The Next Web


Free public transport in Hong Kong, Britain and The Netherlands

joop Written on July 21, 2008 – 1:35 pm
Joop Dorresteijn, Contributing editor

Okay, it's not as simple as free, but Dr. B. Jacobs, computer science professor at the Radboud University Nijmegen, demonstrated how to copy the smart travel cards and travel for free in London last June. His demonstration alarmed the card maker NXP, who claimed that the publication was irrelevant to the research, and filed a case at the Arnhem court. Last Friday, the judge decided that the research can be published this October, leaving little time for the card makers to create a fix.

The court: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.” But with over 1 billion cards sold, the impact of publishing would be devastating.
“I’m very happy that the court upheld the right to open research and freedom of publication,” said K. Nohl, a graduate student at the University of Virginia (CNET News). “I’m also happy that the court understood that publishing vulnerabilities is a crucial part of the evolution of security and a different court outcome would have slowed down that evolution of smart card security and left too many systems vulnerable.”

But for those of you that are thinking of setting up your own card business, Mifare mentions that there are techniques and countermeasures to detect cards and data which have been tampered with.

Edit: Stefan pointed us to the PDF file in the comments!

About the author: Joop is an entrepreneur and blogger located in Seoul, South Korea. Read his blog here.

2 comments to “Free public transport in Hong Kong, Britain and The Netherlands”

  1. By Stefan on Jul 21, 2008

    It’s been out already … http://www.wikileaks.org/leak/.....c-2008.pdf


  2. By Reinier Zwitserloot on Jul 21, 2008

    You’re misreporting the extent of the leak. As far as Oyster, Hong Kong, and the Dutch national OV card are concerned, this hack really doesn’t matter. I’ll explain:

    Mifare cards contain 10 digits. That’s it. That’s all. It’s a glorified barcode. Nothing more. The hack is very simple: Given any 10 digit Mifare code (which you can read out from any card with a simple card reader, that’s not the hack), you can WRITE it onto a blank Mifare card. That’s the hack. You can duplicate cards.

    That’s all. So, in order to screw around with the system, you need to first:

    A) lift some unwitting patsy’s 10-code. You’d do this by having a card reader close to their wallet. You could also just -lift- their wallet and get a lot more cash that way. If you are afraid of being the patsy, just keep two Mifare cards stacked on top of each other on your wallet. Voila - no card reader can read either now. For example, your London Oyster card + your Dutch OV card. Yes, I tried this. It’s also hard to read these out from a distance; it’s been designed for reading from a very close distance.

    B) Dupe their card and get some running shoes, because if the original owner mentions to the authorities that their card’s balance seems to run out all by itself, the 10-code can easily be flagged so that you’ll get some nice attention the next time you try to use your dupe card.

    If you were a high tech thief, you’d be an absolute moron to try this. The risks far, FAR outweigh the tiny benefit compared to the gazillions of other opportunities for someone with that kind of skill.

    It’s still a hack, of course, and the makers of the Mifare card (Philips) should stop claiming that you can’t duplicate 10-codes, but the way everyone’s reporting it, it sounds like you can create a ‘travel for free’ card that is indistinguishable from other cards. That’s *NOT* what’s going on here.

    Security breaches are often an amalgam of individual mostly innocuous events and in that sense this is big. For example, if the official Mifare cards are released with a non-random 10-code, in other words, if it is possible to guess the code of the next fresh Mifare card to be released, you could use a new 10-code every time you travel. Again, you can control this: Randomly destroy each new card with 1 in 10 odds, and flag its 10-code as someone you need to arrest if someone ever used that code.

    The best way I can imagine abusing this is to install a secondary card reader at a recharge terminal, creating an attack similar to the hacked ATMs in the Netherlands of last year. Like the ATM scare, that problem can be managed as well.
