
Aussie Researchers Crack Transport Crypto, Get Free Rides

timothy posted about a year and a half ago | from the dirty-socialists dept.

Australia 88

mask.of.sanity writes "Shoddy customised cryptography by a state rail outfit has been busted by a group of Australian researchers who were able to replicate cards to get free rides. The flaws in the decades-old custom cryptographic scheme were busted using a few hundred dollars' worth of equipment. The unnamed transport outfit will hold its breath until a scheduled upgrade to see the holes fixed."


88 comments

Government & Stealth Malware (-1)

Anonymous Coward | about a year and a half ago | (#41726579)

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 87

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individuals' products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] http://www.stallman.org/ [stallman.org]

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".

##

Schneier has covered it before: power line fluctuations (differences on the wire in keys pressed).

There's thermal attacks against cpus and temp, also:

ENF (google it)

A treat (ENF Collector in Java):

sourceforge dot net fwdslash projects fwdslash nfienfcollector

No single antimalware scanner exists which offers the ability to scan (mostly proprietary) firmware on AGP/PCI devices (sound cards, graphics cards, usb novelty devices excluding thumb drives), BIOS/CMOS.

If you boot into ultimate boot cd you can use an arcane text interface to dump BIOS/CMOS and examine/checksum.

The real attacks which survive disk formats and wipes target your PCI devices and any firmware which may be altered/overwritten with something special. It is not enough to scan your hard drive(s) and thumb drives, the real dangers with teeth infect your hardware devices.

When is the last time you:

Audited your sound card for malware?
Audited your graphics card for malware?
Audited your network card for malware?

Google for:

* AGP and PCI rootkit(s)
* Network card rootkit(s)
* BIOS/CMOS rootkit(s)

Our modern PC hardware is capable of much more than many can imagine.

Do you:

* Know your router's firmware may easily be replaced on a hacker's whim?
* Shield all cables against leakage and attacks
* Still use an old CRT monitor and beg for TEMPEST attacks?
* Use TEMPEST resistant fonts in all of your applications including your OS?
* Know whether or not your wired keyboard has keypresses encrypted as they pass to your PC from the keyboard?
* Use your PC on the grid and expose yourself to possible keypress attacks?
* Know your network card is VERY exploitable when plugged into the net and attacked by a hard core blackhat or any vicious geek with the know how?
* Search out informative papers on these subjects and educate your friends and family about these attacks?
* Contact antimalware companies and urge them to protect against many or all these attacks?

Do you trust your neighbors? Are they all really stupid when it comes to computing or is there a geek or two without a conscience looking to exploit these areas?

The overlooked threat is the potential civilian rogues stationed around you, especially in large apartment blocks, who feed on unsecured wifi to do their dirty work.

With the recent news of Russian spies, whether or not this news was real or a psyop, educate yourself on the present threats which all antimalware scanners fail to protect against and remove any smug mask you may wear, be it Linux or OpenBSD, or the proprietary Windows and Mac OS you feel are properly secured and not vulnerable to any outside attacks because you either don't need an antivirus scanner (all are inept to serious attacks) or use one or several (many being proprietary mystery machines sending data to and from your machine for many reasons, one is to share your information with a group or set database to help aid in threats), the threats often come in mysterious ways.

Maybe the ancients had it right: stone tablets and their own unique language(s) rooted in symbolism.

#

I'm more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security:

http://www.biosbits.org/ [biosbits.org]

Some BIOS has write protection in its configuration, a lot of newer computers don't.

#

"Disconnect your PC from the internet and don't add anything you didn't create yourself. It worked for the NOC list machine in Mission Impossible"

The room/structure was likely heavily shielded, whereas most civvies don't shield their house and computer rooms. There is more than meets the eye to modern hardware.

Google:

subversion hack:
tagmeme(dot)com/subhack/

network card rootkits and trojans
pci rootkits
packet radio
xmit "fm fingerprinting" software
"specific emitter identification"
forums(dot)qrz(dot)com

how many malware scanners scan bios/cmos and pci/agp cards for malware? zero, even the rootkit scanners. have you checksummed/dumped your bios/cmos and firmware for all your pci/agp devices and usb devices, esp vanity usb devices in and outside the realm of common usb devices (thumbdrives, external hdds, printers),

Unless your computer room is shielded properly, the computers may still be attacked and used. I've personally inspected computers with no network connection running mysterious code in the background which task manager for windows and the equivalent for *nix does not find, and this didn't find it all.

Inspect your windows boot partition in *nix with hexdump and look for proxy packages mentioned along with command line burning programs and other oddities. Computers are more vulnerable than most would expect.

You can bet all of the malware scanners today, unless they are developed by some lone indy coder in a remote country, employ whitelisting of certain malware and none of them scan HARDWARE devices apart from the common usb devices.

Your network cards, sound cards, cd/dvd drives, graphics cards, all are capable of carrying malware to survive disk formatting/wiping.

Boot from a Linux live cd and use hexdump to examine your windows (and *nix) boot sectors to potentially discover interesting modifications by an unknown party.

#
eof

Re:Government & Stealth Malware (1)

Anonymous Coward | about a year and a half ago | (#41726677)

http://www.thinkpenguin.com/

Freedom friendly hardware. Much of it is not as susceptible to these attacks although there are so many places to hide...

The real risk is the most common components. What chipset is used in nearly every system? These are the ones I would target.

Re:Government & Stealth Malware (3, Insightful)

Lumpy (12016) | about a year and a half ago | (#41726885)

"Nobody Seems To Notice" I guarantee to you that someone noticed and has been exploiting it for a while now. I know guys that have cracked the Chicago system for years now, wait... for over a decade now. Maybe Chicago has updated their ticket system, but I doubt it. Municipalities don't care if a system is cracked until it is widely abused. If only 400 people in a city the size of Chicago are getting free rides, they don't even show up as an accounting anomaly. Imagine how many in NYC have figured out its holes and are exploiting them.

People notice and people take advantage of it.

Re:Government & Stealth Malware (0)

Anonymous Coward | about a year and a half ago | (#41726987)

test

Re:Government & Stealth Malware (0)

Anonymous Coward | about a year and a half ago | (#41730483)

In Boston, we just jump over the rails.

Suica (0)

Anonymous Coward | about a year and a half ago | (#41726587)

All we need now is a concerted effort to crack the Japanese Suica system.

The way I read the headline (5, Funny)

Ukab the Great (87152) | about a year and a half ago | (#41726617)

Aussie crypto researchers transporting crack get a free ride.

Re:The way I read the headline (1)

cloricus (691063) | about a year and a half ago | (#41726785)

I was at their Ruxcon talk this last weekend and I can categorically state that the headline is accurate!

This message brought to you by... (4, Funny)

Ignacio (1465) | about a year and a half ago | (#41726621)

Shoddy customised cryptography

Brought to you by the Department of Redundancy Department.

Re:This message brought to you by... (5, Insightful)

hattig (47930) | about a year and a half ago | (#41726675)

So shoddy that it worked fine for "decades". As one of the researchers said - it was designed before he was born.

Even if a few people had previously worked their way around it, they could hardly mass-market their cloned cards on the market, and thus the number of users was always going to be rather limited - and probably not worth replacing the current system to deal with.

Now technology has got to the point where the average person could abuse the system, so I guess the system will get an upgrade soon.

The crypto is old, the system is new (3, Informative)

Craig Ringer (302899) | about a year and a half ago | (#41727147)

The transit system in question is 5-7 years old - or less depending on which one they refer to. The crypto is old, but the smartcard transit system isn't. Fail. How do I know? Because there are no older transit tag systems in Australia.

Re:The crypto is old, the system is new (1)

jimicus (737525) | about a year and a half ago | (#41727197)

Maybe they bought it in from an outside company that had been selling similar systems in other parts of the world for years?

Re:The crypto is old, the system is new (1)

Craig Ringer (302899) | about a year and a half ago | (#41736103)

Nope, turns out it's a magnetic strip system not a smartcard system, so it isn't SmartRider.

Whoops, wrong (1)

Craig Ringer (302899) | about a year and a half ago | (#41735927)

Correction. After reading the presentation, it's clear that this is not a smartcard system, it's a magnetic strip system. That means it isn't Western Australia's SmartRider, and WA's old MultiRider magnetic strip system has been retired for 5 years so it's not going to be MultiRider.

Re:Whoops, wrong (0)

Anonymous Coward | about a year and a half ago | (#41736271)

Canberra's public transport works on magnetic strips. Melbourne's old system does too, but that's gone now.

Happening everywhere? (5, Informative)

Anonymous Coward | about a year and a half ago | (#41726631)

Governments give these contracts to retarded companies, simply because they offer to do it for a lower price than "proper" companies would.

Same exact thing happened in the Netherlands, Trans Link Systems got the contract for the "Public transit chip card", it was hacked in a week. An improved, "unhackable" version was also cracked when it was released.

The problem with these companies mostly is that they think security through obscurity actually works, which is pathetic.

Re:Happening everywhere? (5, Insightful)

Kergan (780543) | about a year and a half ago | (#41726693)

The problem with these companies mostly is that they think they've come up with better cryptographic security than tried and tested solutions, which is pathetic.

FTFY.

Re:Happening everywhere? (1)

Anonymous Coward | about a year and a half ago | (#41726975)

You're giving them too much credit. Most of the people doing this stuff are so clueless that they don't even know what are the tried and tested solutions. They come up with terrible solutions because they understand neither the foundation libraries already available nor the basics of cryptographic security.

Re:Happening everywhere? (0)

Anonymous Coward | about a year and a half ago | (#41726921)

The problem with these government entities purchasing these systems is that they think security through obscurity actually works, which is pathetic.

Fixed it....

The problem is that the groups purchasing these systems and awarding these contracts think that obscurity works. The companies are only selling what is being purchased. They may be selling a bill of goods but the problem lies in that this bill of goods is still being purchased despite the widespread knowledge that the underlying system is inadequate.

Re:Happening everywhere? (1)

Anonymous Coward | about a year and a half ago | (#41731085)

What exactly is "Proper"? A company that can engineer a train so that it's reliable and people don't die and is efficient is likely a company that will get the contract. They usually 'throw in' a ticketing system. Politicians and people (taxpayers) look at the whopping costs of implementing a train system, and see anything free as "it had better be". So they make a ticketing system, but it's a freebie (I believe that your use of the word "proper" and freebie are diametrically opposed here). The rail system is opened, people start using it, the pain of taxpayers is softened, and people forget about the millions. Then, a group of smartypants students looking for a research project looks at the now decades old system, and breaks the freebie security. Commenters on public blogs mutter about "proper" and shake their heads with disdain (although the system had worked ok for many years, apparently). The company puts some money into a 'proper' system. Since it doesn't cost millions, taxpayers see it as a curious line item, and the story is forgotten the next day.

Killing anonymity (4, Informative)

antifoidulus (807088) | about a year and a half ago | (#41726647)

Hopefully theft won't become widespread, both because it will have a negative impact on public transport systems AND it will have a huge negative impact on anonymity. I just checked out Victoria's MyKi system (which was not the one they cracked, but I imagine the one they cracked offers similar services) and they still have an option to buy anonymously.

However if theft becomes a huge problem I can quickly see that option going away in the name of deterring theft (note that I am not defending the practice, simply stating what will probably happen). After all you are much less likely to try to score a free ride if your name is attached to the ticket. I quite like being able to travel conveniently without being tracked (*puts tinfoil hat in murse*)

Re:Killing anonymity (2)

aaron552 (1621603) | about a year and a half ago | (#41726673)

I just checked out Victoria's MyKi system (which was not the one they cracked, but I imagine the one they cracked offers similar services) and they still have an option to buy anonymously.

No personally identifying information is stored on the Myki - just the balance and last 10 trips.

From the article it's pretty easy to guess that the cracked system was the ancient, magnetic-strip-on-paper-cards Metcard system. I highly doubt there's any tracking going on, that would require the people running the system to be competent

Re:Killing anonymity (4, Interesting)

mcbridematt (544099) | about a year and a half ago | (#41726711)

More likely it is the Brisbane GoCard or Perth SmartRider - which use the horribly insecure MiFare Classic, which was compromised some years ago and there are 'off the shelf' exploits.

The operator of the Brisbane system even tried to play down [brisbanetimes.com.au] the significance of the MiFare Classic exploit when it was known before launch.

Re:Killing anonymity (4, Informative)

cloricus (691063) | about a year and a half ago | (#41726803)

As per their Ruxcon presentation it was a previously un-compromised system that used magnetic stripes.

Re:Killing anonymity (0)

Anonymous Coward | about a year and a half ago | (#41727677)

Then it'll be Adelaide's Metrotickets. They still use the magnetic stripe system.

Re:Killing anonymity (0)

Anonymous Coward | about a year and a half ago | (#41734771)

It could be the new Adelaide MetroCard - which is in the process of being rolled out and is... wait for it... MiFare Classic!

Re:Killing anonymity (0)

Anonymous Coward | about a year and a half ago | (#41728605)

"As per their Ruxcon presentation it was a previously un-compromised system that used magnetic stripes."

Which probably means Sydney CityRail (http://www.cityrail.info/tickets/images/landing_which.jpg)

Re:Killing anonymity (1)

Ronin441 (89631) | about a year and a half ago | (#41728257)

Perth SmartRider does indeed use MiFare Classic, and the cards are indeed insecure. But there's some server-side smarts which will (eventually) notice a cloned card, and deactivate it. I expect it also (eventually) notices if you top up your card yourself for free.

The idea is that although the system can be exploited at a small scale, it isn't worth the hassle. Provided their server-side stuff prevents exploits going commercial and becoming widespread, it's good enough.
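The server-side reconciliation described in the post above (noticing that a cloned card is in use and deactivating it) can be done from the tap history alone, because two physical cards sharing one identity produce a history no single card could. The following is an added example, not code from the post or from any transit operator; it assumes constructed tap records, a transaction counter that the card increments on every use, and a hypothetical table of minimum travel times between stations. It flags a card when a counter value is replayed, when the counter goes backwards, or when two taps imply impossible travel.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tap:
    card_id: str
    counter: int   # assumed: counter stored on the card, incremented per use
    ts: int        # seconds since some epoch
    station: str


# Hypothetical minimum travel time between station pairs, in seconds.
MIN_TRAVEL = {
    frozenset({"Central", "Parramatta"}): 25 * 60,
    frozenset({"Central", "Bondi Junction"}): 10 * 60,
    frozenset({"Parramatta", "Bondi Junction"}): 35 * 60,
}


def min_travel_seconds(a: str, b: str) -> int:
    """Floor on how quickly one card can move from station a to station b."""
    if a == b:
        return 0
    return MIN_TRAVEL.get(frozenset({a, b}), 5 * 60)  # default floor for unknown pairs


def find_cloned_cards(taps):
    """Return {card_id: [reasons]} for every card whose tap history cannot
    have come from a single physical card."""
    by_card = defaultdict(list)
    for t in taps:
        by_card[t.card_id].append(t)

    flagged = {}
    for card_id, history in by_card.items():
        history.sort(key=lambda t: (t.ts, t.counter))
        reasons = []
        seen_counters = set()
        for i, cur in enumerate(history):
            # A genuine card never presents the same counter value twice.
            if cur.counter in seen_counters:
                reasons.append(f"counter {cur.counter} replayed at {cur.station}")
            seen_counters.add(cur.counter)
            if i == 0:
                continue
            prev = history[i - 1]
            # A clone written from an older snapshot of the card regresses the counter.
            if cur.counter < prev.counter:
                reasons.append(f"counter went backwards ({prev.counter} -> {cur.counter})")
            # Two taps closer together than the network allows means two cards.
            gap = cur.ts - prev.ts
            if cur.station != prev.station and gap < min_travel_seconds(prev.station, cur.station):
                reasons.append(f"impossible travel {prev.station} -> {cur.station} in {gap}s")
        if reasons:
            flagged[card_id] = reasons
    return flagged


# Constructed sample tap log (not real data).
SAMPLE_TAPS = [
    # card 1001: one physical card on a plausible commute
    Tap("1001", 41, 0, "Parramatta"),
    Tap("1001", 42, 40 * 60, "Central"),
    Tap("1001", 43, 9 * 3600, "Central"),
    Tap("1001", 44, 9 * 3600 + 35 * 60, "Parramatta"),
    # card 2002: original and a clone carrying the same stored counter
    Tap("2002", 7, 0, "Central"),
    Tap("2002", 7, 5 * 60, "Parramatta"),      # counter replayed, 25 min away after 5 min
    Tap("2002", 8, 60 * 60, "Parramatta"),
    # card 3003: clone restored from an older snapshot of the card
    Tap("3003", 20, 0, "Bondi Junction"),
    Tap("3003", 15, 3 * 3600, "Central"),      # counter regresses
]


if __name__ == "__main__":
    for card, why in sorted(find_cloned_cards(SAMPLE_TAPS).items()):
        print(f"deactivate {card}: " + "; ".join(why))
```

The checks are deliberately conservative: a legitimate card that merely taps often is never flagged, because the counter keeps increasing and the travel-time floor is only applied between different stations. In a real back office the output would feed a hotlist pushed to the gates rather than being printed.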

Re:Killing anonymity (0)

Anonymous Coward | about a year and a half ago | (#41736297)

A little bit of research points me to NSW (UNSW Students)

Re:Killing anonymity (3, Informative)

tqft (619476) | about a year and a half ago | (#41726697)

From August in Qld http://www.brisbanetimes.com.au/queensland/go-card-travel-records-point-finger-at-murder-accused-20120816-24b3v.html [brisbanetimes.com.au]
"A Supreme Court jury heard that Ashley Michael McGoldrick's Go Card history showed ..."
and from 2010
http://www.brisbanetimes.com.au/queensland/police-watching-where-you-go-20100728-10vx2.html [brisbanetimes.com.au]
"The revelation came after brisbanetimes.com.au exclusively revealed that police are using Go Card technology to not only pinpoint the movements of criminal suspects but also potential witnesses."

Re:Killing anonymity (1)

Anonymous Coward | about a year and a half ago | (#41726763)

Hey Slashdotters, should we tell this person that if they're taking a train, they're already being recorded on ten different cameras being fed back to HQ where they pump the feeds into facial recognition software?

Unless you walk around in a hoodie with a full facial skull mask such as those worn by motorcyclists, you haven't been traveling anonymously for a long time - cash or not.

Re:Killing anonymity (0)

Anonymous Coward | about a year and a half ago | (#41727011)

Yup - you're about as anonymous on the trains as you are on Slashdot (it still knows it's you - and it's hosted in the US :) ).

Re:Killing anonymity (1)

EnempE (709151) | about a year and a half ago | (#41736207)

Not on that rail network they aren't. QR has been struggling to make ends meet for a while, the go card system was supposed to improve the situation by reducing ticketing costs and reducing staffing requirements at smaller platforms. They don't have the money to invest in facial recognition software. The left bag systems would probably be running on the live feeds but the cameras don't have the resolution to pick out faces and track them through the system, it would be a major upgrade. As the system stands, they would have to do facial recognition the old fashioned way, by going back through the recorded feeds and looking at them. In TFA they say that they have footage from the bus where the card was used, bus dvrs are standalone and aren't suitable for facial recognition.

Yeah not hard to work out which state (0)

Anonymous Coward | about a year and a half ago | (#41726649)

Gee I wonder what state huh? Don't worry they have a very effective form of security. The service is so bad nobody wants to travel on their system.

Twitter / UNSWCOMPUTING: Congratulations to our tea
twitter.com/UNSWCOMPUTING/status/188049246694539264
5 Apr 2012 – UNSW COMPUTING @UNSWCOMPUTING 5 Apr ... Defence University Challenge: Karla Burnett, Theo Julienne, Jack Murray & Petr Novak!

Re:Yeah not hard to work out which state (0)

Anonymous Coward | about a year and a half ago | (#41726701)

FFFFFFFFFFFFFFFFFFFFFFFFFFFF
I was hoping it was Myki in Melbourne, colour me annoyed!

Re:Yeah not hard to work out which state (0)

Anonymous Coward | about a year and a half ago | (#41726779)

Yeah same here, MyKi should be made a case study on how not to implement a ticketing system.

Link to the presentation (2)

kasperd (592156) | about a year and a half ago | (#41726659)

The article contains absolutely no information about what the vulnerability was. Have anybody been able to find a link to the actual presentation?

Re:Link to the presentation (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41726699)

Almost guaranteed that the rail system is the City Rail [cityrail.info], the NSW rail system. Their ticketing system [wikipedia.org] is a nightmare, and has been the subject of multiple botched upgrades over the last couple of decades, costing millions of dollars. The latest plan is to upgrade to London's "Oyster Card" technology (renamed Opal card), but I'll believe it once I see it. The current tickets are just a piece of cardboard/plastic with a magnetic strip. Trivial to read, and most likely (as has been found out) trivial to decode.

In fact, when you do the numbers, it would be cheapest for the NSW government to abolish ticketing altogether. The money saved on the (absence of a) ticketing system and the reduction in road use would exceed the current revenue from tickets.

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41726937)

The latest plan is to upgrade to London's "Oyster Card" technology (renamed Opal card), but I'll believe it once I see it.

Brisbane has had this for four years now ("go card"). Seems to be the same thing as London's "Oyster" (I've used both). So it should be doable (I acknowledge, mind you, that re-fitting the whole of Sydney will be a much bigger job than setting it up in Brisbane...).

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41727029)

The problem is the organisation, not the technology. Despite Melbourne, Brisbane, and a multitude of other cities doing it, I'll believe CityRail can do it once I see it.

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41727139)

You're right, it absolutely was the organisation and not the technology. The fact that the supplier with the best technology and the most experience (Glide Consortium, consisting of Thales and Hong Kong's Octopus) voluntarily dropped out of the tendering process says loads about what kind of risk working with the NSW Government / CityRail must entail. Keep in mind that they ended up bankrupting their previous supplier the last time they tried modernising the ticketing system...

Re:Link to the presentation (1)

ewanm89 (1052822) | about a year and a half ago | (#41727171)

Better not use the Oyster cards as they are MIFARE classic 1K and are well cracked already.

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41727451)

So it is claimed, and yet you can't find a reliable source saying that the crack is in use.

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41727551)

Sorry but you are out of date. Nearly the entire estate has been replaced by DESFire, a project completed about 3 years ago.

City Rail in NSW (1)

Anonymous Coward | about a year and a half ago | (#41727805)

I agree with the above poster that it is most likely City Rail in NSW, by a process of elimination:
- Only 5 cities in Australia have public transport rail networks.
- Melbourne have recently introduced Myki - good case study on how not to do it [duckduckgo.com] , so they are unlikely and the article states this
- Brisbane use Oyster Card, unlikely but if it is then this is a much bigger story
- Perth uses Smartrider [wikipedia.org] , a smart card system.
- Adelaide have used MetroTicket [wikipedia.org] which contains a magnetic strip developed by Crouzet-SA. A smartcard system is in the process of being rolled out [adelaidenow.com.au]

The RailCorp is being split in two [smh.com.au] article has some pretty cutting statements about the inefficiency of government run enterprises and entitlement mentality. Solving this will not be simple, and as other posters have commented the problem is the organisation. I'd advise potential vendors to think of a price and triple it. There is a reason some government organisations are charged a premium and yet the vendor still makes a loss.

Posting this as an Anonymous Coward, because I have a bit of experience working as a vendor to RailCorp NSW [wikipedia.org] . Let's just say they are a "challenging" client.

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41733933)

Since Karla Burnett is a student at UNSW, I'm guessing it was NSW Rail as well

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41734245)

Actually, the 9 yrs spent trying to get the contactless card was with the company that did London and a bunch of other countries. It only failed in NSW due to the convoluted fares and refusal of gov't to budge. Lack of end trip sensors in 'remote' stations. But they have cash to instal blinky LED screens at CBD stations that do nothing. What happens after the failure? NSW implements the zone system that was asked for.
Anyway, it's not going to happen, the last 'Opal' was coming 'next year' for 9 years.

Re:Link to the presentation (0)

Anonymous Coward | about a year and a half ago | (#41736513)

It is CityRail in Sydney. Queensland's Go Card is RFID, not mag swipe. Also, his website (dou.gl) mentions he goes to the Uni of New South Wales, so he'd live in Sydney.

He started uni in 2009, so he's 21. He won't be flying to Brisbane or Melbourne to do security research.

Presentation Slides (5, Informative)

Catchwa (1017396) | about a year and a half ago | (#41726691)

Can be found here [dou.gl] .

Re:Presentation Slides (0)

Anonymous Coward | about a year and a half ago | (#41726767)

Most of the authors are from UNSW, so it can be assumed that they cracked the NSW State Transit System (CityRail, SydneyBuses, Sydney Ferries).

Re:Presentation Slides (4, Insightful)

kasperd (592156) | about a year and a half ago | (#41727005)

Wow. The encryption described in those slides is like state of the art of the 16th century. Nowadays that scheme doesn't even qualify as cryptography. It's not custom cryptography, it's a joke.

The slides do mention that they have modified some details, probably as part of a responsible disclosure. But I suppose the sort of methods used and the strength of the encryption do correspond to the original version.

But as so often before, people are using "encryption" when it isn't what they need. 90% of the time where people use encryption, what they really need is integrity, which is not achieved through encryption but rather through message authentication codes or digital signatures. Encryption without integrity is rarely a good idea. If the integrity of the data on these tickets had been protected, there would be no need for encryption in the first place. After all, the plaintext version of the data is probably even printed on the ticket.
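An added example (not from the thread or the researchers) of the integrity-only design the comment above describes: the ticket fields stay in clear text and an HMAC tag lets the gate detect any alteration. The record layout, key and values are constructed for illustration and are not the real CityRail format.

```python
"""Added example, not from the thread: integrity-protected transit ticket.

The comment above argues a ticket needs integrity rather than secrecy: the
fields can stay in clear text (they are printed on the ticket anyway) as
long as the gate can detect any alteration. An HMAC tag appended to the
clear-text record gives that. Field layout, key and values are constructed
for illustration; they are not the real CityRail format.
"""
import hashlib
import hmac
import struct

# Constructed 14-byte record: ticket id, fare zone, valid-from and valid-to
# (Unix seconds), trips remaining. Everything is plaintext on purpose.
RECORD_FMT = ">IBIIB"
TAG_LEN = 8  # truncated tag: a mag stripe holds very little data

# Hypothetical gate key. It lives in the ticket printer and the gates'
# secure module, never on the ticket; whoever holds it can mint tickets,
# so key distribution, not the algorithm, is the real engineering problem.
GATE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def encode_ticket(ticket_id, zone, valid_from, valid_to, trips_left, key=GATE_KEY):
    """Return record || HMAC-SHA256(key, record) truncated to TAG_LEN bytes."""
    record = struct.pack(RECORD_FMT, ticket_id, zone, valid_from, valid_to, trips_left)
    tag = hmac.new(key, record, hashlib.sha256).digest()[:TAG_LEN]
    return record + tag


def verify_ticket(blob, key=GATE_KEY):
    """Return the decoded fields if the tag checks, else None (gate stays shut)."""
    record_len = struct.calcsize(RECORD_FMT)
    if len(blob) != record_len + TAG_LEN:
        return None
    record, tag = blob[:record_len], blob[record_len:]
    expected = hmac.new(key, record, hashlib.sha256).digest()[:TAG_LEN]
    # compare_digest keeps the tag comparison constant-time
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(RECORD_FMT, record)


def tamper_detected(blob, offset, key=GATE_KEY):
    """Acceptance test for the gate: flip one bit at `offset`, expect rejection."""
    flipped = bytearray(blob)
    flipped[offset] ^= 0x01
    return verify_ticket(bytes(flipped), key) is None


if __name__ == "__main__":
    # Constructed values: ticket 123456, zone 2, valid for 24 hours, 10 trips.
    ticket = encode_ticket(123456, 2, 1349000000, 1349086400, 10)
    print("valid ticket decodes to:", verify_ticket(ticket))
    # Changing trips_left (byte 13) or any other byte, tag included, is caught.
    print("every single-bit change rejected:",
          all(tamper_detected(ticket, i) for i in range(len(ticket))))
```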

it could be worse (-1)

Anonymous Coward | about a year and a half ago | (#41726725)

it could be worse. Your parents could have named you "Dick Short". Then on all the surname/forename lists you would appear as "Short Dick".

wow (0)

Anonymous Coward | about a year and a half ago | (#41726749)

they cracked a system with well known vulnerabilities. do something with myki and you might have a real story.

Free rides in adelaide (2, Interesting)

Anonymous Coward | about a year and a half ago | (#41726797)

I worked out how to get a free train ride in Adelaide, and I didn't even need any custom equipment.

If the trains don't know the time, they stamp an error bit flag on the mag-stripe ticket. The gates that let you out, supposedly only if you have a ticket valid for that time, will let you past if you have an error bit. And there's no time limit.

"get free rides"? (0)

Rogerborg (306625) | about a year and a half ago | (#41726867)

Look, I know this is Slashdot where we dupe articles without reading them, and it's in the original article title, but given that TFA itself goes to some lengths to explain that the filthy h5xx0rz bought all their tickets (and I don't blame them, given Oz's propensity for criminalising everything that isn't mandatory), could we please, just once, actually have an accurate title or summary?

If Slashdot has just become Google News for Nerds, I can pretty much get that myself with a custom search. Upgrade the small shell scripts masquerading as "editors", eh?

Difference? (0)

Anonymous Coward | about a year and a half ago | (#41726893)

What's the difference between researchers and hackers / crackers? The hat?

Re:Difference? (0)

Anonymous Coward | about a year and a half ago | (#41726917)

Test

Why bother with the cards? (0)

Anonymous Coward | about a year and a half ago | (#41726909)

If public transport were run by government off taxes (remember: your workers have to get in to work to work for your company), then just run them when they need to be run and save the expense of trying to chase dodgers and secure electronic payment.

Err, to collect revenue? (1)

Viol8 (599362) | about a year and a half ago | (#41726995)

"If public transport were run by government off taxes"

Except they're not. No major PT system in the world is run completely off taxes and is free to the end user. They all collect fares in some fashion. And if you think about it, why should people in one part of a country pay via taxes for people in some city hundreds of miles away to ride for free?

Except there's no reason to be. (0)

Anonymous Coward | about a year and a half ago | (#41727313)

""If public transport were run by government off taxes"

Except they're not."

Except there's no reason they can't be.

"why should people in one part of a country pay via taxes for people in some city hundreds of miles away to ride for free?"

Are public transport systems only for other people? No.

Re:Except there's no reason to be. (1)

Viol8 (599362) | about a year and a half ago | (#41727719)

"Except there's no reason they can't be."

Sure, if the government has unlimited funds. Most don't. Usually there are more important things to spend money on.

"Are public transport systems only for other people? No."

Huh?

Public transport cost is infinite??? (0)

Anonymous Coward | about a year and a half ago | (#41728357)

""Except there's no reason they can't be."

Sure, if the government has unlimited funds."

That would require that public transport for a finite number of people on a finite landscape would be infinite.

This is not the case.

Re:Public transport cost is infinite??? (1)

Viol8 (599362) | about a year and a half ago | (#41729251)

Don't be a smartass, you know exactly what I mean. And do explain why people who don't use a service should pay just as much for it as people who do in this socialist nirvana you've dreamt up?

Re:Err, to collect revenue? (1)

TapeCutter (624760) | about a year and a half ago | (#41728695)

There's also this strange behavior with humans where they value something more if they pay for it directly, even if the payment is trivial.

I don't think that would apply to travel to work. (0)

Anonymous Coward | about a year and a half ago | (#41729149)

They'd value the travel to work based on results not cost.

London Underground Oyster smartcard (1)

Viol8 (599362) | about a year and a half ago | (#41726981)

This was cracked a number of years ago apparently because it used a simple linear feedback shifter as a random number generator, which meant the codes were easy to guess. Or something along those lines, I can't find the article at the moment.

LU said they'd be "improving security" and then we heard nothing more about it. Anyone know what's going on these days?

Re:London Underground Oyster smartcard (1)

Anonymous Coward | about a year and a half ago | (#41727581)

DESFire cards are all you can get on Oyster now. MiFare classic was replaced a few years back. This is why it is now much slower to read/write and why the hotspot is smaller (DESFire requires more power).

Is this really a high risk? (2)

DrXym (126579) | about a year and a half ago | (#41727019)

I really don't see this as a huge threat. Let's assume the worst case, that some people buy a mag stripe reader/writer and use software to program the tickets with bogus data. These tickets might fool automatic barriers but they won't fool a ticket inspector.

I expect most transport systems have inspectors already to catch people jumping barriers or coasting in and out behind other people. So the faker is going to get caught eventually. If they're really unlucky the inspector will compare the printed data on the ticket to the data on the stripe using a portable reader and call the cops.

Some transport systems don't even bother with barriers and rely exclusively on teams of inspectors. e.g. Dublin's Luas tramline has no barriers so there is nothing to stop someone riding for nothing. To enforce the ticketing system it is not uncommon to see a team of 4 or 5 ticket inspectors board without notice and systematically sweep the train from either end. People with no tickets risk huge fines so you'd have to be pretty dumb to ride this way, fake ticket or not.

Re:Is this really a high risk? (2, Informative)

Anonymous Coward | about a year and a half ago | (#41727267)

On some trains the ticket inspectors will just sell the tickets at normal price if you don't have one, or escort you off the train if you don't want to pay. Of course some places don't even bother with barriers or inspectors for local trains, they have enough honest people buying tickets that it isn't seen as cost effective to have either just to stop a few kids from taking a free ride.

Re:Is this really a high risk? (0)

Anonymous Coward | about a year and a half ago | (#41740887)

If they're really unlucky the inspector will compare the printed data on the ticket to the data on the stripe using a portable reader and call the cops.

In the NSW transit system, which this is most likely about, you can buy tickets (e.g. MyMulti) that don't have anything printed on them like a date, except maybe if you use them to ride the bus. Also, all the ticket inspectors I've encountered just look at your ticket and don't do much more, so you can at least safely get away with free train travel using this exploit. Although, in general you can get away with free train travel anyway, since the barriers are only on the high traffic stations, and ticket inspectors are pretty rare.

Any fence can be scaled, but it does not (1, Interesting)

Max_W (812974) | about a year and a half ago | (#41727047)

make a fence unnecessary.

It defines the social border, the socially accepted line.

Crossing this line involves a reaction from the society, which wants to defend its norms.

If I were an Australian General Prosecutor I would suggest 2-3 years of imprisonment to this group of young researchers so that the next time they would think twice before forging public transportation tickets.

CityRail Tickets (0)

Anonymous Coward | about a year and a half ago | (#41727415)

From: http://dou.gl/trainhack-ruxcon-slides.pdf [dou.gl]

"It is an offence to travel without a valid ticket. A ticket is not valid
if it is defaced, mutilated or altered."

I recognise that from CityRail (NSW, Australia) tickets

RE: Data Analysis (2)

Archon-X (264195) | about a year and a half ago | (#41727733)

I've got a current project of trying to do some data analysis on RFID data dumps. I've made some progress, but have been getting stuck on trying to pull out the timestamp. 'Obvious' things, like days of the year, epoch stamps etc don't seem to appear. From research, there should be a defined start date / time, and an ending date / time - and the gap should be no more than 84 hours. The dump I have is from around Sept 2012. If anyone feels like helping out or can see something obvious...

03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
aa 07 00 00 21 02 08 00 00 6e 07 06 07 00 66 83
00 00 00 00 00 00 00 00 01 6e 07 06 08 37 00 00

[NB: the 07 AA is understood, the 21 02 08 I am unsure about, and the rest with the obvious data repetition / incrementation, I can't help but feel the timestamp is staring at me!]

Re: Data Analysis (0)

Anonymous Coward | about a year and a half ago | (#41735663)

well....
21 02 08 could be 08 month 2012. last record/entry or exit?

00 6e 07 06 07 00 66 83
01 6e 07 06 08 37 00 00

First 00 and 01 entry/exit flag? 6e 07 month? 06 07 00 66 / 06 08 37 00 could be days/ hours, last four seconds ?

Your definition of free is skewed (0)

Anonymous Coward | about a year and a half ago | (#41728137)

They used "a few hundred dollars' worth of equipment", that's pretty damn far from free, not to mention impractical considering how many train rides one can buy with a few hundred dollars.

I guess the danger is resellers (1)

cdrguru (88047) | about a year and a half ago | (#41728441)

So if you had a shop next to the train station with only a few hundred dollars of equipment they could sell discounted train tickets, right?

The problem with this sort of thing is there is no real need for a great deal of authentication on transit systems. If you are going to go to the trouble to forge tickets, you are probably no real threat to the system's revenue because of the huge investment required. Once you become a real threat, you are going to get caught and the jail time will not be pretty. Most countries will add onto the charges of simply riding without paying a fare because this was done a lot and is "willful".

So, is being able to make forged tickets worth 10-15 years in prison? Who cares if they used a low-bidder for the authentication. It is good enough for 99.9999% of the population and is producing revenue. Would any sane individual decide that millions, tens of millions or even hundreds of millions of the local currency should be spent to "secure" the system? Sounds like complete idiocy to me.

Sure, the system is insecure, but so is every other system on the face of the planet. I'm sure using a forged ticket is already a crime, but all they have to do is make selling forged tickets a serious crime and the problem is a non-problem.

Re:I guess the danger is resellers (0)

Anonymous Coward | about a year and a half ago | (#41736829)

Erm...If forgeries do get good enough, and the act of forgery and the ease of it is also good enough, the system is broken.

So the public service paid fo (1)

Stan92057 (737634) | about a year and a half ago | (#41728181)

So the public service paid for crypto and got it. These kids buy a card reader and card makers and probably use an open source crypto program, voila, instant security researchers?

More info (0)

Anonymous Coward | about a year and a half ago | (#41749861)

It was Sydney Rail's old magnetic paper cards. The researchers compiled a tonne of cards, and started brute forcing the card ID string in blocks, doing a brute force attack on XOR until parts of the card ID string became human readable, and they correlated enough of the data to figure out things like Station ID, Time, Date etc. See #Ruxcon for more information.
