Exclusive: Researchers crack Aussie state transport system, get free rides

Powered by SC Magazine
 

Ancient custom crypto defeated.

View larger image View larger image View larger image

See all pictures here »

 

credit: SC
(left-right) Theo Julienne, Karla Burnett, Damon Stacey, and Dougall Johnson

 

An Australian state public transport system has been cracked by a group of security researchers who were able to replicate cards to enable free travel.

Theo Julienne, Karla Brunett, Damon Stacey, and Dougall Johnson used flaws in the system's decades-old custom cryptographic scheme to access transport data and reproduce tickets.

A team of four security researchers, using the group name TrainHack, presented their work in a talk dubbed Reverse Engineering a Mass Transit Ticketing System at the Ruxcon security conference in Melbourne today.

It cost only a few hundred dollars to buy a card reader and equipment to crack the cards.

They chastised the use of weak custom encryption but in line with disclosure agreements did not name the type of cryptography used or identify the affected organisation.

But they said the transport organisation faced such an onerous task in fixing the massive distributed transport system – which spread across multiple modes of travel including trains and buses – it may withold a fix and wait for a scheduled upgrade of the system.

“It was independent research, done through curiosity,” Johnston said.

"The custom cryptography was made before I was born".

The transport organisation did not reveal the cost of repairing the flaws.

After about a week's worth of research, drawn out over months, the students sent their findings including a string of ticketing data extracted from the cards to the transport organisation as part of responsible disclosure.

About two months ago, they met the organisation's chief information officer and resident subject matter experts to discuss the flaws.

Their research was made using purchased tickets rather than the public transport hardware to avoid breaching computer crime laws.

They said following a cursory examination that Victoria's MyKi transport system, which upgraded to use Mifare DESFIRE EV1 cards, was built with rugged security that made it hard to crack.

The affected transport organisation in a written statement said it viewed security as a priority.

Johnston said the group still pays for tickets.

Copyright © SC Magazine, Australia


 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 340

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  58%
 
No
  42%
TOTAL VOTES: 143

Vote