Thursday, 28 August 2008

Brisbane's Go Cards: Easily Cracked

UPDATE: I posted this article over at the brisneyland community on livejournal, and there are plenty of interesting comments there about hacking the Go/Mifare card.

The Go Card has started up in Brisbane this year. It's a card that lets you travel on public transport - you load the card up with credit, and touch it to a reader when you get on and off buses, trains and ferries. But the card is very insecure, and three different groups of academics have been able to crack it, which means they could easily create a fake card and use it to get free transport. The card could be cracked by someone with cheap equipment in just a few seconds. Meanwhile, the company that makes the cards, NXP Semiconductors, has been trying to suppress the information about the card's weaknesses, instead of fixing the problems.

The Go Card is actually a Mifare Classic card, made by NXP Semiconductors, a Dutch company. Mifare Classic cards are used all over the world, including in London, where they are branded as the well-known Oyster Card. NXP sent a letter on July 29th to its customers who use the Mifare Classic card, saying:

We are investigating protection scenarios for systems using MIFARE Classic, as in some systems insufficient mechanisms to detect fraudulent cards may have been implemented. Mindful of the above, we urgently ask you to contact your system integrator for an assessment of your systems. Extensive additional protection mechanisms are recommended [emphasis added], both on how the data on the card is used as well as deploying additional security layers separate from the card.
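The advice in that letter amounts to this: do not trust the value the card reports, and do the checking somewhere the card cannot reach. One way a transit backend can act on it is to keep its own authoritative ledger, flag any card whose stored balance disagrees with that ledger (a rewritten card), and flag any card that taps at two different stations sooner than a passenger could travel between them (the signature of a cloned card in use in two places). The following is an added example written for this post, not code from TransLink, Cubic or NXP; the tap log, the flat fare, the station names and the travel-time table are all constructed for illustration.

```python
"""Server-side plausibility checks for a stored-value transit card.

Added example for this post; not TransLink's, Cubic's or NXP's code.
All data below (fare, stations, travel times, taps) is constructed.
"""
from dataclasses import dataclass

FARE_CENTS = 250  # constructed flat fare, deducted by the backend per tap

# Constructed minimum travel time in seconds between station pairs.
# Pairs not listed fall back to a conservative default.
MIN_TRAVEL = {
    frozenset({"Central", "Roma St"}): 120,
}
DEFAULT_MIN_TRAVEL = 600


@dataclass(frozen=True)
class Tap:
    card_uid: str      # card identifier as read by the gate
    station: str       # where the tap happened
    ts: int            # tap time, seconds (constructed epoch)
    card_balance: int  # balance in cents as stored on the card itself


def check_taps(taps, ledger, min_travel=MIN_TRAVEL,
               default_min_travel=DEFAULT_MIN_TRAVEL):
    """Replay taps against the backend ledger and return alerts.

    Each alert is (card_uid, tap_ts, reason_code). The ledger, not the
    card, is treated as the source of truth for the balance.
    """
    ledger = dict(ledger)          # work on a copy of the caller's ledger
    last_seen = {}                 # card_uid -> (station, ts) of previous tap
    alerts = []
    for tap in sorted(taps, key=lambda t: t.ts):
        expected = ledger.get(tap.card_uid)
        if expected is None:
            # The backend has never issued this identifier.
            alerts.append((tap.card_uid, tap.ts, "unknown_card"))
            continue
        if tap.card_balance != expected:
            # Card memory disagrees with the backend: contents were altered.
            alerts.append((tap.card_uid, tap.ts, "balance_mismatch"))
        prev = last_seen.get(tap.card_uid)
        if prev is not None and prev[0] != tap.station:
            needed = min_travel.get(frozenset({prev[0], tap.station}),
                                    default_min_travel)
            if tap.ts - prev[1] < needed:
                # Same identifier at two stations faster than any trip:
                # consistent with a duplicate of this card being in use.
                alerts.append((tap.card_uid, tap.ts, "impossible_travel"))
        last_seen[tap.card_uid] = (tap.station, tap.ts)
        # Deduct the fare in the backend ledger regardless of what the
        # card claims; the card is only a cache of this number.
        ledger[tap.card_uid] = expected - FARE_CENTS
    return alerts


def run_example():
    """Constructed tap log: A is honest, B behaves like a clone, C like a
    card whose stored balance was rewritten."""
    ledger = {"A": 1000, "B": 800, "C": 300}
    taps = [
        Tap("A", "Central", 1000, 1000),
        Tap("A", "Roma St", 1400, 750),        # 400 s later, balance agrees
        Tap("B", "Central", 2000, 800),
        Tap("B", "Indooroopilly", 2060, 550),  # 60 s later at a far station
        Tap("C", "Central", 3000, 5000),       # ledger says 300, card says 5000
    ]
    return check_taps(taps, ledger)


if __name__ == "__main__":
    for uid, ts, reason in run_example():
        print(f"card {uid} at t={ts}: {reason}")
```

The ordering matters: the balance check runs before the ledger is updated, so the card must carry exactly the number the backend wrote at the last interaction, and the travel check compares against the previous tap of the same identifier rather than against the card's own transaction history, which a rewritten card could have altered.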

NXP also used the letter to do a bit of upselling:

Depending on the specific situation in existing MIFARE Classic access management infrastructures, in many cases the usage of more sophisticated card ICs may be recommendable. DESFire EV1 and MIFARE Plus (available in Q4 2008) are our recommended solution for new access management implementations where a strong level of security is required.

MIFARE Classic provides a benchmark in cost competitiveness, while the recently announced MIFARE Plus enables an optimal future-proof migration path when necessary. Both, MIFARE Plus and our new high-end product MIFARE DESFire EV1 offer strong AES encryption and are targeted to receive the internationally recognized Common Criteria certification.

Cubic, the company which actually installed the Go Card system in Brisbane's public transport, said in March that the system was secure:

In a statement last week, Queensland Transport said it was pursuing security concerns with Cubic, the Australian operator of the go card system.

"Cubic has provided advice that the go card ticketing system is not at risk from the most recent claims raised regarding the Mifare Classic smart card," the statement said.

A Queensland Transport spokesman said it was Cubic's responsibility to provide a ticketing system "fit for purpose", including appropriate security systems.

"TransLink has received further advice from Cubic in March 2008 regarding the need for an ongoing security review due to technology advances as a normal and prudent approach to managing a smart card ticketing system," the spokesman said.

"TransLink has commenced and will continue assessing its responses to ensure system security remains paramount."

However, Mr Nohl [a member of one of the groups that cracked the cards] said he believed operators would be confident of the system's security until faced with an actual attack on its integrity.

"I'm sure they are very confident of it [the system] until someone comes around and cracks it," he said.

"The Mifare system was marketed as having advanced levels of protection, proved security and that's what people thought they had a few months ago and now our research has shown them quite the opposite."

NXP Semiconductors has been trying to sue the Dutch university that cracked the cards, to force them to keep their knowledge under wraps. However, they have failed in their attempt to shoot the messenger:

NXP Semiconductors regrets to inform you on the decision of the court in Arnhem from July 18th to allow the publication by the IT security specialists from the Radboud University Nijmegen, which includes attacks on MIFARE Classic systems. The University intends to present the publication during a conference on October 6th, with information on how the protocol and algorithm were reverse engineered, the description of the protocol and algorithm and the description of some practical attacks which can be carried out with limited means.

This report from the Radboud University Nijmegen will reduce the barrier to carry out actual attacks on infrastructures using MIFARE Classic, which prompted our request for a delay in its publication in order to allow for a reasonable time for appropriate system security upgrades.

As we were not successful in our request, you may want to address your interests directly with the University of Nijmegen, in relation to the disclosure of security risks to your systems in the aforementioned publication.

This article in Wired Magazine explains why it is dangerous to let companies that make security systems keep the flaws in those systems secret. The article quotes the Dutch court:

"Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

It will be interesting to see what happens here in Brisbane. Will Translink make any changes at all to the Go Card? Will they sue Cubic, and will Cubic in turn sue NXP Semiconductors, for making an easily cracked product? Will NXP pretend that it's all the fault of the bad universities, instead of making cards that can't be easily cracked? One thing is for sure: the only way we are going to get to know of flaws like this is if companies can't sue people into silence. I wonder what NXP Semiconductors would have done if no-one had bothered to research their cards. My guess: NOTHING.


m said...

yeah, I figured as much, since these types of cards have been cracked everywhere else.

It's just like the electronic voting machines in the US - the companies who make them pour money into trying to silence critics, rather than actually fixing their issues.

Surely just admitting it's wrong, getting recommendations, and fixing the problems would be much better PR, cheaper, and easier?

heh, what do I know?

David J said...

Surely just admitting it's wrong, getting recommendations, and fixing the problems would be much better PR, cheaper, and easier?

m, clearly not :(

Admitting a mistake and fixing the problems seems to take a back seat to pretending that everything is OK, and trying to close down legitimate criticism. I guess that at least part of this is because companies don't want to get sued by people. Since the Go Card is the same as the Oyster Card, which is widely used in London (for literally many million trips per day), you can imagine just how much money would be up for grabs if Transport for London sued them.