Saturday, September 3, 2011

Dutch journalist hacks transit card

In Netherlands, a reporter has been trying to stress out the outrageously insecure card software that the Dutch subway system uses for their transit cards. The transit card is designed as a kind of debit card where one can add money to the card and then travel with the subway system by paying with the card.

The card is delivered by the company Trans Link Systems that also oversees the transit card system. It functions by using a RFID chip that you wave in front of a proximity sensor that registers a travels start and stop, and then withdraws the amount of money according to the distance traveled. The main security issue exists in the encryption that the card is protected by, namely the Crypto-1 algorithm which was cracked in 2008, for more information see this.
   Now, armed with a cheap RFID reader/writer, which you can get for less than $40, you can easily access the information stored on the card and edit it as you wish. Moreover, the software that is used for monitoring the cards is not designed to detect unusual activity or even tampering with the card. That was exactly what the reporter/hacker Brenno de Winter proved by using a hacked card for 3 weeks without being detected even though he intentionally tried to get caught by inserting mutliple check-outs from the same airport with a 3-minute interval, which is practically impossible without some sort of teleportation. And that's not even the worst part. The technique not only allows you to insert checkouts but you could also add an unlimited amount of money to the card which means one could travel for free within the Dutch subway system with a hacked card. A potential exploiter could also use a portable RFID reader that would steal the information on other peoples cards just by walking past them and then print the information to his own card.
   You don't even have to be a hacker, let alone a techsavvy person,  to successfully hack your card since the tools needed only includes the cheap RFID reader/writer and software that easily can be downloaded from the internet.

Now the reporter Brenno de Winter, is being sued by the transportation companies for fraud, and his goal of getting the vulnerabilities fixed is being draned down the toilet. The company only stated that it is illegal to hack your card and that there will be taken legal actions against exploiters.

Even though the cards security flaws are well known, the same solution is being implemented into the bus and subway system in Denmark, which already is many years behind schedule and many millions of dollars over budget because of adjustments that needed to be made so it would adapt to the already established systems in Denmark.

At time of writing, there still hasn't been taken any action nor is there any information available that they intend to fix the vulnerabilities in the current card software.


  1. Cool story, its a shame companies don't thank people like this for discovering a flaw and just choose to sue them to oblivion.

  2. I agree, but I think they are making an example of him to keep others from doing the same. This story has been a huge subject in Dutch media, so to avoid mass exploitation they probably must show people that such actions will be dealt with.

  3. Well, one thing is, that you can hack the card, but if the backend systems detect it, then the security of the chip doesn't really matter, as fraud will be noticed quickly. And hopefully other people using mifare, has taken greater care in the backend systems, to detect and maybe even prevent fraud.