iTnews
  • Home
  • News
  • Technology
  • Security

Students crack state transport system

By Darren Pauli
Oct 22 2012 1:23PM
Follow google news

Copied cards enable free rides.

An Australian state public transport system has been cracked by a group of security researchers who were able to replicate cards to enable free travel.

Students crack state transport system

Theo Juleene, Karla Brunett, Damon Stacey, and Dougall Johnston used flaws in the system's decades-old custom cryptographic scheme to access transport data and reproduce tickets.

A team of four security researchers, using the group name TrainHack, presented their work in a talk dubbed Reverse Engineering a Mass Transit Ticketing System at the Ruxcon security conference in Melbourne last week.

It cost only a few hundred dollars to buy a card reader and equipment to crack the cards.

They chastised the use of weak custom encryption but in line with disclosure agreements did not name the type of cryptography used or identify the affected organisation.

But they said the transport organisation faced such an onerous task in fixing the massive distributed transport system – which spread across multiple modes of travel including trains and buses – it may withold a fix and wait for a scheduled upgrade of the system.

“It was independent research, done through curiosity,” Johnston said. "The custom cryptography was made before I was born".

The transport organisation did not reveal the cost of repairing the flaws.

After about a week's worth of research, drawn out over months, the students sent their findings including a string of ticketing data extracted from the cards to the transport organisation as part of responsible disclosure.

About two months ago, they met the organisation's chief information officer and resident subject matter experts to discuss the flaws.

Their research was made using purchased tickets rather than the public transport hardware to avoid breaching computer crime laws.

They said following a cursory examination that Victoria's MyKi transport system, which upgraded to use Mifare DESFIRE EV1 cards, was built with rugged security that made it hard to crack.

The affected transport organisation in a written statement said it viewed security as a priority.

Johnston said the group still pays for tickets.

Add iTnews as your trusted source

Add iTnews As Your Trusted Source Add iTnews As Your Trusted Source
Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
hackingruxconruxcon 2012securitytransportit

Related Articles

  • Anthropic releases Mythos-class model for public use Anthropic releases Mythos-class model for public use
  • Apple bumps up security in fresh operating system releases Apple bumps up security in fresh operating system releases
  • Meta accuses NSO Group of violating court order by WhatsApp spear phishing Meta accuses NSO Group of violating court order by WhatsApp spear phishing
  • Researchers build self-replicating AI worm with BYO LLM Researchers build self-replicating AI worm with BYO LLM
Join our WhatsApp Channel

Partner Content

Take control of your connectivity with Telstra’s Adaptive Networks Centre
Partner Content Take control of your connectivity with Telstra’s Adaptive Networks Centre
AI is delivering business value today
Partner Content AI is delivering business value today
The hidden economics of AI: Why token usage matters more than you think
Partner Content The hidden economics of AI: Why token usage matters more than you think
Scalable AI solutions: secure delivery
Scalable AI solutions: secure delivery

Sponsored Whitepapers

Agile in the AI Era: why projects still fail
Agile in the AI Era: why projects still fail
When Technology Becomes the Blocker: Unlocking Real Outcomes from AI and Cloud
When Technology Becomes the Blocker: Unlocking Real Outcomes from AI and Cloud
High-volume data sources for AI-driven security analytics
High-volume data sources for AI-driven security analytics
How healthcare organisations can get more value from cloud
How healthcare organisations can get more value from cloud
1 in 3 companies lose SaaS data. Here’s how to prevent it
1 in 3 companies lose SaaS data. Here’s how to prevent it

Events

  • iTnews State of Security Breakfast iTnews State of Security Breakfast
  • iTnews State of Data & AI Breakfast iTnews State of Data & AI Breakfast
  • The 2026 iAwards The 2026 iAwards
  • Integrate 2026 Integrate 2026
  • Security Exhibition & Conference Security Exhibition & Conference
Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Anthropic opens Claude Mythos Preview AI program to Australia

Anthropic opens Claude Mythos Preview AI program to Australia
Defence says Palantir is "sandboxed" in its environment

Defence says Palantir is "sandboxed" in its environment
Services Australia describes fraud, debt-related machine learning use cases

Services Australia describes fraud, debt-related machine learning use cases
Researchers build self-replicating AI worm with BYO LLM

Researchers build self-replicating AI worm with BYO LLM
techpartner.news logo
Sydney-based AI-cloud waste startup raises $3m
Sydney-based AI-cloud waste startup raises $3m
Brennan uses NiCE to modernise its contact centre
Brennan uses NiCE to modernise its contact centre
Impact Awards: Tecala slashes customer response times for fintech IQumulate
Impact Awards: Tecala slashes customer response times for fintech IQumulate
Interactive introduces private cloud platform
Interactive introduces private cloud platform
Digital61 expands cybersecurity portfolio
Digital61 expands cybersecurity portfolio
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.