Exclusive: Researchers crack Aussie state transport system, get free rides

Powered by SC Magazine
 

Ancient custom crypto defeated.

View larger image View larger image View larger image

See all pictures here »

 

credit: SC
(left-right) Theo Julienne, Karla Burnett, Damon Stacey, and Dougall Johnson

 

An Australian state public transport system has been cracked by a group of security researchers who were able to replicate cards to enable free travel.

Theo Julienne, Karla Brunett, Damon Stacey, and Dougall Johnson used flaws in the system's decades-old custom cryptographic scheme to access transport data and reproduce tickets.

A team of four security researchers, using the group name TrainHack, presented their work in a talk dubbed Reverse Engineering a Mass Transit Ticketing System at the Ruxcon security conference in Melbourne today.

It cost only a few hundred dollars to buy a card reader and equipment to crack the cards.

They chastised the use of weak custom encryption but in line with disclosure agreements did not name the type of cryptography used or identify the affected organisation.

But they said the transport organisation faced such an onerous task in fixing the massive distributed transport system – which spread across multiple modes of travel including trains and buses – it may withold a fix and wait for a scheduled upgrade of the system.

“It was independent research, done through curiosity,” Johnston said.

"The custom cryptography was made before I was born".

The transport organisation did not reveal the cost of repairing the flaws.

After about a week's worth of research, drawn out over months, the students sent their findings including a string of ticketing data extracted from the cards to the transport organisation as part of responsible disclosure.

About two months ago, they met the organisation's chief information officer and resident subject matter experts to discuss the flaws.

Their research was made using purchased tickets rather than the public transport hardware to avoid breaching computer crime laws.

They said following a cursory examination that Victoria's MyKi transport system, which upgraded to use Mifare DESFIRE EV1 cards, was built with rugged security that made it hard to crack.

The affected transport organisation in a written statement said it viewed security as a priority.

Johnston said the group still pays for tickets.

Copyright © SC Magazine, Australia


 
 
 
Top Stories
Westpac interim CIO resigns
Group CIO yet to be appointed.
 
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  26%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 888

Vote