Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aussie Researchers Crack Transport Crypto, Get Free Rides

Posted by timothy on from the dirty-socialists dept.

mask.of.sanity writes "Shoddy customised cryptography by a state rail outfit has been busted by a group of Australian researchers who were able to replicate cards to get free rides. The flaws in the decades-old custom cryptographic scheme were busted using a few hundred dollars' worth of equipment. The unnamed transport outfit will hold its breath until a scheduled upgrade to see the holes fixed."

48 of 88 comments (clear)

  1. The way I read the headline by Ukab+the+Great · · Score: 5, Funny

    Aussie crypto researchers transporting crack get a free ride.

    1. Re:The way I read the headline by cloricus · · Score: 1

      I was at their Ruxcon talk this last weekend and I can categorically state that the headline is accurate!

      --
      I ate your fish.
    2. Re:The way I read the headline by trancemission · · Score: 3, Funny

      You should lay off the crack...

  2. This message brought to you by... by Ignacio · · Score: 4, Funny

    Shoddy customised cryptography

    Brought to you by the Department of Redundancy Department.

    1. Re:This message brought to you by... by hattig · · Score: 5, Insightful

      So shoddy that it worked fine for "decades". As one of the researchers said - it was designed before he was born.

      Even if a few people had previously worked out their way around it, they could hardly mass-market their cloned cards on the market, and thus the number of users was always going to be rather limited - and probably not worth replacing the current system to deal with.

      Now technology has got to the point where the average person could abuse the system, so I guess the system will get an upgrade soon.

    2. Re:This message brought to you by... by Jane+Q.+Public · · Score: 1

      And the Natural Guard.

  3. Happening everywhere? by Anonymous Coward · · Score: 5, Informative

    Governments give these contracts to retarded companies, simply because they offer to do it for a lower price than "proper" companies would.

    Same exact thing happened in the Netherlands, Trans Link Systems got the contract for the "Public transit chip card", it was hacked in a week. An improved, "unhackable" version was also cracked when it was released.

    The problem with these companies mostly is that they think security through obscurity actually works, which is pathetic.

    1. Re:Happening everywhere? by Kergan · · Score: 5, Insightful

      The problem with these companies mostly is that they think they've come up with better cryptographic security than tried and tested solutions, which is pathetic.

      FTFY.

    2. Re:Happening everywhere? by Anonymous Coward · · Score: 1

      You're giving them too much credit. Most of the people doing this stuff are so clueless that they don't even know what are the tried and tested solutions. They come up with terrible solutions because they understand neither the foundation libraries already available nor the basics of cryptographic security.

    3. Re:Happening everywhere? by Anonymous Coward · · Score: 1

      What exactly is "Proper"? A company that can engineer a train so that its reliable and people don't die and is efficient is likely a company that will get the contract. They usually 'throw in' a ticketing system. Politicians and people (taxpayers) look at the whopping costs of implementing a train system, and see anything free as "it had better be". So they make a ticketing system, but its a freebie (I believe that your use of the word "proper" and freebie are diametrically opposed here). The rail system is opened, people start using it, the pain of taxpayers is softened, and people forget about the millions. Then, a group of smartypants students looking for a research project looks at the now decades old system, and breaks the freebie security. Commenters on public blogs mutter about "proper" and shake their heads with disdain (although the system had worked ok for many years, apparently). The company puts some money into a 'proper' system. Since it doesn't cost millions, taxpayers see it as a curious line item, and the story is forgotten the next day.

  4. Killing anonymity by antifoidulus · · Score: 4, Informative

    Hopefully theft won't become widespread, both because it will have a negative impact on public transport systems AND it will have a huge negative impact on anonymity. I just checked out Victoria's MyKi system(which was not the one they cracked, but I imagine the one they cracked offers similar services) and they still have an option to buy anonymously.

    However if theft becomes a huge problem I can quickly see that option going away in the name of deterring theft(note that I am not defending the practice, simply stating what will probably happen). After all you are much less likely to try to score a free ride if your name is attached to the ticket. I quite like being able to travel conveniently without being tracked(*puts tinfoil hat in murse*)

    --
    Monstar L
    1. Re:Killing anonymity by aaron552 · · Score: 2

      I just checked out Victoria's MyKi system(which was not the one they cracked, but I imagine the one they cracked offers similar services) and they still have an option to buy anonymously.

      No personally identifying information is stored on the Myki - just the balance and last 10 trips.

      From the article it's pretty easy to guess that the cracked system was the ancient, magnetic-strip-on-paper-cards Metcard system. I highly doubt there's any tracking going on, that would require the people running the system to be competent

      --
      I had a sig once. It was lost in the great storm of '09.
    2. Re:Killing anonymity by tqft · · Score: 3, Informative

      From August in Qld http://www.brisbanetimes.com.au/queensland/go-card-travel-records-point-finger-at-murder-accused-20120816-24b3v.html
      "A Supreme Court jury heard that Ashley Michael McGoldrick's Go Card history showed ..."
      and from 2010
      http://www.brisbanetimes.com.au/queensland/police-watching-where-you-go-20100728-10vx2.html
      "The revelation came after brisbanetimes.com.au exclusively revealed that police are using Go Card technology to not only pinpoint the movements of criminal suspects but also potential witnesses.
      "

      --
      The Singularity is closer than you think
      Quant
    3. Re:Killing anonymity by mcbridematt · · Score: 4, Interesting

      More likely it is the Brisbane GoCard or Perth SmartRider - which use the horribly insecure MiFare Classic, which was compromised some years ago and there are 'off the shelf' exploits.

      The operator of the Brisbane system even tried to play down the significance of the MiFare Classic exploit when it was known before launch.

    4. Re:Killing anonymity by Anonymous Coward · · Score: 1

      Hey Slashdotters, should we tell this person that if they're taking a train, they're already being recorded on ten different cameras being fed back to HQ where they pump the feeds into facial recognition software?

      Unless you walk around in a hoodie with a full facial skull mask such as those worn by motorcyclists, you haven't been traveling anonymously for a long time - cash or not.

    5. Re:Killing anonymity by cloricus · · Score: 4, Informative

      As per their Ruxcon presentation it was a previously un-compromised system that used magnetic stripes.

      --
      I ate your fish.
    6. Re:Killing anonymity by Gothmolly · · Score: 3, Funny

      You live in AUSTRALIA, and you're suddenly worried about privacy/anonymity?

      --
      I want to delete my account but Slashdot doesn't allow it.
    7. Re:Killing anonymity by Ronin441 · · Score: 1

      Perth SmartRider does indeed use MiFare Classic, and the cards are indeed insecure. But there's some server-side smarts which will (eventually) notice a cloned card, and deactivate it. I expect it also (eventually) notices if you top up your card yourself for free.

      The idea is that although the system can be exploited at a small scale, it isn't worth the hassle. Provided their server-side stuff prevents exploits going commercial and becoming widespread, it's good enough.

    8. Re:Killing anonymity by EnempE · · Score: 1

      Not on that rail network they aren't. QR has been struggling to make ends meet for a while, the go card system was supposed to improve the situation by reducing ticketing costs and reducing staffing requirements at smaller platforms. They don't have the money to invest in facial recognition software. The left bag systems would probably be running on the live feeds but the cameras don't have the resolution to pick out faces and track them through the system, it would be a major upgrade. As the system stands. They would have to do facial recognition the old fashioned way, by going back through the recorded feeds and looking at them. In TFA they say that they have footage from the bus where the card was used, bus dvrs are standalone and aren't suitable for facial recognition.

  5. Link to the presentation by kasperd · · Score: 2

    The article contains absolutely no information about what the vulnerability was. Have anybody been able to find a link to the actual presentation?

    --

    Do you care about the security of your wireless mouse?
    1. Re:Link to the presentation by Anonymous Coward · · Score: 5, Insightful

      Almost guaranteed that the rail systrem is the City Rail, the NSW rail system. Their ticketing system is a nightmare, and has been the subject of multiple botched upgrades over the last couple of decades, costing millions of dollars. The latest plan is to upgrade to London's "Oyster Card" technology (renamed Opal card), but I'll believe it once I see it. The current tickets are just a piece of cardboard/plastic with a magnetic strip. Trivial to read, and most likely (as has been found out) trivial to decode.

      In fact, when you do the numbers, it would be cheapest for the NSW government to abolish ticketing all together. The money saved on the (absence of a) ticking system and the reduction in road use would exceed the current revenue from tickets.

    2. Re:Link to the presentation by kasperd · · Score: 1

      Somebody else did post a link to the slides, though not in response to my question.

      --

      Do you care about the security of your wireless mouse?
    3. Re:Link to the presentation by ewanm89 · · Score: 1

      Better not use the Oyster cards as they are MIFARE classic 1K and are well cracked already.

  6. Re:Government & Stealth Malware by Anonymous Coward · · Score: 1

    http://www.thinkpenguin.com/

    Freedom friendly hardware. Much of it is not as suseptable to these attacks although there are so many places to hide...

    The real risk is the most common components. What chipset is used in nearly every system? These are the ones I would target.

  7. Presentation Slides by Catchwa · · Score: 5, Informative

    Can be found here.

    1. Re:Presentation Slides by kasperd · · Score: 4, Insightful

      Wow. The encryption described in those slides is like state of the art of the 16th century. Nowadays that scheme doesn't even qualify as cryptography. It's not custom cryptography, it's a joke.

      The slides do mention, that they have modified some details, probably as part of a responsible disclosure. But I suppose the sort of methods used and the strength of the encryption does correspond to the original version.

      But as so often before, people are using "encryption" when it isn't what they need. 90% of the time where people use encryption, what they really need is integrity, which is not achieved through encryption but rather through message-authentication-codes or digital signatures. Encryption without integrity is rarely a good idea. If the integrity of the data on these tickets had been protected, there would be no need for encryption in the first place. After all, the plaintext version of the data is probably even printed on the ticket.

      --

      Do you care about the security of your wireless mouse?
  8. Free rides in adelaide by Anonymous Coward · · Score: 2, Interesting

    I worked out how to get a free train ride in adelaide, and I didn't even need any custom equipment.

    If the trains don't know the time, they stamp an error bit flag on the mag-stripe ticket. The gates that let you out, supposedly only if you have a ticket valid for that time, will let you past if you have an error bit. And there's no time limit.

  9. Re:Government & Stealth Malware by Lumpy · · Score: 3, Insightful

    "Nobody Seems To Notice" I guarantee to you that someone noticed and has been exploiting it for a while now. I know guys that have cracked the Chicago system for years now, wait... for over a decade now. Maybe Chicago has updated their ticket system, but I doubt it. Municipalities dont care if a system is cracked until it is widespread abused. If only 400 people in a city the size of Chicago are getting free rides, they dont even show up as an accounting anomoly. Imagine how many in NYC have figured out it's holes and are exploiting them.

    People notice and people take advantage of it.

    --
    Do not look at laser with remaining good eye.
  10. London Underground Oyster smartcard by Viol8 · · Score: 1

    This was cracked a number of years ago apparently because it used a simple linear feedback shifter as a random number generator which meant the code were easy to guess. Or something along those lines , I can't fine the article at the moment

      LU said they'd be "improving security" and then we heard nothing more about it. Anyone know whats going on these days?

    1. Re:London Underground Oyster smartcard by Anonymous Coward · · Score: 1

      DESFire cards are all you can get on Oyster now. MiFare classic was replaced a few years back. This is why it is now much slower to read/write and why the hotspot is smaller (DESFire requires more power).

  11. Err, to collect revenue? by Viol8 · · Score: 1

    "If public transport were run by government off taxes"

    Except they're not. No major PT system in the world is run completely off taxes and is free to the end user. They all collect fares in some fashion. And if you think about it , why should people in one part of a country pay via taxes for people in some city hundreds of miles away to ride for free?

    1. Re:Err, to collect revenue? by TapeCutter · · Score: 1

      There's also this strange behavior with humans where they value something more if they pay for it directly, even if the payment is trivial.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  12. Is this really a high risk? by DrXym · · Score: 2
    I really don't see this as a huge threat. Let's assume the worst case, that some people buy a mag stripe reader/writer and use software to program the tickets with bogus data. These tickets might fool automatic barriers but they won't fool a ticket inspector.

    I expect most transport systems have inspectors already to catch people jumping barriers or coasting in and out behind other people. So the faker is going to get caught eventually. If they're really unlucky the inspector will compare the printed data on the ticket to the data on the stripe using a portable reader and call the cops.

    Some transport systems don't even bother with barriers and rely exclusively teams of inspectors. e.g. Dublin's Luas tramline has no barriers so there is nothing to stop someone riding for nothing. To enforce the ticketing system it is not uncommon to see a team of 4 or 5 ticket inspectors board without notice and systematically sweep the train for either end. People with no tickets risk huge fines so you'd have to be pretty dumb to ride this way, fake ticket or not.

    1. Re:Is this really a high risk? by Anonymous Coward · · Score: 2, Informative

      On some trains the ticket inspectors will just sell the tickets at normal price if you don't have one, or escort you off the train if you don't want to pay. Of course some places don't even bother with barriers or inspectors for local trains, they have enough honest people buying tickets that it isn't seen as cost effective to have either just to stop a few kids from taking a free ride.

  13. Any fence can be scaled, but it does not by Max_W · · Score: 1, Interesting

    make a fence unnecessary.

    It defines the social border, the socially accepted line.

    Crossing this line involves a reaction from the society, which wants to defend its norms.

    If I were an Australian General Prosecutor I would suggest 2 -3 years of imprisonment to these group of young researches so that the next time they would think twice before forging public transportation tickets.

  14. The crypto is old, the system is new by Craig+Ringer · · Score: 3, Informative

    The transit system in question is 5-7 years old - or less depending on which one they refer to. The crypto is old, but the smartcard transit system isn't. Fail. How do I know? Because there are no older transit tag systems in Australia.

    1. Re:The crypto is old, the system is new by jimicus · · Score: 1

      Maybe they bought it in from an outside company that had been selling similar systems in other parts of the world for years?

    2. Re:The crypto is old, the system is new by Craig+Ringer · · Score: 1

      Nope, turns out it's a magnetic strip system not a smartcard system, so it isn't SmartRider.

  15. A few hundred dollars of hardware by FridgeFreezer · · Score: 1

    And how many thousands of dollars worth of skilled security researchers' time?

    --
    There is no music - home taping killed it.
  16. Re:Except there's no reason to be. by Viol8 · · Score: 1

    "Except there's no rason they can't be."

    Sure, if the government has unlimited funds. Most don't. Usually there are more important things to spend money on.

    "Are public transport systems only for other people? No."

    Huh?

  17. RE: Data Analysis by Archon-X · · Score: 2
    I've got a current project of trying to do some data analysis on RFID data dumps. I've made some progress, but have been getting stuck on trying to pull out the timestamp. 'Obvious' things, like days of the year, epoch stamps etc don't seem to appear. From research, there should be a defined start date / time, and an ending date / time - and the gap should be no more than 84 hours. The dump I have is from around Sept 2012. If anyone feels like helping out or can see something obvious...

    03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    aa 07 00 00 21 02 08 00 00 6e 07 06 07 00 66 83
    00 00 00 00 00 00 00 00 01 6e 07 06 08 37 00 00

    [NB: the 07 AA is understood, the 21 02 08 I am unsure about, and the rest with it the obvious data repetition / incrementation, i can't help but feel the timestamp is staring at me!]

  18. City Rail in NSW by Anonymous Coward · · Score: 1

    I agree with the above poster that is most likely City Rail in NSW, by a process of elimination:
    - Only 5 cities in Australia have public transport rail networks.
    - Melbourne have recently introduced Myki - good case study on how not to do it, so they are unlikely and the article states this
    - Brisbane use Oyster Card, unlikely but if it is then this is a much bigger story
    - Perth uses Smartrider, a smart card system.
    - Adelaide have used MetroTicket which contains a magnetic strip developed by Crouzet-SA. A smartcard system is in the process of being rolled out

    The RailCorp is being split in two article has some pretty cutting statements about the inefficiency of government run enterprises and entitlement mentality. Solving this will not be simple, and as other posters have commented the problem is the organisation. I'd advise potential vendors to think of a price and triple it. There is a reason some government organisations are charged a premium and yet the vendor still makes a loss.

    Posting this as an Anonymous Coward, because I have a bit of experience working as a vendor to RailCorp NSW. Let's just say they are a "challenging" client.

  19. So the public service paid fo by Stan92057 · · Score: 1

    So the public service paid for crypto and got it. Theses kids buy a card reader and card makers and probably use an open source crypt o program wala instant security searchers?

    --
    Jack of all trades,master of none
  20. I guess the danger is resellers by cdrguru · · Score: 1

    So if you had a shop next to the train station with only a few hundred dollars of equipment they could sell discounted train tickets, right?

    The problem with this sort of thing is there is no real need for a great deal of authentication on transit systems. If you are going to go to the trouble to forge tickets, you are probably no real threat the system's revenue because of the huge investment required. Once you become a real threat, you are going to get caught and the jail time will not be pretty. Most countries will add onto the charges of simply riding without paying a fair because this was done a lot and is "willful".

    So, is being able to make forged tickets worth 10-15 years in prison? Who cares if they used a low-bidder for the authentication. It is good enough for 99.9999% of the population and is producing revenue. Would any sane individual decide that millions, tens of millions or even hundreds of millions of the local currency should be spent to "secure" the system? Sounds like complete idiocy to me.

    Sure, the system is insecure, but so is every other system on the face of the planet. I'm sure using a forged ticket is already a crime, but all they have to do is make selling forged tickets a serious crime and the problem is a non-problem.

  21. Re: Data Analysis by GodfatherofSoul · · Score: 1

    I see the problem; zeroes. You data is littered with zeroes.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  22. Re:Public transport cost is infinite??? by Viol8 · · Score: 1

    Don't be a smartass, you know exactly what I mean. And do explain why people who don't use a service should pay just as much for it as people who do in this socialist nirvana you've dreamt up?

  23. Re: Data Analysis by Archon-X · · Score: 1

    With a Mifare 1k card to store just timestamps, I guess they had space to burn ;)

  24. Whoops, wrong by Craig+Ringer · · Score: 1

    Correction. After reading the presentation, it's clear that this is not a smartcard system, it's a magentic strip system. That means it isn't Western Australia's SmartRider, and WA's old MultiRider magnetic strip system has been retired for 5 years so it's not going to be MultiRider.