Security flaw in smart cards poses risk for transit, building access
Last Updated: Friday, October 10, 2008 | 1:45 AM ET
By Zach Dubinsky, CBC News
Transit systems across Canada stand to lose tens of thousands of dollars to fare fraud, and access to office buildings could be compromised, after a security flaw in some of their smart-card technology was widely publicized this week.
Computer-security researchers at Radboud University Nijmegen in the Netherlands revealed how the smart-card technology, called Mifare, can be hacked to let anyone with a computer and $100 worth of parts create counterfeit transit and building-access passes.
Mifare uses a radio-frequency-emitting computer chip embedded in a plastic card. Transit riders wave the card over a reader to pay fares, while employees and students flash it at secured doorways to gain admittance in many offices and schools.
The technology has been implemented in transit systems in St. John's, Gatineau, Que., the Greater Toronto Area and the Ontario cities of Kingston and Brantford, and is under consideration for use in Saskatoon.
Mifare chips, according to Dutch-based vendor NXP Semiconductors, are used in more than a billion radio-frequency identification (RFID) cards around the world — including security passes used to access buildings — and represent 70 per cent of the market for so-called contactless smart cards.
"The proprietary cryptography used on the Mifare Classic RFID chip is severely flawed," Wouter Teepe, one of the Dutch researchers, writes in a paper published Monday. "The management summary would be something like, 'Mifare Classic is broken.' "
Teepe and his colleagues cracked the encryption code on Mifare chips. They reported the security flaw in March, in the wake of earlier work by University of Virginia grad student Karsten Nohl, but only published the full details this week.
Once they'd cracked the encryption, the Dutch researchers were able to use hand-held antennas to remotely read the contents of someone's building-access pass, then forge a fake duplicate pass that gave them access to the same building.
The researchers also successfully hacked the Dutch national transit system and London's transit, showing how someone could get a day of free rides with little effort.
NXP working on solutions
Transit systems that use Mifare Classic smart cards are vulnerable in two ways. Because the cards communicate through the air using radio waves, a hacker could wirelessly read a transit rider's pass from a distance — several inches, or, as some hackers have demonstrated, up to 10 feet — and then "clone" the confidential information onto a blank impostor card that would seem like the original to a bus farebox. In transit systems where riders put money onto their smart cards that gets deducted with each trip, a hacker could also tinker with the card to increase its balance.
NXP Semiconductors has acknowledged the security problems and says it is working on solutions.
"It is NXP's objective to transparently update all system integrators and operators of infrastructures which use Mifare Classic in a timely manner," the company says in a statement on its website.
There are also ways to mitigate the security gaps, according to Juan Liverant, CEO of BEA Transit Solutions, which implemented smart-card payment systems for the transit networks in St. John's, Kingston and Brantford, as well as cities in Mexico.
"One is for the software on the back end to keep track of the balance on all the cards, and if one doesn't match what I have on my system, then the next time it's tried to be used it can be invalidated," Liverant told CBC News. "So far, to our knowledge, we haven't had a card cloned of all the systems we have in Canada or anywhere in the world."
But that fix has its shortcomings, Liverant acknowledged. Payment information has to be downloaded from every bus in the transit system onto a central database, which typically can only happen once the buses are parked for the night, so high-tech fare cheats would enjoy 24 hours of potentially free rides.
Also, riders with legit transit cards that were copied by a hacker would see their cards invalidated, in the same way that credit cards can be automatically blocked in the event of suspected fraud.
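The back-end check Liverant describes can be sketched as a nightly replay of farebox records against a central ledger. This is an added example, not code from BEA Transit Solutions or any transit operator; the record format, card IDs and amounts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tap:
    """One farebox record from the nightly upload (constructed format)."""
    ts: int              # tap time, seconds since start of service day
    card_id: str
    balance_before: int  # cents, as read from the card at tap time
    delta: int           # cents: negative = fare, positive = top-up

def reconcile(ledger, taps):
    """Replay one day's taps against the back-end ledger.

    ledger maps card_id -> balance in cents the back end expects on the card
    and is updated in place. Returns the card ids to block from the next day on.
    """
    blocked = set()
    for tap in sorted(taps, key=lambda t: t.ts):
        if tap.card_id in blocked:
            continue  # already flagged; later taps cannot be trusted
        expected = ledger.get(tap.card_id)
        if expected is None or tap.balance_before != expected:
            # Unknown card, edited balance, or two cards sharing one id.
            blocked.add(tap.card_id)
            continue
        ledger[tap.card_id] = expected + tap.delta
    return blocked

# Constructed sample data: fares are 275 cents.
SAMPLE_LEDGER = {"A100": 2000, "B200": 500, "C300": 1000}
SAMPLE_TAPS = [
    Tap(100, "A100", 2000, -275),   # normal rider
    Tap(900, "A100", 1725, -275),
    Tap(200, "B200", 5000, -275),   # balance on card raised outside the system
    Tap(300, "C300", 1000, -275),   # genuine card
    Tap(400, "C300", 1000, -275),   # copy made while the card held 1000
]

if __name__ == "__main__":
    ledger = dict(SAMPLE_LEDGER)
    print(sorted(reconcile(ledger, SAMPLE_TAPS)), ledger)
```

The block list is keyed on card ID, so the genuine C300 card is invalidated along with its copy, and nothing is flagged until the day's records have been uploaded.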
'It's unlikely we'd use that'
Cities around the world have been shaken by the Mifare flaw. In addition to London and the Netherlands, Mifare Classic is used in Minneapolis-St. Paul, Boston and Brisbane, Australia.
Edmonton is using Mifare technology in a small, pilot smart-card program to test the feasibility of deploying contactless payments across its transit system. But Graydon Woods, the program's manager, said the security flaw won't affect the city's transit in the long term.
"We're aware of the vulnerabilities with Mifare, so it's unlikely we'd use that," Woods said Thursday. "It's not applicable to us."
Elsewhere in Canada, the Gatineau transit authority implemented its payment system based on Mifare Classic in 1998. Burlington, Ont., a city located west of Toronto, used a Mifare Classic system until last summer.
Vince Mauceri, a former manager with Burlington Transit and now the general manager of transportation operations for the Greater Toronto Area's Metrolinx transit agency, played down the Mifare problem.
"We're talking micropayments. We're not talking about buying a couch at Leon's," Mauceri said. "I think the crooks want to go after the big-dollar items, not micropayments."
Metrolinx is part of a project to implement a smart card called the Presto card for all Toronto-area transit systems over the next four years, and it will use a newer, more secure Mifare platform called DESFire — the same version Edmonton is considering.
Vancouver is also aiming to bring in smart-card payment systems, but transit authority TransLink is still in the early stages of planning and hasn't settled on what technology it will use, spokesperson Ken Hardy said.
Manufacturer blamed
The Dutch researchers who successfully hacked Mifare said NXP is entirely to blame for the security issues because the manufacturer decided to use a confidential, proprietary encryption method that was untested.
"All this demonstrates, once again, the dangers of relying on 'security by obscurity,' keeping the design of a system secret and relying on this to keep the system secure," the researchers said in a statement issued Monday.
"As all experts in the field agree, a better approach is … making the design of a system public so that it can be openly evaluated and scrutinized by experts."

