New Zealand's Hackable Transport Card Grants Free Bus Rides 96
mask.of.sanity writes "Kiwis could have their names, addresses, dates of birth and phone numbers exposed by flaws in the Christchurch public transport system that could also allow locals to travel on buses for free. The flaws in the MiFare Classic system allow anyone to add limitless funds to their transport cards and also buy cheap grey market cards and add them to the system. The website fails to check users meaning attackers could look up details of residents and opens the potential for someone to write a script and erase all cards in existence. Several flaws have been known to the operator since 2009."
There are two sets of problems: their website is not adequately secured, allowing identity harvesting attacks, and the transit cards themselves are easy to forge.
Why is everyone reinventing the wheel? (Score:2)
There have been already a couple of mifrate classic public transport implementations where they discovered the card was abusable! eg http://en.wikipedia.org/wiki/OV-chipkaart#Technology [wikipedia.org]
This was known in 2007.
Re: (Score:2)
All makes could be supported? Only those with bluetooth low energy support.
Also, no one has made a passive bluetooth card yet. It requires too much power and runs at 2.4GHz. You'd need to supply power on a different frequency.
Re: (Score:1)
Bluetooth? They just shouldn't have picked a known bad contactless smartcard. NFC is perfectly suitable for this (and can be tied to "modern" phones)
Re: (Score:1)
MiFare _IS_ a NFC card.
Most of the problems I see with them revolve around operators not even bothering to use encryption in the first place.
Re: (Score:2)
[This] is yet another example of how big companies buy systems that clearly dont work[. You] only have to look at the Sydney transport mess...
FTFY. If those buying !@#$ buy !@#$, they should bear the guilt.
Re: (Score:2)
Also several of the travel passes in Sweden have the same flaw, Västtrafik, SL etc. - all uses the same data format and basic strategy.
It's fairly easy to hack and with the new cell phones with NFC you can even copy the card that someone else carries without them knowing it and copy that to another card.
There are better cards that has better encryption, but it's just a question of time before they are broken too.
that and Sydney... should have gone bluetooth (Score:3)
frankly they should have used a software system that worked with phones with optional card if you wanted it rather than a phone
Oyster has been hacked again and again...
http://www.wired.com/autopia/2008/06/hackers-crack-l/ [wired.com]
regards
John Jones
Re: (Score:3)
frankly they should have used a software system
Or here's something left field, how about make public transport free and just pay for it through a flat levy? Oh noes! higher taxes! Yeah it won't sell politically, but really common sense tells you public transport benefits everyone so should be paid for out of the public purse. And think of how much more efficient you can make it when you don't have to bother with complicated ticketing systems. If you like public transport it's a win, if you're a Canyonero fan then you also win (less other cars on the roa
Re: (Score:2)
Public transport is heavily subsidised in New Zealand.
I don't know about Christchurch, but in Wellington public transport is 2/3rds funded by rate payers.
Re: (Score:1)
I visited Christchurch about 6 years ago and all bus trips were the same price regardless of distance traveled.
Of course I can not say if it is still the same, But I did appreciate the flat fare structure.
Re public transport for free? (Score:2)
I'm all for subsidizing this kind of public infrastructure if only because the alternative is using tax money to deal with all the extra traffic. However, I don't believe that making it free is a good idea. Transportation, public or not, still costs money; with free public transport, all financial incentives for people to reduce unnecessary movements disappear, as do financial incentives for the operators to increase efficiency. Th
Re: (Score:2)
What?
You are confusing 'free' with 'paid for by your tax dollars'.
People are not going to suddenly spend half their day on a bus driving back and forth because suddenly it's free (at the point of getting onto the bus) to do so. They will go where they need to go, just as they do today.
The operator will get X million dollars from the government (from your tax dollars) to keep the busses running, serviced etc. If they go over budget they're screwed, which means they will want to increase efficiency so there's
Re: (Score:2)
Actually, I think that that is exactly what will happen. See the other comment about loitering (sitting on the bus/train forever to keep warm). Other example: some 20 years ago, Netherlands introduced unlimited "free" public transport (bus and nation-wide trains) for students (age 18-24 years). It created a huge surge in passenger numbers, much more than what could be covered by the reduction in m
Re: (Score:2)
Really? "Unnecessary movements...?"
Should people just stay home and not go to work or socialize or recreate?
As far as efficiency... every transport system has a budget and assets and costs... a good manager will optimize their use. A good manager will get good performance reviews and will be successful. This has nothing to do with the cost (free or otherwise) of the ride. People will be happy or unhappy with the service depending on the schedule of the transport and the facilities. They may be a bit more un
Re: (Score:2)
I don't believe that making it free is a good idea. Transportation, public or not, still costs money; with free public transport, all financial incentives for people to reduce unnecessary movements disappear, as do financial incentives for the operators to increase efficiency. This is asking for ever increasing costs of the public transport system.
Those buses and trains are on a schedule and are going to run if they can whether they're full or empty. At Rush Hour, they're full. Midnight Tuesday when the late shift goes home, not so much. Is it really going to cost that much more to run them empty than if they're full?
I think if you'd have taken public transport recently, you wouldn't have brought up that "unnecessary movements" bit. These systems are more than capable of discouraging such activity all by themselves. I've lived here for about fou
Re: (Score:2)
Re: (Score:2)
Or here's something left field, how about make public transport free and just pay for it through a flat levy? Oh noes! higher taxes! Yeah it won't sell politically, but really common sense tells you public transport benefits everyone so should be paid for out of the public purse. And think of how much more efficient you can make it when you don't have to bother with complicated ticketing systems. If you like public transport it's a win, if you're a Canyonero fan then you also win (less other cars on the road to get in your way). Of course it'll never happen because the 2nd amendment or some other bullshit excuse.
Hmm ... sure, if you consider it a public benefit by getting the unwashed out of the way packed into their cattle cars, leaving the streets less crowded for us haves.
Tougher sell put that way, though ...
Re: (Score:2)
Re: (Score:2)
OK, so if public transit is free, how do we encourage people to swipe on and swipe off? What, why would we want them to I hear you say - it's about collecting system usage metrics for better planning.
I suspect in most cases it would probably be cheaper not to collect fares and simply manage it via a levy/tax, if the usage patterns were never going to change. However if you need to capture the number of unique users of a system and which lines and stops they use and what times - some kind of networked token
Re: (Score:2)
Problem already solved (Score:5, Funny)
Good news everybody! Here in New Zealand such actions as hacking cards to add value, or taking personal information off websites, or even wiping data off someone else's computer system are all illegal.
Thus solving the problem once and for all.
Re: (Score:2)
Guns are legal in NZ, if you hold a gun license.
Although, around 40 people are still murdered every year. Most without guns.
Re: (Score:3)
Actual US homicide rate, courtesy of the CDC: 16,259, of which 11,078 were using firearms.
So you have a 5.74x greater chance of being murdered in the USA than in New Zealand, assuming your figure was correct. (I didn't bother to check it.) And even if you ignore the firearm deaths completely in the US (but still include them for NZ), you still have 1.83x greater chance of being murdered in the USA.
So much for the whole "gun
Re: (Score:2)
I was just pointing out NZ is cooler than USA
Such a deal (Score:3)
So I get free rides on the bus and anyone can see my (fairly public) directory information... not such a bad deal.
Re: (Score:3)
Why do transit smartcards need to be hard? (Score:4, Informative)
Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?
You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.
Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.
Re: (Score:1)
You need to take into consideration that there is no active connection to the central office, terminals and cards have to be able to work standalone if you want to stop abuse of anonymous cards and gsm jammers (in busses).
Re: (Score:3)
Thats why the terminals have all the intelligence.
If the system is designed right, forged cards, replay attacks (e.g. add $50 to the card, read its contents, spend the $50, write the old contents to get a free top-up) and other such things can be prevented.
What you can do is to add a simple hardware increment-only counter to the card. Each time the card is written to, the counter is incremented by the circuit logic. When the card is read, if the value of the counter doesn't match whats stored in the encrypt
Re: (Score:2)
What you can do is to add a simple hardware increment-only counter to the card. Each time the card is written to, the counter is incremented by the circuit logic. When the card is read, if the value of the counter doesn't match whats stored in the encrypted-and-signed blob, it will reject the card.
easy just roll it over so it loops back or even better have roll over to a negative number so when you try to get on the bus it says read error and they may just let you ride free after a few try's.
Re: (Score:2)
by going way over NVRAM's rated write cycles.
Or you could just microwave the card
Re: (Score:2)
What is the practical gain from that?
The reality is that 99.9% of people are honest and will pay what they should regardless of whether the cards are insecure and could be 'hacked'. As such there isn't much to be gained from designing a system that protects against things almost no one is going to do
Re: (Score:1)
"The reality is that 99.9% of people are honest and will pay what they should regardless of whether the cards are insecure and could be 'hacked'."
People are less honest then you think, most will do stuff they know they shouldn't if they think they will not get caught, even when there is no financial need.
This chipcards and the required tollgates were introduced with a promise to stop fare dodgers. Recent news of the dutch system appears to have the effect of going from 11% to 2%. http://www.ad.nl/ad/nl/101 [www.ad.nl]
Re: (Score:2)
But this is a bus. There is an active connection to the central office. Some of them even have free WiFi.
In Wellington our buses have a system called "Snapper". It's an NFC card that's used in buses and some stores. No value is stored on the card, you scan it when you get on the bus and scan when you get off. The correct fare is automatically taken from your balance.
There are also a few phones it is compatible with.
Re: (Score:1)
"But this is a bus. There is an active connection to the central office."
Until the perp. is using a gsm jammer (or you get into an area without coverage). The bus terminal will store the transaction for later validation, but since the perp is using an anonymous or cloned card he has gotten an untracable free ride.
Re: (Score:2)
$3.80 saved by only an hours work and a thousand dollars worth of hardware along with the possibility of jail time... bargain :)
Re: (Score:1)
I'm fortunate enough to be working for a company that on the odd occasion actually asks me to hack/reverse engineer things and nothing beats finding that chink in the armor.
Re: (Score:2)
easy fix if the connect goes down NO RIDE in fact if the card is in any way unreadable NO RIDE.
couple this with a requirement that the readers must be working for the bus to stay in service and Bobs Your Uncle
Re: (Score:2)
I have ridden on buses many times where the readers are not working (in fact I rode one the other day) and the driver just tells everyone to get on anyway (the readers in my city have a back-to-base link as far as I know). Often the alternative to "run the service with broken readers and let people on for free" is "don't run the service at all and piss people off because their bus didn't show up", "get a replacement bus with working readers and piss people off because the bus is late" or "get another driver
Re: (Score:2)
If the connection is cut, the terminals stop working and you have to actually converse with the bus driver and pay cash
Re: (Score:2)
Snapper isn't realtime either. The data is stored by the (offline) onboard computer, the new value written to the card, and the transactions online processed overnight when the data is shipped off to the Data Warehouse in Seoul, South Korea (at which point if you're in Auckland, the data is also propagated back to Auckland Transport for analysis). Most buses do not have active online connections.
Re: (Score:2)
Re: (Score:2)
Winner's curse. The implementation of any public project tends to be awarded to the lowest cost bidder, the one who has underestimated the costs.
Re: (Score:2)
No it isn't, the implementation is awarded to the largest bidder, who estimated their costs perfectly fine, padded them by 150%, and lied about the timelines.
Re: (Score:3)
Why is it that transit smart cards always seem to take longer to roll out than promised, cost more than promised, end up being more complex than promised and end up being less secure than they should be?
You dont even need to make the cards themselves "smart", you can make the cads just data storage devices that can store an encrypted data blob and do all the cryptography and stuff in the readers. And you can use good strong well-tested cryptography instead of inventing your own crypto.
Cards would be cheaper because they wouldn't contain much logic, just a memory chip, RFID/NFC/whatever antenna and some logic to read from and write to the memory chip. Anyone who builds a reader and reads their card out will simply get an encrypted/signed blob that they cant mess with.
Do you really think it's that simple? If it was, there would be no problem.
Your proposed non-smart card solution (as any stored value one) is inherently susceptible to cloning. Anybody with a RFID/NFC reader can pass close to you just once, then produce a card that's an identical copy (from the perspective of the system) of yours. He can then have a few rides at your cost and discard the cloned card or load another individual's captured data onto it so that he can avoid using a particular person's card fo
Re: (Score:2)
Ok so you add a unique hardware ID (burned into the card when its manufactured and unchangeable) and the data stored on the card is tied to it. If the card data is cloned, the card its cloned to wont have the correct ID and will fail to work.
Its not like the people cloning these cards to get free bus travel are going to be spending dollars on equipment that can somehow create cards with the correct unique ID for the cards they are copying. Plus, a cloned card wont have the correct transit company logos on i
Re: (Score:2)
Ok so you add a unique hardware ID (burned into the card when its manufactured and unchangeable) and the data stored on the card is tied to it. If the card data is cloned, the card its cloned to wont have the correct ID and will fail to work.
Its not like the people cloning these cards to get free bus travel are going to be spending dollars on equipment that can somehow create cards with the correct unique ID for the cards they are copying. Plus, a cloned card wont have the correct transit company logos on it (unless you can replicate that too which also costs dollars to do properly) meaning inspectors or drivers looking to see your card (which happens on the transit network in my city which also has a card system) will see that its a fake.
How do you propose to practically achieve this "burned" ID?
How can you prevent the attacker from obtaining cards from a different manufacturer who doesn't do this "burning in" and lets the users to set any value in any stored field?
The whole aim of having the cards being "smart" is that they can be equipped with a protected private key that they don't allow to be read from the outside world and that these cards perform cryptographic signing internally, without letting any secret information about perfor
Re: (Score:2)
Such cards have existed for many years. The NZ bus network is apparently using "MiFare Classic" which is very, very old now and is known to be weak. Designing better systems is no use if people don't upgrade to them.
Re: (Score:2)
Because it is hard.
(Disclaimer: I used to work for a company which bid unsuccessfully a few years ago to fix up the Christchurch system)
Probably the hardest part is the decentralised nature. How much money do you have out there? If this card claims to have been topped up by a terminal but you have no record of that, either the terminal is slow at reporting back, or the card is lying. By the time you know, it's too late. We have no way of communicating with a card except when it happens to be brought on b
Re: (Score:2)
And unfortunately that national standard has already been chosen in the form of Auckland Transport's buggy, half-assed implementation brought to you by Thales. It's over-budget, late, plagued by "intermittent technical difficulties" and you'll be lucky if customer service doesn't tell you to just throw your card away and buy a new one if you get hit by one of the system's biggest flaws (like, I don't know, a refusal to top up your account after you've paid - the amount just sits as "pending" and never appl
justice (Score:1)
they just had their city destroyed by an earthquake. let them have all the free bus rides they want.
Smart people... (Score:2)
Re: (Score:3)
They did have some other priorities... (Score:2)
Phew (Score:2)