Perth is now among the world's cities whose public transport payment system (“Smartrider”) has been cracked by security researchers.
The smartcard used in Perth contains a ‘Mifare’ chip supplied under a 2003 $30 Million contract with Wayfarer, that uses a weakened implementation of encryption standard ISO 9798-2 (which itself is several years old – 1999).
The weakness in random number generation used in the chip means that a security implementation initially estimated to take some 44,600 years of computation to crack can in fact be undone in around 1 hour. Current estimates are that common attacks will be possible on a massive scale within about 18 months.
And the advice from Mifare’s manufacturers?:
The security of a system must not be restricted to the individual components. It is also essential to ensure that the individual components are used in the right way to prevent some attacks on the system.
So basically they know, they can’t do anything about it, and it is down to the customers/users to mitigate the weakness (although how you use a ticketing machine the ‘right way’ remains to be seen).
The investigation into this weakness not only allowed researchers to ride public transport in London for free, but also allowed them to gain entry into buildings that use the same chips in building access systems.
In terms of future threats we can expect scams similar to those that currently plague credit card use – the ability to simply brush up against the card, clone it, and then use this information either to sell the valid account details online or to create multiple clone cards that can be resold and used in the original owner's name. This is worrisome, considering that many Transperth users have an automatic direct-debit from a bank account to get the maximum 25% fare discount – so could 100 cloned copies of your Smartrider suck 100 direct debit top-ups from your bank once their credit was exhausted?
Any evolution in the sensitivity of aerials that could read the chips from more than the current few centimetres away would also represent a nightmare scenario – a thief able to remotely clone 1000s of travellers' cards at a single station in a single day would create a denial of service attack on the transport system that would cause chaos.
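The cloned-card and runaway-direct-debit scenarios above are exactly the kind of thing a ticketing back office can watch for in its own tap logs, even while the chip itself stays weak. The following is an added example, not code from the original post or from Transperth, Wayfarer or Mifare: it runs two simple heuristics over a constructed tap log (one physical card cannot tag on at two distant stations minutes apart, and a commuter cannot plausibly trigger auto top-ups many times in a day). The station names, card ids, event names, the 10-minute travel window and the top-up threshold are all assumptions made for the example.

```python
"""Clone-detection heuristics over a constructed SmartRider-style tap log.

Added example (not from the original post, Transperth, Wayfarer or Mifare).
Card ids, stations, event names and both thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,card_id,event,station".
# CARD-0001 behaves like a normal commuter. CARD-0002 appears at two distant
# stations 3 minutes apart (impossible for one card) and triggers five
# auto top-ups in a single day (the "100 direct debits" scenario in miniature).
SAMPLE_LOG = """\
2008-07-01T07:58:00,CARD-0001,TAG_ON,Perth
2008-07-01T08:22:00,CARD-0001,TAG_OFF,Fremantle
2008-07-01T08:00:00,CARD-0002,TAG_ON,Perth
2008-07-01T08:03:00,CARD-0002,TAG_ON,Joondalup
2008-07-01T08:05:00,CARD-0002,AUTO_TOPUP,Perth
2008-07-01T08:06:00,CARD-0002,AUTO_TOPUP,Joondalup
2008-07-01T08:40:00,CARD-0002,AUTO_TOPUP,Perth
2008-07-01T09:10:00,CARD-0002,AUTO_TOPUP,Mandurah
2008-07-01T09:12:00,CARD-0002,AUTO_TOPUP,Perth
2008-07-01T17:30:00,CARD-0001,TAG_ON,Fremantle
"""

# Assumed minimum plausible travel time between two different stations.
MIN_TRAVEL = timedelta(minutes=10)
# Assumed ceiling on auto top-ups per card per calendar day.
MAX_TOPUPS_PER_DAY = 2


def parse_log(text):
    """Parse CSV lines into (timestamp, card, event, station) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, event, station = line.split(",")
        records.append((datetime.fromisoformat(ts), card, event, station))
    records.sort()
    return records


def find_impossible_travel(records, min_travel=MIN_TRAVEL):
    """Flag a card seen at two different stations closer in time than min_travel.

    One physical card cannot be in both places, so a clone is likely.
    Returns (card, previous_station, station, gap) tuples."""
    last_seen = {}  # card -> (timestamp, station)
    alerts = []
    for ts, card, event, station in records:
        if event not in ("TAG_ON", "TAG_OFF"):
            continue
        if card in last_seen:
            prev_ts, prev_station = last_seen[card]
            if prev_station != station and ts - prev_ts < min_travel:
                alerts.append((card, prev_station, station, ts - prev_ts))
        last_seen[card] = (ts, station)
    return alerts


def find_topup_abuse(records, max_per_day=MAX_TOPUPS_PER_DAY):
    """Count AUTO_TOPUP events per card per day and return those over the limit.

    A balance drained and refilled far faster than a commuter could manage
    suggests several copies of the card are spending the same account."""
    counts = defaultdict(int)
    for ts, card, event, _ in records:
        if event == "AUTO_TOPUP":
            counts[(card, ts.date())] += 1
    return {key: n for key, n in counts.items() if n > max_per_day}


def analyse(text):
    """Run both heuristics; return (cards to hold, travel alerts, top-up alerts)."""
    records = parse_log(text)
    travel = find_impossible_travel(records)
    topups = find_topup_abuse(records)
    flagged = {a[0] for a in travel} | {card for card, _ in topups}
    return flagged, travel, topups


if __name__ == "__main__":
    flagged, travel, topups = analyse(SAMPLE_LOG)
    for card, a, b, gap in travel:
        print(f"{card}: seen at {a} then {b} only {gap} apart")
    for (card, day), n in topups.items():
        print(f"{card}: {n} auto top-ups on {day}")
    print("hold for review:", sorted(flagged))
```

Neither check needs any cryptography from the card; they work purely on the operator's own transaction history, which is why they still help once the chip's encryption has been broken. Holding a flagged card and its direct-debit link for manual review bounds the damage from the "100 cloned copies" case to a handful of top-ups rather than an unlimited run on the account.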
The purpose of telling you this is really to increase vigilance and healthy cynicism – considering that also in recent news UK passports have been successfully cloned, and 3000 blank ones were stolen before they could be issued (Australian passports are also smart-chip based).
The hype is that these systems are smarter and safer, but as we invest so much more faith in them, these small flaws can be exploited to exact much more damage than was previously possible. The real elixir of security is to have smart people making smart choices – but this is what automated systems take us farther from, instead making us unthinking automatons incapable of realising that something has gone wrong until days or even weeks later – by which time we are often financially poorer for it.
The other thing that is essentially wrong about these systems is that we are trading in previously trusted tokens (currency issued by the government to pay for tickets) for a privatised least-effort-to-get-paid alternative where the implications of counterfeit fraud are exponentially greater.
Take a look at the Mifare response, the details of the Transperth contract in 2003, The Times' article on passport cloning, and The Times' article on the original Mifare vulnerability, with a simple demonstration of the attack. You can also see the technical details of the research into the security weakness of the system here: http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf.