Forgot your password?
typodupeerror
Security Encryption Transportation

New Zealand's Hackable Transport Card Grants Free Bus Rides 96

Posted by Unknown Lamer
from the we'll-fix-that-tomorrow dept.
mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MiFare Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users meaning attackers could look up details of residents and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009." There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.
This discussion has been archived. No new comments can be posted.

New Zealand's Hackable Transport Card Grants Free Bus Rides

Comments Filter:
  • There have been already a couple of mifrate classic public transport implementations where they discovered the card was abusable! eg http://en.wikipedia.org/wiki/OV-chipkaart#Technology [wikipedia.org]
    This was known in 2007.

    • by Z00L00K (682162)

      Also several of the travel passes in Sweden have the same flaw, Västtrafik, SL etc. - all uses the same data format and basic strategy.

      It's fairly easy to hack and with the new cell phones with NFC you can even copy the card that someone else carries without them knowing it and copy that to another card.

      There are better cards that has better encryption, but it's just a question of time before they are broken too.

  • by johnjones (14274) on Saturday November 09, 2013 @10:15PM (#45380257) Homepage Journal

    frankly they should have used a software system that worked with phones with optional card if you wanted it rather than a phone

    Oyster has been hacked again and again...

    http://www.wired.com/autopia/2008/06/hackers-crack-l/ [wired.com]

    regards

    John Jones

     

    • frankly they should have used a software system

      Or here's something left field, how about make public transport free and just pay for it through a flat levy? Oh noes! higher taxes! Yeah it won't sell politically, but really common sense tells you public transport benefits everyone so should be paid for out of the public purse. And think of how much more efficient you can make it when you don't have to bother with complicated ticketing systems. If you like public transport it's a win, if you're a Canyonero fan then you also win (less other cars on the roa

      • Public transport is heavily subsidised in New Zealand.

        I don't know about Christchurch, but in Wellington public transport is 2/3rds funded by rate payers.

        • I visited Christchurch about 6 years ago and all bus trips were the same price regardless of distance traveled.

          Of course I can not say if it is still the same, But I did appreciate the flat fare structure.

      • how about make public transport free and just pay for it through a flat levy?

        I'm all for subsidizing this kind of public infrastructure if only because the alternative is using tax money to deal with all the extra traffic. However, I don't believe that making it free is a good idea. Transportation, public or not, still costs money; with free public transport, all financial incentives for people to reduce unnecessary movements disappear, as do financial incentives for the operators to increase efficiency. Th

        • by Calydor (739835)

          What?

          You are confusing 'free' with 'paid for by your tax dollars'.

          People are not going to suddenly spend half their day on a bus driving back and forth because suddenly it's free (at the point of getting onto the bus) to do so. They will go where they need to go, just as they do today.

          The operator will get X million dollars from the government (from your tax dollars) to keep the busses running, serviced etc. If they go over budget they're screwed, which means they will want to increase efficiency so there's

          • by hankwang (413283)

            People are not going to suddenly spend half their day on a bus driving back and forth because suddenly it's free

            Actually, I think that that is exactly what will happen. See the other comment about loitering (sitting on the bus/train forever to keep warm). Other example: some 20 years ago, Netherlands introduced unlimited "free" public transport (bus and nation-wide trains) for students (age 18-24 years). It created a huge surge in passenger numbers, much more than what could be covered by the reduction in m

        • by mspohr (589790)

          Really? "Unnecessary movements...?"
          Should people just stay home and not go to work or socialize or recreate?
          As far as efficiency... every transport system has a budget and assets and costs... a good manager will optimize their use. A good manager will get good performance reviews and will be successful. This has nothing to do with the cost (free or otherwise) of the ride. People will be happy or unhappy with the service depending on the schedule of the transport and the facilities. They may be a bit more un

        • by tqk (413719)

          I don't believe that making it free is a good idea. Transportation, public or not, still costs money; with free public transport, all financial incentives for people to reduce unnecessary movements disappear, as do financial incentives for the operators to increase efficiency. This is asking for ever increasing costs of the public transport system.

          Those buses and trains are on a schedule and are going to run if they can whether they're full or empty. At Rush Hour, they're full. Midnight Tuesday when the late shift goes home, not so much. Is it really going to cost that much more to run them empty than if they're full?

          I think if you'd have taken public transport recently, you wouldn't have brought up that "unnecessary movements" bit. These systems are more than capable of discouraging such activity all by themselves. I've lived here for about fou

        • I don't think you've thought that through. What exactly is an unnecessary movement?The whole point pf is to get people moving as freely and as often as they want since this inevitablly improves everyone's lives, AND helps the overall economy. The cost will only rise to the real actual cost of moving people, and that will always be cheaper to do in bulk than some illusion of ubiquitous private transport.
      • Or here's something left field, how about make public transport free and just pay for it through a flat levy? Oh noes! higher taxes! Yeah it won't sell politically, but really common sense tells you public transport benefits everyone so should be paid for out of the public purse. And think of how much more efficient you can make it when you don't have to bother with complicated ticketing systems. If you like public transport it's a win, if you're a Canyonero fan then you also win (less other cars on the road to get in your way). Of course it'll never happen because the 2nd amendment or some other bullshit excuse.

        Hmm ... sure, if you consider it a public benefit by getting the unwashed out of the way packed into their cattle cars, leaving the streets less crowded for us haves.

        Tougher sell put that way, though ...

        • I used to live in Hong Kong where the us haves travel the same public transport as the great unwashed. I found it a lot easier and more civilised than anywhere else in the word where private transport dominates.
      • by Macgrrl (762836)

        OK, so if public transit is free, how do we encourage people to swipe on and swipe off? What, why would we want them to I hear you say - it's about collecting system usage metrics for better planning.

        I suspect in most cases it would probably be cheaper not to collect fares and simply manage it via a levy/tax, if the usage patterns were never going to change. However if you need to capture the number of unique users of a system and which lines and stops they use and what times - some kind of networked token

        • Trivial problems that solutions already exist for. A led beam at the door will give you a reasonably accurate count, cameras can do accurate counts of people movement (I used to work for a place that did this specifically), or you just pick on mobile phone signals.
  • by waynemcdougall (631415) <slashdot@codeworks.gen.nz> on Saturday November 09, 2013 @10:20PM (#45380275) Homepage

    Good news everybody! Here in New Zealand such actions as hacking cards to add value, or taking personal information off websites, or even wiping data off someone else's computer system are all illegal.

    Thus solving the problem once and for all.

  • by Earthquake Retrofit (1372207) on Saturday November 09, 2013 @10:55PM (#45380345) Homepage Journal
    "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free."

    So I get free rides on the bus and anyone can see my (fairly public) directory information... not such a bad deal.

    • by PRMan (959735)
      Clearly the submitter doesn't understand the culture of the south island of New Zealand. When I was there recently, there were bags of apples in a barn with an "honesty box" where you paid the amount listed on the bag. Could I have stolen all the apples and got them "free"? I guess. But that's not the culture there. People pay for things because it's the right thing to do, not because the card "makes" them.
  • by jonwil (467024) on Saturday November 09, 2013 @11:02PM (#45380365)

    Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?

    You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.

    Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.

    • by kwark (512736)

      You need to take into consideration that there is no active connection to the central office, terminals and cards have to be able to work standalone if you want to stop abuse of anonymous cards and gsm jammers (in busses).

      • by jonwil (467024)

        Thats why the terminals have all the intelligence.
        If the system is designed right, forged cards, replay attacks (e.g. add $50 to the card, read its contents, spend the $50, write the old contents to get a free top-up) and other such things can be prevented.

        What you can do is to add a simple hardware increment-only counter to the card. Each time the card is written to, the counter is incremented by the circuit logic. When the card is read, if the value of the counter doesn't match whats stored in the encrypt

        • What you can do is to add a simple hardware increment-only counter to the card. Each time the card is written to, the counter is incremented by the circuit logic. When the card is read, if the value of the counter doesn't match whats stored in the encrypted-and-signed blob, it will reject the card.

          easy just roll it over so it loops back or even better have roll over to a negative number so when you try to get on the bus it says read error and they may just let you ride free after a few try's.

        • If the system is designed right, forged cards, replay attacks (e.g. add $50 to the card, read its contents, spend the $50, write the old contents to get a free top-up) and other such things can be prevented.

          What is the practical gain from that?

          The reality is that 99.9% of people are honest and will pay what they should regardless of whether the cards are insecure and could be 'hacked'. As such there isn't much to be gained from designing a system that protects against things almost no one is going to do

          • by kwark (512736)

            "The reality is that 99.9% of people are honest and will pay what they should regardless of whether the cards are insecure and could be 'hacked'."

            People are less honest then you think, most will do stuff they know they shouldn't if they think they will not get caught, even when there is no financial need.

            This chipcards and the required tollgates were introduced with a promise to stop fare dodgers. Recent news of the dutch system appears to have the effect of going from 11% to 2%. http://www.ad.nl/ad/nl/101 [www.ad.nl]

      • But this is a bus. There is an active connection to the central office. Some of them even have free WiFi.
        In Wellington our buses have a system called "Snapper". It's an NFC card that's used in buses and some stores. No value is stored on the card, you scan it when you get on the bus and scan when you get off. The correct fare is automatically taken from your balance.

        There are also a few phones it is compatible with.

        • by kwark (512736)

          "But this is a bus. There is an active connection to the central office."

          Until the perp. is using a gsm jammer (or you get into an area without coverage). The bus terminal will store the transaction for later validation, but since the perp is using an anonymous or cloned card he has gotten an untracable free ride.

          • $3.80 saved by only an hours work and a thousand dollars worth of hardware along with the possibility of jail time... bargain :)

            • I think for this it's more about hacking the system and sticking it to the 'man' than about $3.80.
              I'm fortunate enough to be working for a company that on the odd occasion actually asks me to hack/reverse engineer things and nothing beats finding that chink in the armor.
          • easy fix if the connect goes down NO RIDE in fact if the card is in any way unreadable NO RIDE.

            couple this with a requirement that the readers must be working for the bus to stay in service and Bobs Your Uncle

            • by jonwil (467024)

              I have ridden on buses many times where the readers are not working (in fact I rode one the other day) and the driver just tells everyone to get on anyway (the readers in my city have a back-to-base link as far as I know). Often the alternative to "run the service with broken readers and let people on for free" is "don't run the service at all and piss people off because their bus didn't show up", "get a replacement bus with working readers and piss people off because the bus is late" or "get another driver

          • If the connection is cut, the terminals stop working and you have to actually converse with the bus driver and pay cash

        • by Kalriath (849904)

          Snapper isn't realtime either. The data is stored by the (offline) onboard computer, the new value written to the card, and the transactions online processed overnight when the data is shipped off to the Data Warehouse in Seoul, South Korea (at which point if you're in Auckland, the data is also propagated back to Auckland Transport for analysis). Most buses do not have active online connections.

    • Because of laws that prevent the government from doing anything themselves. Everything has to be contracted out because a bunch of politicians think that the free market is magic. Of course, contractors have financial incentives to deliver projects that take longer than advertised because they get paid for that extra time spent. Having competent people means that the project is finished quickly, so hiring idiots is financially beneficial. Of course, the contractor also gets paid for all the maintenance
    • by vakuona (788200)

      Winner's curse. The implementation of any public project tends to be awarded to the lowest cost bidder, the one who has underestimated the costs.

      • by Kalriath (849904)

        No it isn't, the implementation is awarded to the largest bidder, who estimated their costs perfectly fine, padded them by 150%, and lied about the timelines.

    • by the_olo (160789)

      Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?

      You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.

      Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.

      Do you really think it's that simple? If it was, there would be no problem.

      Your proposed non-smart card solution (as any stored value one) is inherently susceptible to cloning. Anybody with a RFID/NFC reader can pass close to you just once, then produce a card that's an identical copy (from the perspective of the system) of yours. He can then have a few rides at your cost and discard the cloned card or load another individual's captured data onto it so that he can avoid using a particular person's card fo

      • by jonwil (467024)

        Ok so you add a unique hardware ID (burned into the card when its manufactured and unchangeable) and the data stored on the card is tied to it. If the card data is cloned, the card its cloned to wont have the correct ID and will fail to work.

        Its not like the people cloning these cards to get free bus travel are going to be spending dollars on equipment that can somehow create cards with the correct unique ID for the cards they are copying. Plus, a cloned card wont have the correct transit company logos on i

        • by the_olo (160789)

          Ok so you add a unique hardware ID (burned into the card when its manufactured and unchangeable) and the data stored on the card is tied to it. If the card data is cloned, the card its cloned to wont have the correct ID and will fail to work.

          Its not like the people cloning these cards to get free bus travel are going to be spending dollars on equipment that can somehow create cards with the correct unique ID for the cards they are copying. Plus, a cloned card wont have the correct transit company logos on it (unless you can replicate that too which also costs dollars to do properly) meaning inspectors or drivers looking to see your card (which happens on the transit network in my city which also has a card system) will see that its a fake.

          How do you propose to practically achieve this "burned" ID?

          How can you prevent the attacker from obtaining cards from a different manufacturer who doesn't do this "burning in" and lets the users to set any value in any stored field?

          The whole aim of having the cards being "smart" is that they can be equipped with a protected private key that they don't allow to be read from the outside world and that these cards perform cryptographic signing internally, without letting any secret information about perfor

    • Such cards have existed for many years. The NZ bus network is apparently using "MiFare Classic" which is very, very old now and is known to be weak. Designing better systems is no use if people don't upgrade to them.

    • by lakeland (218447)

      Because it is hard.

      (Disclaimer: I used to work for a company which bid unsuccessfully a few years ago to fix up the Christchurch system)

      Probably the hardest part is the decentralised nature. How much money do you have out there? If this card claims to have been topped up by a terminal but you have no record of that, either the terminal is slow at reporting back, or the card is lying. By the time you know, it's too late. We have no way of communicating with a card except when it happens to be brought on b

      • by Kalriath (849904)

        And unfortunately that national standard has already been chosen in the form of Auckland Transport's buggy, half-assed implementation brought to you by Thales. It's over-budget, late, plagued by "intermittent technical difficulties" and you'll be lucky if customer service doesn't tell you to just throw your card away and buy a new one if you get hit by one of the system's biggest flaws (like, I don't know, a refusal to top up your account after you've paid - the amount just sits as "pending" and never appl

  • by Anonymous Coward

    they just had their city destroyed by an earthquake. let them have all the free bus rides they want.

  • ... apparently don't make Smart Cards.
  • Although there is no excuse for lousy security, the "security hobbyist" did fail to mention in the article that the city was hit by an earthquake [wikipedia.org] in February 2011, which mostly destroyed the central city [stuff.co.nz]. I suspect that might have more to do with Ecan's delay in implementing a new system, rather than just "they wanted a new flashy-looking website".
  • by rueger (210566)
    Thankfully the new "Compass" card being forced onto Vancouver transit users will absolutely, positively have none of these problems.

He keeps differentiating, flying off on a tangent.

Working...