Slashdot Mirror


Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze

McGruber writes "Seven metro Atlanta residents are facing theft, fraud, and racketeering charges for allegedly selling counterfeit MARTA Breeze cards. Breeze cards are stored-value smart cards that passengers use as part of an automated fare collection system which the Metropolitan Atlanta Rapid Transit Authority introduced to the general public in October 2006. Breeze cards are supplied by Cubic Transportation Systems, an American company that provides automated fare collection equipment and services to the mass transit industry. At the time of this slashdot submission, the Wikipedia page for the Breeze Card (last modified on 2 August 2013 at 14:52) says: 'The Breeze Card uses the MIFARE smart-card system from Dutch company NXP Semiconductors, a spin-off from Philips. The disposable, single-use, cards are based on the MIFARE Ultralight while the multiple-use plastic cards are the MIFARE Classic cards. There have been many concerns about the security of the system, mainly caused by the poor encryption method used for the cards.'"


  1. Inevitable... by Shuntros · · Score: 4, Interesting

    Old MiFare stuff is toast, security wise. Any old fool can order some UID-writable tokens on eBay from China, grab a copy of libnfc and mfoc, then things get interesting pretty quickly.

    1. Re:Inevitable... by AdamColley · · Score: 3, Funny

      It's a subsidy for smart people, that's obvious -.o;

    2. Re:Inevitable... by the_B0fh · · Score: 2

      Why do you blame OP? Shouldn't you blame the company for using really stupid and known to be flawed encryption?

    3. Re:Inevitable... by Shuntros · · Score: 3, Insightful

      Well thanks Anonymous Coward (latin: buffoonus maximus), but that's a bit of a tenuous jump. I don't even use public transport, I'm just a guy who does a bit of NFC engineering for the day job and knows the difference between the wrong way to do it and the way I do it. The token security is weak, certainly, but it's easy to protect against with some very low-overhead crypto.

    4. Re:Inevitable... by sjames · · Score: 2

      A 'locksmith' who uses his skills where not authorized is a burglar.

    5. Re:Inevitable... by the_B0fh · · Score: 3, Insightful

      There is this thing called a "reasonable man" standard. If you run a business website, you're expected to run it behind a firewall, and have other security standards in place.

      Otherwise, you end up like any one of those companies that get hacked. I had stated it incorrectly earlier - I do not mean to say criminals who hacked the system are not in the wrong. However, implementing shitty security is also wrong.

      Just like a bank should have a reasonable security system, and the bank's vault should have something better than a $5 padlock. Bank robbers are wrong, but if a bank had only a $5 padlock on it, *THEY ARE WRONG TOO!*

      WHY ARE YOU SO FORGIVING OF COMPANIES THAT IMPLEMENT SHITTY SECURITY OR PUTTING IN FAKE SECURITY?

    6. Re:Inevitable... by the_B0fh · · Score: 2

      Who is talking about perfect security? I'm talking about not deploying systems with *KNOWN* security problems.

      Like how WEP was known flawed and yet deployed, because of people like you. No one is talking about perfect security. But at least put some effort into making it secure, damnit. And by that, I don't mean letting your damned intern throw some shit together, but getting some seasoned professionals in the security field to work on it.

  2. why? by Lehk228 · · Score: 3, Informative

    I don't understand why these systems are set up like this, operationally it's not much different from EZ-Pass which works fine with an account based system, putting the value tracking on the cards is just asking for an upgrade treadmill even if it's well designed now, 10 years from now it will be easily cracked. Compare CPU vs GPU/FPGA/ASIC hashing advances

    --
    Snowden and Manning are heroes.

    1. Re:why? by QuietLagoon · · Score: 4, Informative

      E-ZPasses Get Read All Over New York (Not Just At Toll Booths)

      After spotting a police car with two huge boxes on its trunk — that turned out to be license-plate-reading cameras — a man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He’s not the only one.) The man, who goes by the Internet handle “Puking Monkey,” did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths.

    2. Re:why? by CaptBubba · · Score: 2

      It allows for fallback to the stored value on the card if the data connection between the authenticating device and the home station is unreliable, as would be expected in a wide-ranging bus system when these cards were initially deployed.

      Also EZPass and the like have the additional advantage of being tied to either a registered name or an easily identifiable way to bill someone (via a photo of the license plate) in case their account is empty. You don't have that luxury when dealing with people getting on and off mass transit.

    3. Re: why? by Pinky's Brain · · Score: 2

      The same is true for an anonymously bought card with remotely stored value.

    4. Re:why? by fluffy99 · · Score: 3, Informative

      E-ZPasses Get Read All Over New York (Not Just At Toll Booths)

      The plausible explanation is that they are simply using ez-pass as a means to assess traffic congestion, ie how long is it taking a car to traverse a section of highway. Of course I don't doubt that law enforcement wants access to track people, but generally cell phone tracking is more reliable and readily accessible. Wanna bet these are at the border as well?

  3. Security by ledow · · Score: 5, Informative

    Like everything:

    If you can buy the readers, and someone obviously sells the writers somewhere, you can clone them.

    As soon as you then rely on these tokens to hold individual data themselves (with no reference to a central database), then they become valued targets for attack.

    If you had these cards hold nothing more than a code number, and wired all the readers to talk home, then the system can't be "scammed" as such - people can have their cards cloned, of course, but you can spot it, you can trace them, arrest them at your convenience, and give the original account holder a new card in the meantime as soon as they report the fraud. But because everything has to talk to a central database, the cards are not so much "cash" as a stolen "credit card" - traceable, and stoppable.

    Then, it doesn't matter if you do use something as common as MiFare (a school I used to work in used Mifare entry systems - they weren't expensive or hard to get hold of at all and I used to program my Oyster - London Tube travel - card to open the door for me in the morning if I'd forgotten my ID card). As soon as the readers are that commonplace, the writers will be available even if that means people are building their own and making fake "cards" the size of a Raspberry Pi with some RF circuitry to pretend to be a card. The next step is just a matter of shrinking the device.

    MiFare is long-cracked. You can buy the cards for pence each and the readers (direct to USB, etc.) for a pittance. The next step up is no harder than going from magstripe readers and cards up to magstripe writers with the correct magstripe "level" to read/write the banking data on an old magstripe credit card.

    Don't put "value" into a chip that can be cloned. Put the value into a central, monitored, system, and provide people only with a codenumber to access it. That codenumber can be cloned still, sure, but then you can watch out for it, notice it, blacklist it, catch people red-handed. And they can't go spending "free money" offline from your system.

    This is my biggest bugbear with London's Oyster system. It's just a number for the most part, but they try to store "value" on the cards and let you buy newspapers with them. Now you have an offline, valued, unmonitored, commodity on an easy-to-clone chip.

    1. Re:Security by jonbryce · · Score: 2

      Oyster is mostly online. There is an offline backup, because if you use it on a bus, the bus may not have a network signal at your bus stop. If you do manage to hack an Oyster card, it will work for one day, but when the reconciliation is done overnight, your card will be blacklisted and it won't work the following day, even in offline mode.

    2. Re:Security by ledow · · Score: 2

      Not true - it's a lot more "offline" than you think.

      That's why you have to nominate a station to "collect" your top-up - basically they preload to that station in the morning and then your card gets an instruction that you have X pounds more on it now. The card knows how much you have and works when the system is out (done it many times). That's how the vendor purchases work too - they rely on the card to have an up-to-date record of how much PAYG credit they have.

      But, that said, when it is networked - as pointed out - it all gets noticed quite quickly. This is my point - network and keep online as much as possible and don't rely on the CARD to tell you how much money the user has. Use a number on the card to refer to a central database and take a loss on "system down" times rather than "user can clone any card" times (and then keep things up as much as possible).

    3. Re:Security by ledow · · Score: 2

      Our Mifare card access system used to read data off of the latest PayWave-type phones. To our systems it was just a random long number but it uses the same frequencies, protocols, etc. as everything else RFID to power itself/send it.

      Caused havoc with our systems when people started buying Galaxy S3's and holding them in their hands while they swiped their entry cards. We wondered what the hell was going on for a long time.

  4. Another card scam... by QuietLagoon · · Score: 3, Interesting

    Police Warn of Gift Card Scam

    Fare cards, gift cards, credit and debit cards used at Target, etc., etc., etc...

    When are we going to make our ersatz money secure?

  5. Does it really need to be secure? by JoeyRox · · Score: 2

    Naturally if they're going to spend the money on a secure system it might as well fulfill that goal. But do these metro metering devices really need to be all that secure? I checked MARTA's fare schedule and their most expensive ticket is $5 round-trip. Doesn't seem like enough incentive for the average joe to cheat it, esp. when you consider how transit authorities use a few high-profile prosecutions to discourage people from even buying second-hand tickets let alone hacking their own. In my view the system only need be marginally more secure than the honor system.

    1. Re:Does it really need to be secure? by BringsApples · · Score: 2

      In my view the system only need be marginally more secure than the honor system.

      I couldn't agree more. And since there is an extreme lack of honor these days, I feel that the next step, rather than spend so much money to secure the transaction(s), is to simply utilize credit/debit cards. If that doesn't work, fuck it, shut the MARTA down; "Sorry folks, the people in this area are too wicked to have nice things."

      --
      Politics; n. : A religion whereby man is god.

    2. Re:Does it really need to be secure? by Pembers · · Score: 2

      Apparently they also do passes that are good for 30 days, which cost $96 (see the comment a few places above). The scam was to buy lots of $1 tickets and reprogram them into 30-day ones.

  6. Re:Any Detail, At All? by McGruber · · Score: 4, Informative

    What about any detail at all about this? What "weak" encryption do they use? How was it broken? What was the value of the fraud? Can these cards be used for anything else, or cashed out, or does this fraud require very extensive MARTA ridership?

    Seven people have been charged with fairly serious crimes, but I can't see the value of the fraud being more than a few hundred or few thousand dollars. It's like counterfeiting $1 bills, what's the point?

    It appears that MARTA is just discovering the extent of the fraud, based upon the information in this article by the NBC affiliate in Atlanta: Atlanta Channel 11 TV News: 7 arrested for MARTA Breeze Card fraud

    Some detail:

    MARTA says the thieves spent $1 to buy the Breeze card, then reprogrammed the data on it to turn it into a 30-day pass. They then sold it to riders for $40, a deep discount of the real price of $96. That meant the thieves got to pocket $39, and the buyers got a cheap ride.

    and

    MARTA police chief Wanda Dunham says the cards were sold at MARTA stations and on Craigslist. But it was a suspicious buyer who purchased one at an area mall that contacted police. "He knew that wasn't the right fare so he called us, asked us to check into it," said Dunham.

    As they investigated, the agency's Revenue Department noticed in November, a large number of cards were sold at its Chamblee and Lenox stations for only a dollar. Police started reviewing surveillance video to create a list of suspects.

    MARTA won't say how many counterfeit cards the group sold, but says during the arrests it confiscated 400 fraudulent cards. Had the thieves sold them, their $400 initial investment would have earned them $16,000.

    MARTA says it's never had something like this happen before, but security expert Gregory Evans says MARTA needs to act fast, if it wants to keep it from happening again. He says the hackers likely got away with their scheme using a simple card writer that costs just a few hundred dollars. "The crazy part, the scary part about this? MARTA would have never known if some had not gone back and told them what was happening. That's it," said Evans. Evans says the data on the card could be encrypted and an alert built into their software system. "If I go to use this card somewhere and all the sudden there's $100 on this card, their system should have caught that and said hold up," Evans said.
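A worked illustration of the control ledow, jonbryce and Evans are all describing: readers accept a tap even when offline, but the back office keeps the only trusted record of what was sold and loaded, and an overnight reconciliation blacklists any card whose chip-reported product or balance the ledger cannot explain. This is an added example, not MARTA's, Cubic's or any commenter's code; the ledger, tap batch, product names and amounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tap:
    card_id: str
    ts: int          # reader timestamp (constructed, arbitrary units)
    product: str     # product the chip itself claims: "SINGLE" or "30DAY"
    balance: int     # stored-value balance the chip itself claims, in cents
    fare: int        # fare the reader deducted, in cents

# Constructed central ledger: what the back office actually sold/loaded per card,
# card_id -> (product sold, total stored value loaded in cents).
LEDGER = {
    "card-A": ("SINGLE", 250),  # one $2.50 ride bought at a vending machine
    "card-B": ("30DAY", 0),     # a genuine 30-day pass, no stored value
    "card-C": ("SINGLE", 100),  # a $1 card, later rewritten on the chip only
    "card-D": ("SINGLE", 250),
}

# Constructed batch of taps uploaded from readers, including offline buses.
TAPS = [
    Tap("card-A", 1000, "SINGLE", 250, 250),
    Tap("card-B", 1010, "30DAY", 0, 0),
    Tap("card-C", 1020, "30DAY", 0, 0),         # chip says 30DAY, ledger says $1 SINGLE
    Tap("card-D", 1030, "SINGLE", 250, 250),
    Tap("card-D", 1040, "SINGLE", 10000, 250),  # $100 appeared with no recorded top-up
]

def reconcile(ledger, taps):
    """Return {card_id: [reasons]} for cards whose chip-reported state cannot be
    explained by the central ledger. Readers already accepted the tap (offline
    fallback); this nightly pass decides what is blacklisted for the next day."""
    spent = defaultdict(int)      # fares already deducted per card, replayed in order
    flagged = defaultdict(list)
    for t in sorted(taps, key=lambda tap: tap.ts):
        if t.card_id not in ledger:
            flagged[t.card_id].append("unknown card id")
            continue
        product, loaded = ledger[t.card_id]
        if t.product != product:
            flagged[t.card_id].append(f"product {t.product!r} never sold (ledger: {product!r})")
        expected = loaded - spent[t.card_id]
        if t.balance > expected:
            flagged[t.card_id].append(f"balance {t.balance} exceeds ledger {expected}")
        spent[t.card_id] += t.fare
    return dict(flagged)

def blacklist(ledger, taps):
    """Card ids every reader, online or offline, should reject from tomorrow on."""
    return sorted(reconcile(ledger, taps))
```

Running reconcile(LEDGER, TAPS) flags card-C (a product the ledger never sold) and card-D (a balance no recorded top-up explains), while cards A and B pass; the cloned or rewritten chip still gets one day of rides, which is the loss the commenters argue is acceptable compared with trusting the chip indefinitely.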

  7. Re:Except you don't have a 100% link to your db by davidwr · · Score: 2

    Always allow, but record the transactions, and go back later to reconcile.

    In other words, treat it like we used to treat credit cards back before instant verification.

    Anyone else remember signing a multi-part credit card form and having the clerk run it through the "ker-chunker"?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  8. Re:Any Detail, At All? by noh8rz10 · · Score: 2

    Seven people have been charged with fairly serious crimes, but I can't see the value of the fraud being more than a few hundred or few thousand dollars. It's like counterfeiting $1 bills, what's the point?

    I spent $3,000 on Metrolink tickets last year in Los Angeles. I know many people who pay more. There is serious money in mass transit.

  9. Quick question by Okian Warrior · · Score: 5, Interesting

    Out of curiosity, how much revenue comes in from fares, and how much expense goes out in fare maintenance?

    A lot of metro systems charge fares in addition to getting public support from taxes. Has anyone thought to tally the costs of the fare system compared to the income? Things like cost of the machines, maintenance of the machines, maintenance of the turnstiles, accounting, law enforcement &c... all these things add up.

    Even if the fares bring in revenue, it's probably minor. Most of the cost goes into collecting the fares, so most of that value is wasted.
    The economy would get a boost if that money were freed up to be spent by consumers, and doing so would help the people who need it the most (ie - poor people).

    This whole thing seems like a fabricated problem - a system that forces people to spend money just for the sake of spending it. Then spend more money reimplementing the system when the original system is found to have flaws, then spend countless hours and resources in enforcement and prosecution.

    Just get rid of it. Let the money go into the economy.

    1. Re:Quick question by swb · · Score: 2

      That's a great question. From what I've read about the Minneapolis light rail system, fares cover about a third of the operating cost. I'm not sure what the fare collection costs are (machines, enforcement, etc) but it's hard to see them being more than 10% of the fare revenue, especially when you consider that a lot of the collection costs are upfront (buying, installing machines, etc) and basically one-time costs.

      You do wonder what would happen if they just made riding it free. It might mean more ridership which would enhance some of the secondary economic value of the system which seems to be a major selling point (reduced traffic, development on the line, etc).

    2. Re:Quick question by bsa3 · · Score: 2

      There are indeed reasonable number of fare-free systems. But you neglect the core purpose of public transit as it is seen by most US governments—i.e. distributing cash. Even if a system has 10% farebox recovery, they still get to buy the equipment and employ people to collect the money. Sure, they could go to proof-of-payment (or drop fares entirely), and further reduce costs by putting the Buy America Act and Davis-Bacon out of their misery, but that would reduce the opportunity for graft.

  10. NYC born, recently moved to Atlanta by Deemus · · Score: 2

    MARTA - Moving Africans Rapidly Through Atlanta (or so the locals call the system).

    It's probably wrong to, but I applaud the hackers. It's really only the poor folks in Atlanta that use the system (everyone else drives) and every little bit they can save helps.