Schneier on Security

Looks like Mifare technology has been used in the Milano, Italy, public transport system as well.

Given how Tube journeys can cost £4 each way, it can't be long before people in trenchcoats start selling phony Oyster cards all over London.

Yes, that's the same card/chip as the one used in the Dutch public transport system. The attack uses bias in a random number generator to predict keys. Note that yet another (older) version of this chip is used in access-cards used for many Dutch government buildings. It was reportedly completely cracked last week by a professor at Nijmegen University in the Netherlands. The Dutch government is now posting human guards at buildings and locations where these passes are used.

Link to dutch article discussing cracked access-cards:

http://www.nu.nl/news/1475480/50/rss/Toegangspassen_overheidsgebouwen_gekraakt.html

As an aside, the Dutch government was already planning to replace these cards by the end of this year, and is now scrambling to move this forward to ASAP.

Biases in the output, how hard is that to check for?

Wow, Jan. If it really is used for the Milan public transit system, I think it's now pretty much guaranteed that bogus fare cards will outnumber real ones there in the very near future. Italians tend to be much quicker on the uptake than the Dutch or British on opportunities to stick it to their own public institutions.

> "When will people learn not to
> invent their own crypto?"

... meh. That's pretty ironic, coming from a guy who invented not one, but TWO crypto algorithms.

(Obviously, I am kidding. Don't kill me)

@ Bruce:

Your answer is: Economics.

The company came out with a new card that uses AES, but it's more expensive than the existing card.

They probably got the contract due to the price of the cards, and the AES cards would have been too expensive.

Occam's razor.

"That's pretty ironic, coming from a guy who invented not one, but TWO crypto algorithms."

*lol* YMMD!

I'm writing a RTS game as hobby. I was going to AES, but that is not fun.

Its far far more fun to invent your own. So i did. Case in point i was using helix......

Now someone of note in the crypto comunity said that its easy to design a crytpo algo that you yourself can't break.

In that case I'm a retard. Design iteration 4, I fix a guess and determin attack and give up.

Getting it to pass the die hard and other tests of randimness was easy. Apparantly they didn't even do that.

@Mailman

Bruce is not people. Bruce is THE man. THE man can invent crypto daydreaming.

it gets interesting when you consider this latest offering from Visa that offers a 'wave and pay' payment function presumably using a similar (or the same) technological unerpinnings.

http://www.wave-and-pay.co.uk/visa-contactless.html

By the way... people will not learn "not to invent their own crypto" until they get compromised and it ends up costing them huge, huge amounts of money.

As long as there is no economic incentive for them to get it right, they will not get it right. As long as they can give contracts to the cheapest bidder and not be held financially and criminally liable for losing millions of customer records in a privacy breach, they will not get it right.

We need to put the accountability on the organizations that actually collect and store and allow the compromise of confidential info. Until then security will continue to be trumped by market forces.

This scary for many reasons; one of which is that during the Olympics, Master Card (MC) and Oyster Card (OC) penned a deal that would allow you to pay for lower priced items with your OC. Free coke and sweets for all! I'm surprised MC did not ask more questions about their (OC's) system.

(sorry I love ()s they are fun)

Another case of lousy crypto implementation:
http://www.heise-online.co.uk/security/features/110280

USB devices with biometrics are vulnerable to a simple device level attack.

There is an upside to all of these many weaknesses and vulnerabilities: it balances the excesses of governments and corporations.

As David mentioned, the reason transit authorities go with Classic instead of Desfire is cost. When you're rolling out a system with millions of cards, and you're in no position to charge customers for those cards, and each expense is public and has to go through the Board, and the card costs go into your operational, not capital budget, you want the cards to cost not single dollars, but pennies (if at all possible) or a few dimes at the most. Classic costs close to 50c each. Desfire is something like 2-3 bucks. This difference is enough for the management to ignore all warnings from the engineers.

Just do what governments always do. Pass a law making it illegal to hack. That's why the U.S. DMCA is so effective.

Rob,

Even Bruce has had a "bad crypto" day or two as he will no doubt confirm. And has produced a stream generator with bias.

The sign of a top notch crypto bod is not how many systems (good or bad) they have designed but how many they have gone on to subsiquently crack themselves or produce an accepted proof of why it cannot be broken (and there are very few of the latter).

Or to put it another way people at the "bleeding edge" learn best by their own mistakes as there is no other lesson as instructive to an enquiring mind 8)

The replacement card is the Mifare Plus, which appears to be a costed down Mifare Desfire, the features a subset. Makes you wonder about testing costs. http://www.nxp.com/news/content/file_1418.html
NXP Mifare Plus news release.

The real problem in replacing the card is infrastructure upgrade cost - communications links or card readers with fast enough crypto. Increasing the time required to use the card is a no win. Note that the new card is backward compatible, which infers the possibility of security through obscurity - the new cards are adopted and the infrastructure upgrade lags for the likes of transit systems or businesses making cost versus risk decisions. The problem was fixed, we read about it in the news.

@myke,

At least "Oyster" has some (all be it bad) crypto.

It would appear that "Chip-n-Pin" does not have any at all.

The crypto in C-n-P starts at the card reader output. So hack the input and you can "Clone UR own".

How ever the bigest fraud sector even with C-n-P is still "Mag Stripe" fraud. Basicaly C-n-P has a "fall back to Mag Stripe" mode for two reasons

1) For use outside of C-n-P area.
2) In case the chip fails.

As a fraudster you have two choices after reading the mag stripe and pin.

1) Use it outside of the area.
2) Blow the chip on a C-n-P card and over write the mag stripe.

So it's business as usuall for the fraudsters, oh and you the unfortunate card holder get told it's your fault by the card issuer. Oh and if you go to the police they point you back to the card company.

Bruce refers to it as the banks having "externalised their risk" I have a different term for it but there might be people under 21 reading ;)

Anonymous wrote:
As David mentioned, the reason transit authorities go with Classic instead of Desfire is cost. When you're rolling out a system with millions of cards, and you're in no position to charge customers for those cards, and each expense is public and has to go through the Board, and the card costs go into your operational, not capital budget, you want the cards to cost not single dollars, but pennies (if at all possible) or a few dimes at the most. Classic costs close to 50c each. Desfire is something like 2-3 bucks. This difference is enough for the management to ignore all warnings from the engineers.

I respond:
They charge 3 GBP for a new Oyster card. Even at US$2-3 manufacturing costs, they would still be turning at least a 100% profit (on the card itself).

Just a thought,

Even if the more expensive cards use DES or AES what is the betting that they will leak the key via quite simple EMSec issues.

Think back to Diff Power Analysis on smart cards of last century and now bolt an RF based power supply on (as all RFIDs use). Whats the betting there will be a key related signiture fairly readibly detected?

All these "RFID" systems are designed to a price, and as the complexity of the chip equates to "silicon real estate" the extra bits to prevent EMSec issues is not going to get onto even an engineers wish list, let alone into a provisonal product spec.

Oh and don't forget "fall back" or "legacy" attacks even on new chips due to having to have "interim backward compatability" due to problems updating the inferstructur...

It will always be more cost effective to wave your hands and externalise the costs and hire good PR specialists than do a "Proper job".

I believe that Boston's MBTA uses the same system. Discussion on UniversalHub

TW@

"all be it" is, in fact, one word: albeit

Lets just hope that it would not be a problem for everyone.....

It isn't "London Tube smart card" hacked, its Mifare Classic that is hacked, and the published hack is only partial (but they will get all the way there in the end). The way that a scheme uses the card can and does make a huge difference to the overall risk. If you use plain keys in a Mifare Classic environment (same keys for every card), you are much less secure than if you use diversified keys; if you have an on-card crypto signature over significant data items, that's another layer of security to crack; and so it goes on. If, in a building access scheme, all that you do is recover the Mifare card's serial number from the initialisation sequence and then compare that number with your database, then you are in deep, deep trouble now if its worth hacking your access scheme (financially or just because its there). And (1) DESFire DES-only is not that much more expensive than Classic, but DESFire with AES will be costlier; (2) Mifare Plus is not available even in small quantities for at least 6 months.

dreamingspire wrote:

> It isn't "London Tube smart card" hacked, its Mifare Classic that is hacked, and the published hack is only partial

Good point, though the demonstrated attack on our university access control system (http://www.ru.nl/ds/research/rfid/) is no longer partial.

We have started a wiki on the use of RFID for mass public transport (https://ovchip.cs.ru.nl/) to collect information on technical and privacy issues of the existing Dutch system - minus the media hype and associated inaccurate claims - and to collect and develop ideas about better designs of such systems, in an open and transparent way.

You guys need to get out more!!!

Does anyone know if the same system is used for the Multivia card on the Santiago (Chile) metro?

And now add to this the information that the MI5 seeks to gain full access to datamine the travel records of the Oyster card in London (http://www.guardian.co.uk/uk/2008/mar/16/uksecurity.terrorism).
The idea of datamining those records is already horrible enough but combined with the broken security of those cards it gets even worse... :-(

@mfluch

"MI5 seeks to gain full access"

Why are cards bound to individuals like this? (Wikipedia says that monthly or longer cars _must_ be registered to a person).

This is completely unnecessary: the system would function (or could be made to function) correctly if the "registration" tables in their databases were deleted entirely.

Not only unnecessary, but it seems to me that as soon as it is known there is such a binding, third parties -- like MI5, but also lawyers, the police, and so forth -- are going to start hassling the operators on a regular basis for the data. This means the system operator will need to hire more people, buy more equipment, and generally spend more money than they would need to do if they just focused on their core business needs.

@mfluch,

It is worse than MI5, have a look at my several past postings on Oyster / MiFare and the backend DB.

One thing that has come to light is that there is insuficient background checks being run on people who have access to either the DB or the card readers.

What some readers may not be aware of is that they are effectivly trying to force every child in London to have one either via a carrot (free/reduced cost transport) or hidden stick (School attendance).

Effectively it is being used to get the next few generations used to being "identified" prior to ramming National ID cards down their throats.

Also there are more than a couple of reported cases of the Met Police demanding a minors Oyster card as proof of ID etc.

Sorry folks the above anon is mine. I'm bashing this out on a Motorola SideKick Slide, and lets just say the screen is only six times the area of my thumb nail and my thumb covers around fourteen of the keys... It sure aint prity folks thats for sure 8)

"one of which is that during the Olympics, Master Card (MC) and Oyster Card (OC) penned a deal that would allow you to pay for lower priced items with your OC. Free coke and sweets for all!"

Wrong. You don't pay for lower priced items (or, in fact, any items) with the OC. And if you did, it still wouldn't be free coke, because OC has not been hacked, MiFare Classic has. OC has its own cryptography.

The oyster cards are registered so that you have some recourse if your card is lost or stolen.

For example, if I have paid close to £2000/$4000 for a travel card, I want to know that if I somehow lose it/get it stolen/accidentally wash it/etc I can simply phone up and get it replaced because both me and they know who I am.

If they didn't know who I was I wouldn't be able to get the old card canceled and whoever has stolen/found the card can carry on using it, whilst I'd be out of pocket by another 2 grand.

There are of course non-personally identifiable ways of doing this, but people are crap and only really remember their name and address.

@Londoner

"The oyster cards are registered so that you have some recourse if your card is lost or stolen."

Piffle. Trivial non-identifying systems are implementable at almost no cost to the operator. Off the top of my head: the operator can sell "insurance cards" for some fee that, when presented to the operator, cancel the associated high-value card, refund temporary cards purchased to cover a loss, and/or issue a new one to the bearer.

The traveler stores the insurance card in a safe place of their choosing. If they screw up on a $4k card, their problem, not the operators.

But the deeper question is the one you ignore: registration is forced for monthly cards. Why? I know of two systems where monthly transit cards are unattached to individuals, and no one complains if they can't recover a lost card. If someone wants to invest $4k at the risk of losing it, who are you to say they can't?

Folks originally used the Mifare Classic card because NXP made it very easy for them to design systems using this card. Many of the security problems with this card were known 13 years ago, but the designers chose to ignore these issues or didn't bother employing security analysts to check out the card. And the system owners never asked for proper security evaluations from their system suppliers. So the system owners only have themselves to blame for what has happened.

Sweet! Melbourne, Australia are about to start a new ticketing system called Miki (mykey), I wonder if it's based on Mifare Classic.

The point here is not if you can crack the key, given enough time and money you can do anything! These are transit systems, typically the fare is a a dollar or two. The sytems can change their keys on demand, they have transaction tracking and remaining value integity. You can pick up a fraud in way less than 24 hrs. Why would any body even spend $50 (let alone $9000!) trying to crack it when by the time you get off the bus your card will be invalid! And before you get too excited transactions more than a couple of dollars undergo and back end processing check before processing. Even then the transit authorities dont care they had your money in the first place!

If you clone the card you get one free trip on the bus or train, how much is going to cost you to create the card. The real crooks understand a business proposition , cracking keys is not a business and the smart person would be going after the more valuable targets.

if you are going to crack something crack the back end not the card ah lah Soc Gen

People have been claiming cracking smart card transit system for more than 10 years, how many have actually done it, we may never know but the back end reports cash reconcillation are telling you it hasnt happened yet. Its also unlikley while there is no business case for it, the mafia are not dumb!

"These are transit systems, typically the fare is a a dollar or two."

A single journey to zone 1 (the center of london) costs £4.00 or $8.00, not that it makes much of a difference but I just wanted to get that out there

@Anon: as far as I can establish, yes the Melbourne Myki is using Mifare.

I've written about the privacy issues here: http://www.itwire.com/content/view/16933/1154/ although a few of the comments here have given food for thought for an update.

I wonder if the closed LEGIC architecture suffers from the same problems. They rely on a closed encryption algorithm in their chips.

Isn't it easier just to jump over the turn style?

No, they have instant capital punishment for that here in London.

@ fred nerk
While you are correct, if you investigate exactly how transit back-end systems audit transit transactions and blacklist cards, you will find many security weaknesses and a general inability to blacklist lots of cards out of circulation.
So if lots of cards are cloned or altered, many back-end systems could easily be overloaded and unable to cope.
Also let's not forget the important issue of perception - if the general public perceive that a transit system has serious security flaws, will they continue to use the cards? Or will they demand their replacement?

Olesmartie,
Dont think this is the forum to discuss back ends but it is security related. As for you point about blacklists (and white and grey lists for that matter), true, but there are easy ways to cover 40% + of the cardbase now and why is someone going to fraud 40% of a couple million cards! Again the business case is missing for transit.
As you point out the problem is perception. By stating someone has cracked a card does not mean the system is cracked, we should be acting responsibly for security matters and presenting the true picture. For low value low impact transaction cracking a card is irrelevant.

Perhaps the case for access control needs better back ends!You are better off spending your money on back ends and keeping the cost of consumables (cards) low.

>@ Bruce:
>Your answer is: Economics.
>... the AES cards would have been too expensive.
>Occam's razor.

Maybe "The Market for Lemons" is a better explanation...
http://en.wikipedia.org/wiki/The_Market_for_Lemons

I still don't understand why transit systems don't use the slightly more expensive DESFire or Sony FeliCa cards. There is not that much difference in card cost, particularly the DESFire as compared to the Classic; the DESFire is a lot easier to use, has built-in anti-tear, more storage space and far better security.

Who is to blaim the chipmaker NXP or the project team selecting the chip for this purpose? I agree it is not clever to create your own crypto algorithm, but selecting a card with a 48 bit key protection is also a remarkable choice since we already changed over from DES to 3DES and AES because of its too short 56 bit key.
This is not a consumer to vendor relation, but two equal discussion partners.

The melbourne myki system is not using Mifare classic, it is using DESFire.... please be careful about making negative claims like this until you have the facts david.