Schneier on Security
A blog covering security and security technology.
« Cryptanalysis of SHA-1 |
| Hunter S. Thompson »
February 21, 2005
Hacking a Bicycle Rental System
CallABike offers bicycles to rent in several German cities. You register with the company, find a bike parked somewhere, and phone the company for an unlock key. You enter the key, use the bike, then park it wherever you want and lock it. The bike displays a code, and you phone the company once again, telling them this code. Thereafter, the bike is available for the next person to use it. You get charged for the time between unlock and lock.
Now read this site, from a group of hackers who claim to have changed the code in 10% of all the bikes in Berlin, which they now can use for free.
Posted on February 21, 2005 at 8:00 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Just for the records: the bikes are all in service for the winter break, CallABike has been informed about the backdoors, and it will be no longer possible to use the bikes for free.
"given the level of effort..."
Interesting project. They have some useful suggestions for improving the code, but overall it seems the real vulnerability is physical access to the hardware.
CallABike seems to be about a service in an a fairly safe environment. In other words, they made a fairly tamper-proof system, but perhaps they should have deployed military grade "hostile zone" black-box hardware to prevent physical compromise. I guess the question is whether the cost of such a box would be more than the expected loss (or the claim of 10%), and whether the company would gain notoriety (free marketing) by having a contest to see if anyone could break the box.
Davi, I agree that any hardware that is in the hands of other people cannot be fully secured. It seems (in this case) that if you wanted to steal the bikes then removing all of the equipment would have been a lot easier than doing what these people did. (It sounds like a torx driver does the job).
However, the big mistake that they made was just not enabling the hardware protection that would have made it a lot herder to read the code out of the system. Fixing that one issue would probably have stopped them doing what they did.
prevent physical compromise --> make it harder to physically compromise
I have heard rumors about hardware devices which contain explosives that go off when they are opened, but even these can be tampered with.
Interesting! Seems a few coins' worth of a high-grade thread locking product (http://makeashorterlink.com/?I11F2178A) would have prevented the Torx screws from coming off without drilling, thus increasing the time and difficulty level for the hack. This stuff is available from 'vibration resisting' to 'gotta break off the bolt' grades.
"Layering" comes to mind ... but of course, one could always cut the whole device off, but is the $ value of the item worth it? And the lost revenue of up to 10% of their fleet?
just my .02,
It's not nearly 10% of their income. The bikes still work like designed. you can use them for free only if you know the secret code.
Making it impossible to physically compromise hardware is all but impossible - particularly if you have any expectation of servicing the equipment (in this case, maybe just to completely replace a lock which is broken without having to throw the whole bicycle away).
Perhaps a better goal is to make any compromise visible and therefore potentially traceable. For example, one could use difficult to replace seals across the screw heads. They wouldn't prevent anybody from getting in but would make it obvious that they had.
If they locked the screws in to place then technicians would not be able to open the box and replace dying batteries (unless I missed another way to replace the batteries).
One thing that CallABike got right was having different keys for every bike. As a result, the bikes have to be compromised one at a time, instead of a system compromise. And because of this, the attack is not economical - the crackers admit that it cost them much more to do it than they saved in bike rental. Even then, the 10% of devices they attacked were all ones which had not been set up correctly, i.e. the IP bit was unset. Lessons learned:
o Having diverse keys instead of a system key eliminated a "single point of failure" and created a system that degraded gracefully when attacked;
o Making an attack uneconomical didn't stop people attacking for kudos or curiosity!
o Poor quality control can seriously affect security. 10% of units getting shipped without programming being completed is BAD. This might have been eliminated if they had multiple layers of defence, so that one such error did not compromise the whole device.
o Torx ("tamper resistant") screws contributed negligibly to security because the device could be taken away by the attacker. I suppose they help to reduce casual vandalism, though.
o The potting compound was also useless, although it sounds like a water barrier rather than anti-tamper potting compound.
My own recommended improvement would be to put the key and as much as possible of the "scramble" routine into RAM instead of flash, and add several sensors to cut the power if tampering was detected. Not foolproof but quite cheap and would certainly have thwarted this team. Of course, to fit the key and algorithm into RAM, they might have to change from their home grown system to, say, XTEA or somesuch!
Almost every system we use in the modern world depends on some level of public trust. The security put in place was sufficient to stop 99.9% of crooks, leaving an acceptable loss rate. It was not designed to stop 0.00001th percentile hackers, who used their extraordinary ability to compromise the system and then published their exploit.
Do we really want Hobbes' war of all against all in our society? With my technical training and industrial background I COULD do a lot of damage to a lot of things. I don't and never will. If I am otherwise a person of goodwill (not a criminal), should I go around breaking things I can break just to prove it can be done?
There aren't a lot of criminals who will spend 7 years in engineering school and 10 years in industrial jobs just to learn to be better crooks. But if we build a society and physical environment to that level of prevention, I suspect it will be a very ugly place to live. Do those of us who aren't crooks but have the ability to be system hackers have a responsibility not to do what we could do?
---Do those of us who aren't crooks but have the ability to be system hackers have a responsibility not to do what we could do?
Well, I guess 7 years of engineering school didn't teach semester 1 of the Great Books. Perhaps that's what's lacking -- any notion that these questions have been asked and answered for thousands of years.
Yes, we have such a responsibility Pretty clear, right? I mean, we all have the ability to murder, rape or torture, and yet we refrain. Some of us have the ability to build nukes, and yet we refrain. Others have the ability to derail all trains, blow up bridges, poison water supples, etc.
Societal order in a free society is not maintained by laws. So if you want to keep having a free society, then you need to inculcuate enough civility--enough belief in the value of civic responsibility--to maintain that order. If you can't, then authoritarian systems will be created to maintain that order.
Very impressing. I'm fairly impressed too that there is still reactions about this pivotal event in Berlin, exactly (!) 2 years after it actually happened. :)
(NB the info about the success of the hacked bikes was sent out by the Chaos Computer Club exactly on Dec 15, 2004)
Technically, it's a great achievement. This was an Atmel RISC 8bit uC, hence nothing too common, requiring the hackers to understand its function first.
BTW: everyone please note that THERE WAS *NO* CODE CRACKING INVOLVED AT ALL.
Cracking a code means to remove the security barrier for good, so that ANY code will work henceforth. This was *NOT* the case here. They simply managed to understand the code and *add* some additional code which formed the aforementioned "backdoor."
This backdoor code is ONE single code and you must know it to use the bike free of charge.
Moreover, it would be nice to know whether the attack would be as successful as it was 2 years ago - now.
does anyone happen to know which company is manufacturing these bikes?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.