Dutch RFID Transit Card Hacked
The Dutch RFID public transit card, which has already cost the government $2B—no, that’s not a typo—has been hacked even before it has been deployed:
The first reported attack was designed by two students at the University of Amsterdam, Pieter Siekerman and Maurits van der Schee. They analyzed the single-use ticket and showed its vulnerabilities in a report. They also showed how a used single-use card could be given eternal life by resetting it to its original “unused” state.
The next attack was on the Mifare Classic chip, used on the normal ticket. Two German hackers, Karsten Nohl and Henryk Plotz, were able to remove the coating on the Mifare chip and photograph the internal circuitry. By studying the circuitry, they were able to deduce the secret cryptographic algorithm used by the chip. While this alone does not break the chip, it certainly gives future hackers a stepping stone on which to stand. On Jan. 8, 2008, they released a statement abut their work.
Most of the links are in Dutch; there isn’t a whole lot of English-language press about this. But the Dutch Parliament recently invited the students to give testimony; they’re more than a little bit interested how $2B could be wasted.
My guess is the system was designed by people who don’t understand security, and therefore thought it was easy.
EDITED TO ADD (2/13): More info.
Clive Robinson • January 21, 2008 7:12 AM
Bruce,
The MiFare chip is made by Phillips which used to be the largest electronics company in Holand. So much so that their Sports Club Football team (PSV Eindhoven) is internationaly regarded like the U.K. Manchester United…
Also of more interest is the MiFare chips are also used in the Transport For London “Oyster” Travel Card system that likewise has cost hundreds if not thousands of millions of USD to impliment. TfL are currently spending upto 100million USD more trying to get the overground train operators to adopt it as well…
Also a major U.K. bank has gone into business with TfL to make a combined travel / credit / micro-payment card. The worying thing about the micro payment is that for transactions below 20USD no PIN or other autherisation is required (just put areader close by)…
Oh from the security point of view the MiFare cards hold the last 25 journies / transactions.
It looks like very bad news for the 13million or so people who have to use public transport in London…