Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Zealand's Hackable Transport Card Grants Free Bus Rides

Posted by Unknown on from the we'll-fix-that-tomorrow dept.

mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MiFare Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users meaning attackers could look up details of residents and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009." There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.

12 of 96 comments (clear)

  1. Why is everyone reinventing the wheel? by kwark · · Score: 2

    There have been already a couple of mifrate classic public transport implementations where they discovered the card was abusable! eg http://en.wikipedia.org/wiki/OV-chipkaart#Technology
    This was known in 2007.

  2. that and Sydney... should have gone bluetooth by johnjones · · Score: 2

    frankly they should have used a software system that worked with phones with optional card if you wanted it rather than a phone

    Oyster has been hacked again and again...

    http://www.wired.com/autopia/2008/06/hackers-crack-l/

    regards

    John Jones

     

    1. Re:that and Sydney... should have gone bluetooth by hairyfish · · Score: 2

      frankly they should have used a software system

      Or here's something left field, how about make public transport free and just pay for it through a flat levy? Oh noes! higher taxes! Yeah it won't sell politically, but really common sense tells you public transport benefits everyone so should be paid for out of the public purse. And think of how much more efficient you can make it when you don't have to bother with complicated ticketing systems. If you like public transport it's a win, if you're a Canyonero fan then you also win (less other cars on the road to get in your way). Of course it'll never happen because the 2nd amendment or some other bullshit excuse.

  3. Problem already solved by waynemcdougall · · Score: 4, Funny

    Good news everybody! Here in New Zealand such actions as hacking cards to add value, or taking personal information off websites, or even wiping data off someone else's computer system are all illegal.

    Thus solving the problem once and for all.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
    1. Re:Problem already solved by gweilo8888 · · Score: 2

      ...which is the equivalent of 2,832 people being murdered in the US every year.

      Actual US homicide rate, courtesy of the CDC: 16,259, of which 11,078 were using firearms.

      So you have a 5.74x greater chance of being murdered in the USA than in New Zealand, assuming your figure was correct. (I didn't bother to check it.) And even if you ignore the firearm deaths completely in the US (but still include them for NZ), you still have 1.83x greater chance of being murdered in the USA.

      So much for the whole "guns make you safer" thing. You're less safe in the US in terms of non-gun crime, and you're much, much less safe in terms of gun crime.

  4. Such a deal by Earthquake+Retrofit · · Score: 2
    "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free."

    So I get free rides on the bus and anyone can see my (fairly public) directory information... not such a bad deal.

    --
    Fifty years of Yippie! 1968-2018
    1. Re:Such a deal by PRMan · · Score: 2

      Clearly the submitter doesn't understand the culture of the south island of New Zealand. When I was there recently, there were bags of apples in a barn with an "honesty box" where you paid the amount listed on the bag. Could I have stolen all the apples and got them "free"? I guess. But that's not the culture there. People pay for things because it's the right thing to do, not because the card "makes" them.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  5. Why do transit smartcards need to be hard? by jonwil · · Score: 3, Informative

    Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?

    You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.

    Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.

    1. Re:Why do transit smartcards need to be hard? by jonwil · · Score: 2

      Thats why the terminals have all the intelligence.
      If the system is designed right, forged cards, replay attacks (e.g. add $50 to the card, read its contents, spend the $50, write the old contents to get a free top-up) and other such things can be prevented.

      What you can do is to add a simple hardware increment-only counter to the card. Each time the card is written to, the counter is incremented by the circuit logic. When the card is read, if the value of the counter doesn't match whats stored in the encrypted-and-signed blob, it will reject the card.

    2. Re:Why do transit smartcards need to be hard? by the_olo · · Score: 2

      Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?

      You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.

      Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.

      Do you really think it's that simple? If it was, there would be no problem.

      Your proposed non-smart card solution (as any stored value one) is inherently susceptible to cloning. Anybody with a RFID/NFC reader can pass close to you just once, then produce a card that's an identical copy (from the perspective of the system) of yours. He can then have a few rides at your cost and discard the cloned card or load another individual's captured data onto it so that he can avoid using a particular person's card for too long.

      The transport company could see symptoms of duplication (rides by the same customer at the same time observed in different areas), but good luck with distinguishing between the original user and the clone! They'd have to employ careful analysis of riding patterns to isolate the individual who uses cloned cards (assuming that his transport usage patterns are uniform).

  6. Smart people... by Coditor · · Score: 2

    ... apparently don't make Smart Cards.

    1. Re:Smart people... by flyingfsck · · Score: 2

      Hmm, you are a funny card, what?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!