back to article Dutch transit card crippled by multihacks

The introduction of the Dutch public RFID transit pass will be delayed because it can be easily hacked. The final blow was given by researchers from Royal Holloway, University of London, who confirmed earlier findings by Dutch Institute TNO that the card isn't properly secured. The Dutch Green Party and the Social Party have …

COMMENTS

This topic is closed for new posts.
  1. Aitor
    Unhappy

    Security by obscurity

    This is the main problem of security through obfuscation.. as there are no external checks for security, security tend to be sloppy at best.

    If you start shouting "open source" as a mantra, please consider that if everyone knows what you are doing, someone will eventually crack your public system, and chances are he won't tell you....

    So companies should propably use public and secure algorithms and then, not tell anyone witch ones they are using. That is secure... but illegal (as you must say you are using XXX open source code..)

  2. Anonymous Coward
    Coat

    Multipass

    Leeloo Dallas mul-ti-pass

  3. Anonymous Coward
    Anonymous Coward

    hmm

    and where would we go to get our modified oyster cards?

  4. Dimitris Andrakakis
    Boffin

    @Aitor :

    Using a standard (and proven) algorithm in closed-source and not telling anybody is NOT illegal. There is nothing that obliges you to report which algorithm you are using.

    Ofcourse, if you use a certain open source IMPLEMENTATION of the algorithm, then you do have to disclose your code too --but this actually depends on the open source license used. AFAIK, the requirements of the BSD license are less than these of GPL.

    That said, many people (including me) do regard open source code as more secure not just because it is open-source, but because peer review will eventually give out any insecurities, and they will be fixed.

    This does not happen in closed source cathedrals, even in very security conscious companies.

  5. Nick Pettefar

    As an alternative

    Should have used Double-Dutch. That would have stumped them.

    Tot-ziens!

  6. Anonymous Coward
    Paris Hilton

    Boston "Charliecard"?

    Anyone know why they chose that name? Cos my parents have an LP (yup, real vinyl) by a group called The Kingston Trio, and it has a song about a guy named Charlie who gets stuck on... the Boston MTA.

    Are there still places in America where the Guys In Charge have a real sense of humour??

    (Paris, cos she probably doesn't know either. And she's nicer to look at than the other choices... :-)

  7. Anonymous Coward
    Anonymous Coward

    London

    I guess the mistake here is selling single use tickets + the inability of the system to record and block used tickets.

    In london the whole thing is cross checked against a database so if anything looks suspicious they can just block a card. On buses the system isnt online, but its still checked. They also charge for cards and the equipment needed to break an oyster is probably quite expensive if it may only work once (on a bus) before being caught.

    Bottom line is that basing the whole system around secure smartcards is doomed to fail unless there is a way to detect and block bad cards.

  8. dervheid
    Happy

    Hyuck, Hyuck, Hyuck!

    and

    Hur, hur, hur!

  9. Anonymous Coward
    Coat

    DMCA?

    I thought that the DMCA had put an end to all reverse engineering activities?

    How dare these Hackers circumvent the security of the device! I'm surprised they aren't being sued or having criminal charges brought against them (I thought all hacking tools were banned in Germany, at least).

    These devices were perfect until those pesky hackers got hold of them!

    All right, I'll get my coat - it's the one with my unopened medication in the pocket.

  10. Frederick Karno

    Not so smart cards.

    We in Britain are so fortunate to have a government that is able to create Hacker proof systems the rest of the world should use our advisors that would solve the problems.

    <sarcasm for free !!! >

    Where money and computer controlled systems meet will always result in a scam and its one the system designers will not win !!! if there is enough money involved any algorithms or security measures will be broken.

    What they hope is not too many people will use the scams but like they hoped not too many people would file share they are misguided.

  11. Owen Carter
    Thumb Down

    I use it often on Amsterdams Metro

    Yet another IT geek in Amsterdam..

    I've had one of these for a year now and use it a lot. The whole roll-out is a farce. We've had the portal gates installed for ages. But one always stands open, with attendants at the head of the stairs to do the real checking, (at least they are a relatively cheerful lot). Some of the portals have now failed, and the card purchase/recharge machines are often broke. many stations only have one of these, so I end up 'Zwart Rijden' (black riding) just because I cannot add credit to my card. The machines themselves are a classic example of cheap stuff done badly.

    Some of the more secure cards (only the temporary cards that suffer the security problems) are supposed to auto-recharge from your bank-account when they drop below 5Eur credit. Mine fails to do this; but given the crapness of these idiots that comes as a relief, they'd probably just take random amounts..

    There was a fantastic incident when they were demonstrating this new kit to the press, first the chief guest's card failed to work. Then a flunky used a 'pre-prepared' card to open the portal, which promptly tried to close as they walked through, crunch. Sums it up really.

    ---------------

    The real problem is that the individual transport companies (GVB in amsterdam, RET in Rotterdam, others elsewhere) are hopeless. Truly Hopeless, in fact more than that; pathetically hopeless and then some.. with knobs on.

    In Amsterdam we have; Electronic platform signs that are often just plain wrong, or display random errors and garbled text. Sporadic cleaning, poor maintenance of everything, years old graffiti in the trains.

    - Train drivers who are antisocial and lazy, at my local terminus they don't stop where the stairs are, they stop at the other end, where the coffee machine is. Another favourite of the drivers is turning the heating off in the winter and leaving the doors open at the terminus's. In summer, the heating gets turned on and the doors left in auto-close.

    - But the sh1tness goes all the way to the top too. There is a singular inability to roll out new kit, the chipcard is just part of this.. I suspect the drivers attitude comes partly from working for a bunch of obvious tossers who's chief skill is shifting blame down the foodchain.

    Last week a metro derailed in the tunnel near central station, it took them over an hour to get the power turned off and checked. The flack from this (the fire service in particular are livid..) might just bring some improvement, but I doubt it. Working in Dutch public transport is a sinecure.

    These days I mostly ride my bike, but when I came here my initial experience of the system was a shock. They managed to be worse then the UK.. and that takes some doing.

  12. Bas Scheffers
    Linux

    Halting it would be irresponsible

    I agree with AC, there are multiple checks; even off-line readers still sync at the end of the day and if you used a fraudulent card: smile, you are on CCTV!

    They should continue as-is for now, going back to the drawing board would cost way more than they could ever hope to lose in fares through fraud. But get rid of the single use system and simply give proper cards you can load up with money again and again and ask for a deposit for these more expensive cards. Then over time upgrade all to the newer (and secure) Mifare DESFire card or the as-yet unreleased Mifare plus. (cheaper than the DESFire and unlikely to be hacked any time soon)

    Tux, because an open system would have showed its insecurity a long time ago and have been fixed.

  13. TeeCee Gold badge
    Paris Hilton

    Charliecard.

    Presumably so called 'cos only a bunch of Charlies would deploy such a thing.

    Paris, for the "Charlies" association...

  14. Anonymous Coward
    Anonymous Coward

    zwart maarkets

    ia m sure once the underworld have discovered a way they will be for sale in every pub or phone cards salesmen around corner in every "dogey pub" in london?

    as for transport in the netherlands being worse thatn london, i am stunned - according to the daily mail the world is much better abroad, we just dont want them johhny foriegners coming over here and sroting all our problems out!!

    at leaast the dutch can nip to a *coffee shop* and forget about it all!

    ...for sure!

  15. Chris Cooper
    Boffin

    Charliecard

    It couldn't possibly be named after the Charles River, which is as iconic to Boston as the Thames is to London. Could it? (Nah! Much more likely to be named after an obscure pop record...)

  16. Anonymous Coward
    Anonymous Coward

    Charlie on the MTA

    The CharlieCard really is named after the chap who gets trapped on the metro in the song "Charlie on the MTA".

  17. Ferry Boat

    @Chris Cooper

    Is the London one not named after 'Euston Station' by The Oyster Band then?

  18. Chris O'Shea
    Thumb Down

    Open Source is not always the answer ...

    ... so you create your fantastic OpenSource farecard, release the code to the world, and produce 100 million cards which are used everywhere ...

    ... and now tens of thousands of basement hackers and students are studying your implementation to find any weaknesses and even if it takes them six months or a year or more to crack/hack/spoof or otherwise reduce in effectiveness, you've now got a vast expense to replace or upgrade those 100 million cards. And thanks to the OpenSource ethos, that bypass/crack will be around the world before you can reprogram card one.

    Sure it only takes one person/group to crack a card, but giving them the source code and such makes it easier for the hacker ...

    ... of course if you can get people working on looking at holes *before* it is put into use, that would be better ... but let's be honest, there will be more people looking, and looking harder, to break the system once it is in action, and it will cost *a lot* to recover from that (assuming the flaw isn't so basic that you end up having to just discard all the cards and start from scratch).

  19. Anonymous Coward
    Coat

    Remember...

    The way governments do encryption. Its simple, they pick an algorithm that they think no-one can crack. And then they don't tell anyone about it. The reason you do it this way is simple. You have to expect that information on all the fixed data (like the algorithm and any seeds used for it) will eventually get out into the wild. But not knowing the algorithm does make it harder to try and attack the algorithm. So don't rely on security by obscurity, but still use it anyway.

  20. Dale

    Security by obscurity

    All security is by obscurity. As long as there is, by necessity, a key to open the thing being secured, then it is only secure as long as that key remains hidden. This is true for both physical locks and mathematical algorithms. Whatever algorithm you choose is just a complicated way of hiding the key amongst lots of other keys that don't work. Some algorithms are weak which means there are ways to rule out a lot of the keys without actually trying them, but in the end, all security can be defeated by brute force (try every key until you find the right one). The only thing that stops this is the time it would take. Technology moves on; what today would take a billion years to brute force might take minutes one day in the future. It's secure today, but only because it takes so long to find all the hiding places.

  21. David Tonhofer Silver badge
    Alert

    First poster gets it wrong

    > This is the main problem of security through obfuscation.. as there are no external checks for security, security tend to be sloppy at best.

    Possibly, but not necessarily. Of course, "roll your own cryptosystem" is to be avoided as a sign of the typical cowboy coder stance.

    > If you start shouting "open source" as a mantra, please consider that if everyone knows what you are doing, someone will eventually crack your public system, and chances are he won't tell you....

    Possibly, but not necessarily. If everyone knows that I keep my rare pr0n in bank safe 12 at location X, there will still be nobody who can get at it.

    > So companies should probably use public and secure algorithms and then, not tell anyone witch ones they are using. That is secure... but illegal (as you must say you are using XXX open source code..)

    It's not "illegal", it's breach of contract. And then again, you may just add "contains OpenSSL code licensed by the Apache software foundation", which is sufficient.

    The larger problem being of course, that your _code_ is the LEAST problematic aspect of keeping your system secure (how do you "crack" my AES implementation? fat chance here),.

  22. Anonymous Coward
    Thumb Up

    @Multipass

    Well-played, sir. If anybody ever actually made something called a multipass, I'd end up getting one just so I could go around holding it up and saying, "Multipass!"

  23. Curtis W. Rendon
    Boffin

    irrelevant to opensource

    the license of whatever cryptography used is only relevant if they change the source code and republish it.

    Use of it in their systems certainly *DOES NOT* require a revelation of what they are using or how.

  24. J
    Linux

    @Aitor

    "So companies should propably use public and secure algorithms and then, not tell anyone witch ones they are using. That is secure... but illegal (as you must say you are using XXX open source code..)"

    Not really, I think. At least that's not how the GPL v.2, the license I'm more familiar with, works. You are only required to give out the source code if you are redistributing the software for other people to use, regardless of whether you modified it or not. Whatever modifications you eventually do need not be known to the world if the software stays in house.

    That's what Google does, isn't it? They sure modify a lot of free software to optimize for their needs, but they do not redistribute the software. Therefore, they are not required to divulge their mods.

  25. Anonymous Coward
    Thumb Up

    Re: Charliecard

    Yeah, if you've ever been in a bar full of Bostonians when the band plays "Charlie on the MTA" you would pretty well know they take that song to heart!

  26. Anonymous Coward
    Anonymous Coward

    Attributation

    BSD licenses often require it.

    Later GPL licenses require it, but not the old ones.

    The problem with GPL is the idea of distribution - if you give the code in a compiled format to anyone else then you have to give the source. GPL is not good if you wish to obscure the algorithm used.

    Instead most encryption algorithms that are used are in the public domain - all it requires is you hire a developer to code the algorithm and then run checks against the implementation. Then you can do what you like with it.

    So, yes if you wish to hide the algorithm used, which is a good idea and makes it a bit more secure, you have to code the algorithm yourself, nabbing someones GPL or BSD code will mean you have to disclose the algorithm used by association.

    Not all encryption algorithms are in the public domain though - the NSA hold quite a few patents on some encryption algorithms. But, the big ones you may have heard of tend to be in what is termed the Public Domain.

    The point is slightly moot though - encryption systems can give off their own signature if you will - and if you are ever able to encode something and see the result you can quite easily work out which algorithm is used. This is how the testing system works really - encode 0000000000000000 with itself and you get 4EF997456198DD78 for example, this would tell you blowfish is being used.

    Of course you can decided to shift the algorithm or combine algorithms, but you really do need to know what you are doing so as not to introduce a vulnerability into your encryption, and testing obviously will be harder.

  27. Michael

    Let's hope these people in Kitchner, Waterloo don't use the same technology!

    http://www.cbc.ca/technology/story/2008/04/16/chip-card.html

    Thanks.

    The Burger Man

    at

    Gmail

    dot

    com

  28. Anonymous Coward
    Stop

    @David Tonhofer, Re: First poster gets it wrong

    speaking of getting it wrong---

    "And then again, you may just add "contains OpenSSL code licensed by the Apache software foundation", which is sufficient."

    Better go check the OpenSSL web site. The only thing OpenSSL has to with with Apache is that the license is "...an Apache-style license..."

  29. Mike Morris

    Charlie..

    In reality the song was a political campaign song for one George O'Brien.

    From http://www.ktracy.com/?p=957

    Mr. O’Brien was a Progressive Socialist Party Candidate for Mayor in Boston in 1948.

    He was against a plan to add a nickel "exit" fare to the ten cent per ride transport system.

    The Kingston Trio made it more or less well known years later.

    I guess with the new crackable cards we could be rolling those fares back to 1948 prices...

    Cheers,

    Mike

  30. Avalanche
    Stop

    @Owen Carter

    The reason the gates (one or more) are always open is because the OV-chipkaart is still in the trial phase, as a result people with the old 'strippenkaart' (paper multi-ticket that you need to stamp for the number of zones + 1) or OV yearcard without chip also need to be admitted, since Amsterdam is famous for 'zwart rijders', there are extra admittance checks.

    Also by now all cards have been cracked, so people can travel on your expense.

    Also @other people claiming supremacy for the oyster card: that is exactly the same system as the Dutch OV-chipkaart. And cross-checking data might work to suspend cards after the fact, but the PR nightmare, support costs is not to be forgotten. Also if a auto-recharge card is cloned, that money is written from your bankaccount automatically; trying to prove you were not the one to recharge that card is rather hard.

  31. Moss Icely Spaceport
    Alert

    Two Billion!

    Two billion to develop, think about it.

    I'll bet I could enlist a whole army of ticket inspectors, supply them with uniforms, radios, ticket punches and a smart hat for way less than 2 billion.

    Paper tickets never looked so attractive.

    2 billion !!!!!

  32. Monty Lovering

    Dutch public transport rocks

    I travel 2 hours each day from the south of the Netherlands to Amsterdam, and back. 126km a day. It costs €87 or 67 quid per week, and for that I can travel free all the time anywhere on Dutch public transport.

    In four months I have been delayed by between 1/2 an hour or a little over an hour less than 5 times, and I get a refund of €6 each time I am delayed by half an hour, or €12 for over an hour.

    Beat that. In terms of reliability, cost and convenience the Dutch have one of the best public transport systems going.

    Door to door time is about equal to driiving but it is cheaper than the cost of petrol (far cheaper if you include parking costs) and you can't read a book, sleep or have breakfast in a traffic jam, not even the daily 'car park' traffic jams round Utrecht and on the drag into Amsterdam.

    Inside Amsterdam it might be a little different, but you can spit across Amsterdam and it's flat as a super-model chest, so you can cycle on ubiquitous cycle lanes that are safe and convenient, or be lazy, and take longer. Even then it takes half an hour to get to most places most day, top whack.

    Any one complaining really doesn't know what public transport in other cities is like.

    As you can spit across Amsterdam

This topic is closed for new posts.