Exclusive: Researchers crack Aussie state transport system, get free rides

Powered by SC Magazine
 

Ancient custom crypto defeated.

View larger image View larger image View larger image

See all pictures here »

 

credit: SC
(left-right) Theo Julienne, Karla Burnett, Damon Stacey, and Dougall Johnson

 

An Australian state public transport system has been cracked by a group of security researchers who were able to replicate cards to enable free travel.

Theo Julienne, Karla Brunett, Damon Stacey, and Dougall Johnson used flaws in the system's decades-old custom cryptographic scheme to access transport data and reproduce tickets.

A team of four security researchers, using the group name TrainHack, presented their work in a talk dubbed Reverse Engineering a Mass Transit Ticketing System at the Ruxcon security conference in Melbourne today.

It cost only a few hundred dollars to buy a card reader and equipment to crack the cards.

They chastised the use of weak custom encryption but in line with disclosure agreements did not name the type of cryptography used or identify the affected organisation.

But they said the transport organisation faced such an onerous task in fixing the massive distributed transport system – which spread across multiple modes of travel including trains and buses – it may withold a fix and wait for a scheduled upgrade of the system.

“It was independent research, done through curiosity,” Johnston said.

"The custom cryptography was made before I was born".

The transport organisation did not reveal the cost of repairing the flaws.

After about a week's worth of research, drawn out over months, the students sent their findings including a string of ticketing data extracted from the cards to the transport organisation as part of responsible disclosure.

About two months ago, they met the organisation's chief information officer and resident subject matter experts to discuss the flaws.

Their research was made using purchased tickets rather than the public transport hardware to avoid breaching computer crime laws.

They said following a cursory examination that Victoria's MyKi transport system, which upgraded to use Mifare DESFIRE EV1 cards, was built with rugged security that made it hard to crack.

The affected transport organisation in a written statement said it viewed security as a priority.

Johnston said the group still pays for tickets.

Copyright © SC Magazine, Australia


 
 
 
Top Stories
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
Photos: iTnews Benchmark 2015 finalists revealed
Awards alumni gather to celebrate.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1746

Vote
Do you support the abolition of the Office of the Information Commissioner?