supposedly only if you have a ticket valid for that time, will let you past if you have an error bit. And there's no time limit.
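The gate logic described in that comment is a fail-open design: a flag that means "the train could not stamp a time" ends up widening what the gate accepts instead of narrowing it. The following is an added example, not code from the article or from any transit operator; the ticket fields, the two-hour validation window and the audit list are assumptions. It places the described behaviour beside a fail-closed version in which the gate uses its own clock against the ticket's own validity period and logs every flagged ticket, so a broken train clock (or a run of forged flags) shows up in the records rather than silently opening gates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of what an exit gate reads off a magnetic-stripe ticket.
# Field names and the two-hour validation window are assumptions for this example.
@dataclass
class Ticket:
    valid_from: datetime              # start of the ticket's own validity period
    valid_to: datetime                # end of that period
    validated_at: Optional[datetime]  # time stamped by the train, None if it had no clock
    error_flag: bool                  # set when the train could not stamp a time

WINDOW = timedelta(hours=2)  # assumed: how long after validation an exit is accepted

def gate_fail_open(ticket: Ticket, now: datetime) -> bool:
    """Behaviour described in the comment: an error flag short-circuits every
    other check, so a flagged ticket opens the gate at any time, indefinitely."""
    if ticket.error_flag:
        return True
    return (ticket.validated_at is not None
            and ticket.validated_at <= now <= ticket.validated_at + WINDOW)

def gate_fail_closed(ticket: Ticket, now: datetime,
                     audit: Optional[List[str]] = None) -> bool:
    """Hardened: a missing time stamp never widens acceptance. The gate checks its
    own clock against the ticket's validity period first, and every flagged ticket
    it does accept is written to an audit list so anomalies are visible."""
    if not (ticket.valid_from <= now <= ticket.valid_to):
        return False                          # expired or not yet valid: always closed
    if ticket.error_flag:
        if audit is not None:
            audit.append(f"error-flag ticket accepted at {now.isoformat()}")
        return True                           # still bounded by the validity period
    return (ticket.validated_at is not None
            and ticket.validated_at <= now <= ticket.validated_at + WINDOW)
```

The point of the audit list is that a fail-closed gate still has to accept some flagged tickets (a train genuinely can lose its clock), so the residual risk is handled by making those acceptances countable rather than by making them impossible.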
Look, I know this is Slashdot where we dupe articles without reading them, and it's in the original article title, but given that TFA itself goes to some lengths to explain that the filthy h5xx0rz bought all their tickets (and I don't blame them, given Oz's propensity for criminalising everything that isn't mandatory), could we please, just once, actually have an accurate title or summary?
If Slashdot has just become Google News for Nerds, I can pretty much get that myself with a custom search. Upgrade the small shell scripts masquerading as "editors", eh?
If you were blocking sigs, you wouldn't have to read this.
What's the difference between researchers and hackers / crackers? The hat?
If public transport were run by government off taxes (remember: your workers have to get in to work to work for your company), then just run them when they need to be run and save the expense of trying to chase dodgers and secure electronic payment.
This was cracked a number of years ago apparently because it used a simple linear feedback shifter as a random number generator which meant the codes were easy to guess. Or something along those lines, I can't find the article at the moment
LU said they'd be "improving security" and then we heard nothing more about it. Anyone know what's going on these days?
"If public transport were run by government off taxes"
Except they're not. No major PT system in the world is run completely off taxes and is free to the end user. They all collect fares in some fashion. And if you think about it, why should people in one part of a country pay via taxes for people in some city hundreds of miles away to ride for free?
I expect most transport systems have inspectors already to catch people jumping barriers or coasting in and out behind other people. So the faker is going to get caught eventually. If they're really unlucky the inspector will compare the printed data on the ticket to the data on the stripe using a portable reader and call the cops.
Some transport systems don't even bother with barriers and rely exclusively on teams of inspectors. e.g. Dublin's Luas tramline has no barriers so there is nothing to stop someone riding for nothing. To enforce the ticketing system it is not uncommon to see a team of 4 or 5 ticket inspectors board without notice and systematically sweep the train from either end. People with no tickets risk huge fines so you'd have to be pretty dumb to ride this way, fake ticket or not.
make a fence unnecessary.
It defines the social border, the socially accepted line.
Crossing this line involves a reaction from the society, which wants to defend its norms.
If I were an Australian General Prosecutor I would suggest 2-3 years of imprisonment to this group of young researchers so that the next time they would think twice before forging public transportation tickets.
The transit system in question is 5-7 years old - or less depending on which one they refer to. The crypto is old, but the smartcard transit system isn't. Fail. How do I know? Because there are no older transit tag systems in Australia.
""If public transport were run by government off taxes"
Except they're not."
Except there's no reason they can't be.
"why should people in one part of a country pay via taxes for people in some city hundreds of miles away to ride for free?"
Are public transport systems only for other people? No.
And how many thousands of dollars worth of skilled security researchers' time?
There is no music - home taping killed it.
From: http://dou.gl/trainhack-ruxcon-slides.pdf
"It is an offence to travel without a valid ticket. A ticket is not valid
if it is defaced, mutilated or altered."
I recognise that from CityRail (NSW, Australia) tickets
[NB: the 07 AA is understood, the 21 02 08 I am unsure about, and the rest with it the obvious data repetition / incrementation, I can't help but feel the timestamp is staring at me!]
I agree with the above poster that is most likely City Rail in NSW, by a process of elimination:
- Only 5 cities in Australia have public transport rail networks.
- Melbourne have recently introduced Myki - good case study on how not to do it, so they are unlikely and the article states this
- Brisbane use Oyster Card, unlikely but if it is then this is a much bigger story
- Perth uses Smartrider, a smart card system.
- Adelaide have used MetroTicket which contains a magnetic strip developed by Crouzet-SA. A smartcard system is in the process of being rolled out
The RailCorp is being split in two article has some pretty cutting statements about the inefficiency of government run enterprises and entitlement mentality. Solving this will not be simple, and as other posters have commented the problem is the organisation. I'd advise potential vendors to think of a price and triple it. There is a reason some government organisations are charged a premium and yet the vendor still makes a loss.
Posting this as an Anonymous Coward, because I have a bit of experience working as a vendor to RailCorp NSW. Let's just say they are a "challenging" client.
They used "a few hundred dollars' worth of equipment", that's pretty damn far from free, not to mention impractical considering how many train rides one can buy with a few hundred dollars.
So the public service paid for crypto and got it. These kids buy a card reader and card makers and probably use an open source crypto program, voila, instant security researchers?
Jack of all trades, master of none
""Except there's no reason they can't be."
Sure, if the government has unlimited funds."
That would require that public transport for a finite number of people on a finite landscape would be infinite.
This is not the case.
So if you had a shop next to the train station with only a few hundred dollars of equipment they could sell discounted train tickets, right?
The problem with this sort of thing is there is no real need for a great deal of authentication on transit systems. If you are going to go to the trouble to forge tickets, you are probably no real threat to the system's revenue because of the huge investment required. Once you become a real threat, you are going to get caught and the jail time will not be pretty. Most countries will add onto the charges of simply riding without paying a fare because this was done a lot and is "willful".
So, is being able to make forged tickets worth 10-15 years in prison? Who cares if they used a low-bidder for the authentication. It is good enough for 99.9999% of the population and is producing revenue. Would any sane individual decide that millions, tens of millions or even hundreds of millions of the local currency should be spent to "secure" the system? Sounds like complete idiocy to me.
Sure, the system is insecure, but so is every other system on the face of the planet. I'm sure using a forged ticket is already a crime, but all they have to do is make selling forged tickets a serious crime and the problem is a non-problem.
I see the problem; zeroes. Your data is littered with zeroes.
I swear to God...I swear to God! That is NOT how you treat your human!
They'd value the travel to work based on results not cost.
With a Mifare 1k card to store just timestamps, I guess they had space to burn ;)
well....
21 02 08 could be 08 month 2012. last record/entry or exit?
00 6e 07 06 07 00 66 83
01 6e 07 06 08 37 00 00
First 00 and 01 entry/exit flag? 6e 07 month? 06 07 00 66 / 06 08 37 00 could be days/ hours, last four seconds ?
Correction. After reading the presentation, it's clear that this is not a smartcard system, it's a magnetic strip system. That means it isn't Western Australia's SmartRider, and WA's old MultiRider magnetic strip system has been retired for 5 years so it's not going to be MultiRider.
It was Sydney Rail's old magnetic paper cards. The researchers compiled a tonne of cards, and started brute forcing the card ID string in blocks doing a brute force attack on XOR until parts of the card ID string became human readable, and they correlated enough of the data to figure out things like Station ID, Time, Date etc. See #Ruxcon for more information.
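Why the approach in the last comment works at all, and what would have stopped it, is easier to see in code than in prose. The following is an added example, not the researchers' code and not the real CityRail stripe format: the 8-byte record layout (station code, day, hour, entry/exit flag), the sample records, the fixed XOR keystream and the MAC key are all constructed for this illustration. It shows the two properties the comment relies on: a fixed XOR keystream lets each byte position be tested independently against an expected alphabet (8 x 256 trials instead of 256^8), and one card whose trip is known resolves the remaining ambiguity. The defender's half then adds a keyed MAC over the record, so a ticket whose fields were rewritten after recovering the keystream is no longer accepted by the gate; confidentiality of the stripe was never the property that mattered, integrity was.

```python
import hmac
import hashlib

# Constructed 8-byte ticket records in an ASSUMED layout for this example
# (not the real CityRail stripe format): bytes 0-2 station code, 3-4 day,
# 5-6 hour, byte 7 entry/exit flag (0x00 entry, 0x01 exit).
PLAIN_RECORDS = [
    b"CEN0708\x00", b"TWN0717\x01", b"PAR1209\x00",
    b"RED2118\x01", b"STL0322\x00", b"NEW3006\x01",
]
# Constructed fixed keystream standing in for a scheme that XORs every
# card with the same secret bytes.
SECRET_XOR_KEY = bytes.fromhex("a37c0e5591d82bf4")

def xor_bytes(data, key):
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))

CIPHER_RECORDS = [xor_bytes(p, SECRET_XOR_KEY) for p in PLAIN_RECORDS]

# What the analyst expects at each position once decoded: uppercase letters for
# the station code, digits for day and hour, no expectation for the flag byte.
UPPER = set(range(0x41, 0x5B))
DIGIT = set(range(0x30, 0x3A))
FIELD_ALPHABETS = [UPPER, UPPER, UPPER, DIGIT, DIGIT, DIGIT, DIGIT, None]

def readable_candidates(cipher_records):
    """Stage 1: per key position, keep every key byte under which ALL records
    decode into the expected alphabet ("until parts became human readable")."""
    cands = []
    for pos, alphabet in enumerate(FIELD_ALPHABETS):
        column = [c[pos] for c in cipher_records]
        if alphabet is None:
            cands.append(set(range(256)))   # no readability test for a binary field
        else:
            cands.append({k for k in range(256)
                          if all(b ^ k in alphabet for b in column)})
    return cands

def recover_key(cipher_records, known_index, known_plain):
    """Stage 2: correlate with one card whose trip is known. At each position the
    key byte consistent with that record is taken, and it must agree with the
    readability candidates, which is the check that resolves the remaining ties."""
    cands = readable_candidates(cipher_records)
    key = bytearray()
    for pos, p in enumerate(known_plain):
        k = cipher_records[known_index][pos] ^ p
        if k not in cands[pos]:
            raise ValueError(f"position {pos}: known plaintext contradicts readability filter")
        key.append(k)
    return bytes(key)

# Defender's side: each record also carries a keyed MAC over its fields, so a
# record altered after the keystream is recovered is rejected by the gate.
MAC_KEY = b"constructed-gate-mac-key"   # constructed per-deployment secret
TAG_LEN = 8

def issue_record(plain):
    tag = hmac.new(MAC_KEY, plain, hashlib.sha256).digest()[:TAG_LEN]
    return xor_bytes(plain + tag, SECRET_XOR_KEY)   # keystream reused, as before

def gate_accepts(cipher):
    plain = xor_bytes(cipher, SECRET_XOR_KEY)
    body, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)

def alter_station(cipher, recovered_key, new_station):
    """Rewrite the station field knowing only the XOR keystream; the MAC tag
    travels along unchanged, which is exactly what gate_accepts detects."""
    plain = bytearray(xor_bytes(cipher, recovered_key))
    plain[0:3] = new_station
    return xor_bytes(bytes(plain), recovered_key)
```

The digit positions in this sample narrow to at most a handful of candidates and the letter positions to at most 32 (the XOR difference must keep the high bits of an ASCII letter), while the flag byte cannot be narrowed by readability at all; that asymmetry is the "parts became human readable" the comment describes, and it is why the final correlation step is needed.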