
Another EUSecWest NFC Trick: Ride the Subway For Free

itwbennett writes "At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."
  • Long ago... (Score:5, Informative)

    by Anonymous Coward on Thursday September 20, 2012 @06:28PM (#41405525)

    Back in the 80s they tried to introduce plain-clothes security officers on Amsterdam trams to catch people who didn't pay for an honor-system ticket and got on anyway. The people of Amsterdam had a referendum and voted that the officers had to wear uniforms, so that fare hoppers would have "a sporting chance" of running away when an inspector got on the tram.

  • Re:Long ago... (Score:0, Informative)

    by Anonymous Coward on Thursday September 20, 2012 @06:32PM (#41405559)

    Mod up parent as informative.

  • by Joe_Dragon ( 2206452 ) on Thursday September 20, 2012 @07:09PM (#41405831)

    buses don't have a 100% live link

  • by realityimpaired ( 1668397 ) on Thursday September 20, 2012 @07:22PM (#41405959)

    Well, don't speak for the system being described in TFA, but I do know that my city (Ottawa, Canada) has been trying to replace the old bus pass/ticket/transfer system with an electronic system called Presto.

    With the Presto system, in theory, it communicates your card ID to a central server, debits the card, and records the last time you used it so that you can swipe it every time you get on, and it will be smart about whether it charges you (assuming you're not on a monthly pass). You can also buy extra money through an online portal, and you can set it up to automatically renew. That's how it's supposed to work, in theory.

    In practice, it's been delayed by a year due to "unforeseen behaviour". Specifically, it occasionally double charges somebody when the wireless communication is spotty, sometimes it doesn't register the charge at all, and I've seen the readers on buses popping up error windows instead of the actual reader screen more often than not... presumably this error is also caused by lack of communication with the central server, if the text of the error message is anything to go by. I've also seen them pop up the Windows CE equivalent of a BSOD a couple of times, and at this point, even though they were supposed to be in full use/production by June of this year, they're turned off.

    Now, for a subway system, there's no excuse to be relying on wireless communications for the point of sale. The gates don't move, and you're running a wire to it for power anyway. But for something that does move, like, say, a bus or trolley car, they do have to rely on some kind of wireless network, and that may or may not be reliable depending on how the network is set up. They may have decided that going with something like cellular data was too expensive for the system, and have set it up to sync the logs by wifi when they get back to the shop. In a situation like that, it may make sense to have some writeable data on the card to sync with, like a floating balance.

    That being said, not having each card uniquely identifiable/trackable to catch this kind of thing is just silly... if you *are* going to have to leave some writeable data on the card, put a unique identifier in a non-programmable part of the memory, and have an automated system update the central database with your running balance at the end of the day... when the last value read by the card reader doesn't match what it should be in the database, blacklist the card and have each unit pull the current blacklist as they leave the terminal for the day's route. It's not as if it would take a lot of data storage to keep a list of blacklisted serial numbers, and flash storage is cheap enough to include in every console.
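
The end-of-day check proposed in the comment above can be sketched as follows. This is an added example, not code from the commenter or from any transit vendor: the record layout, names and sample values are constructed, and sending a lower-than-expected balance to review instead of the blacklist is an assumption that goes slightly beyond the comment's single rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tap:
    uid: str           # card serial from read-only memory (assumed tamper-proof)
    ts: int            # reader clock, seconds into the service day
    balance_read: int  # stored value in cents found on the card before the event
    delta: int         # change the reader wrote back: fare < 0, top-up > 0

def reconcile(ledger, taps):
    """Replay one day's reader logs against the central ledger.

    Returns (new_ledger, blacklist, review). A card that shows more value than
    the ledger expects is blacklisted. One that shows less goes to review,
    because a lost reader log explains it as well as tampering does.
    """
    new_ledger = dict(ledger)
    blacklist, review = set(), set()
    # Logs arrive per vehicle, so order them by time before replaying.
    for tap in sorted(taps, key=lambda t: (t.ts, t.uid)):
        if tap.uid in blacklist:
            continue                      # ledger stays frozen at last good value
        expected = new_ledger.get(tap.uid)
        if expected is None or tap.balance_read > expected:
            blacklist.add(tap.uid)        # unissued serial, or value restored
            continue
        if tap.balance_read < expected:
            review.add(tap.uid)           # gap: an earlier debit never reached us
        new_ledger[tap.uid] = tap.balance_read + tap.delta
    return new_ledger, blacklist, review

# Constructed sample data: three issued cards, logs from two buses, unsorted.
SAMPLE_LEDGER = {"04A1": 1000, "04B2": 500, "04C3": 2000}
SAMPLE_TAPS = [
    Tap("04A1", 900, 750, -250),
    Tap("04B2", 800, 500, -250),   # card shows 500 again after a 250 debit
    Tap("04C3", 700, 1500, -250),  # card shows 250 less than the ledger expects
    Tap("04A1", 100, 1000, -250),
    Tap("04B2", 200, 500, -250),
    Tap("04C3", 300, 2000, -250),
    Tap("04FF", 400, 5000, -250),  # serial that was never issued
]

if __name__ == "__main__":
    ledger, blacklist, review = reconcile(SAMPLE_LEDGER, SAMPLE_TAPS)
    print(ledger, sorted(blacklist), sorted(review))
```

The returned blacklist is the set each vehicle would pull before leaving the terminal; the review set is kept separate so that the dropped and doubled charges described earlier in the comment do not lock out honest riders.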

  • Re:More like... (Score:5, Informative)

    by Razgorov Prikazka ( 1699498 ) on Thursday September 20, 2012 @07:48PM (#41406215)
    Link to the Powned (yes it is called powned:) clip: http://youtu.be/3izaITMDAYg (in Dutch)

    Transcript for the non-Dutch:
    <anchor guy> Our Jojanneke showed us yesterday that even blonde women can crack the TLS-chipcard without a problem. The responsible company reacted frivolously because the hack would show up in their systems, and the authorities would be alerted. In other words, keep calm and carry on. But that was before they saw this news-item.
    <Journalist 1> I can check in and out myself, simply by typing in the time that I want to be checked in, and upload it to the card. No signs in their back-office, this is undetectable.
    <anchor guy> Yes indeed, now the TLS-card can be hacked even without TLS getting to know about it. The chance that the identity of the fraudulent traveller is to be unveiled is as good as nil. And that is what the responsible company is finally - although not enthusiastically - admitting.
    <TLS spokeswoman, Anita Hilhorst (to a journalist in a studio)>...At this moment our checks with detectors and inspectors do not show those transactions in our back-office,
    <journalist in the studio> yeah, when the conductor checks me, his machine just says that I am checked in.
    <TLS spokeswoman>...Yes...
    <journalist in the studio> So then I don't have a problem and you are completely ignorant about it.
    <TLS spokeswoman>...then we can't see that ehhh ehhh in the transactions in our back-office
    <journalist in the studio> So at that moment I am untraceable, and you can't do anything against me.
    <TLS spokeswoman> We aren't able to see that, no.
    <anchor guy> And so definitively the TLS-card dies. Costing 3.000.000.000,- Euro, and nothing. The minister is summoned for a debate before parliament to explain what he will do about it. And here is some more ammo for the ladies and gentlemen of the opposition; the software needed is, since yesterday, downloadable from bittorrent sites. Cracking the TLS-card is now in reach for your grandmother of 82 years old.
    <Jojanneke a.k.a. Pow-janneke> The cracking of the TLS-card is now made even simpler because the software is leaked to bittorrent sites, what does that mean?
    <journalist> It means that anyone can download this, and since it is a very simple crack I am not surprised that it is put in the open.
    <Jojanneke> This thing is also needed (hold up card reader), where to buy this? In a shop?
    <journalist> Yes, it is about three tenners, so anyone can go ahead with a TLS-card.
    <Jojanneke> But can it be bought in a store?
    <journalist> Yes, or on-line if they aren't sold out yet.
    <Jojanneke> And we don't have to check in at the station, we can do this at home?
    <journalist> yes, that is quite simple to do (shows program how-to) and because you do this at home, you are invisible to the back-office. The conductor just checks whether the card has been checked in or not, and that data is transmitted to the system at the end of the day, but by then you already left the train.
    <Jojanneke> In other words, it is so simple even my grandmother can do this?
    <journalist> Even your grandmother can do this easily
    <anchor guy> Well and if this isn't bad enough, the hackers will present a new version tomorrow that will make it even more easy with new features like making money with that card!
    <Jojanneke> Hackers are busy to speed up the process to keep it within 15 seconds, what does this mean if they succeed in that?
    <journalist> Well then it is so fast and easy that it becomes feasible to start a 'business' with that.
    <Jojanneke> So they can recharge a lot of cards in a short while.
    <journalist> Yes, you give me a tenner, and I put a hundred euros' worth of credit on it. And I have warned about this in the past that this might happen.
    <anchor guy> If by chance you are slightly handy with computers, TransLinkSystems is looking for a fraud-manager that can monitor the security measures of the cards, stress-resistance is a pre.

    Sorry for any mistakes made, but you'll get the message right?
