Entries Tagged "public transit"

Page 3 of 7

Hacking Mifare Transport Cards

London’s Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won’t be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.

Here’s the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the “Mifare Classic” chip, is used in hundreds of other transport systems as well—Boston, Los Angeles, Brisbane, Amsterdam, Taipei, Shanghai, Rio de Janeiro—and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world.

The security of Mifare Classic is terrible. This is not an exaggeration; it’s kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.

The group that broke Mifare Classic is from Radboud University Nijmegen in the Netherlands. They demonstrated the attack by riding the Underground for free, and by breaking into a building. Their two papers (one is already online) will be published at two conferences this autumn.

The second paper is the one that NXP sued over. They called disclosure of the attack “irresponsible,” warned that it will cause “immense damages,” and claimed that it “will jeopardize the security of assets protected with systems incorporating the Mifare IC.” The Dutch court would have none of it: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”

Exactly right. More generally, the notion that secrecy supports security is inherently flawed. Whenever you see an organization claiming that design secrecy is necessary for security—in ID cards, in voting machines, in airport security—it invariably means that its security is lousy and it has no choice but to hide it. Any competent cryptographer would have designed Mifare’s security with an open and public design.

Secrecy is fragile. Mifare’s security was based on the belief that no one would discover how it worked; that’s why NXP had to muzzle the Dutch researchers. But that’s just wrong. Reverse-engineering isn’t hard. Other researchers had already exposed Mifare’s lousy security. A Chinese company even sells a compatible chip. Is there any doubt that the bad guys already know about this, or will soon enough?

Publication of this attack might be expensive for NXP and its customers, but it’s good for security overall. Companies will only design security as good as their customers know to ask for. NXP’s security was so bad because customers didn’t know how to evaluate security: either they don’t know what questions to ask, or didn’t know enough to distrust the marketing answers they were given. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.

It’s unclear how this break will affect Transport for London. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card. But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale. TfL promises to turn off any cloned cards within 24 hours, but that will hurt the innocent victim who had his card cloned more than the thief.

The vulnerability is far more serious to the companies that use Mifare Classic as an access pass. It would be very interesting to know how NXP presented the system’s security to them.

And while these attacks only pertain to the Mifare Classic chip, it makes me suspicious of the entire product line. NXP sells a more secure chip and has another on the way, but given the number of basic cryptography mistakes NXP made with Mifare Classic, one has to wonder whether the “more secure” versions will be sufficiently so.

This essay originally appeared in the Guardian.

Posted on August 7, 2008 at 6:07 AMView Comments

Random Killing on a Canadian Greyhound Bus

After a random and horrific knife decapitation on a Greyhound bus last week, does this surprise anyone:

A grisly slaying on a Greyhound bus has prompted calls for tighter security on Canadian bus lines, despite the company and Canada’s transport agency calling the stabbing death a tragic but isolated incident.

Greyhound spokeswoman Abby Wambaugh said bus travel is the safest mode of transportation, even though bus stations do not have metal detectors and other security measures used at airports.

Despite editorials telling people not to overreact, it’s easy to:

“Hearing about this incident really worries me,” said Donna Ryder, 56, who was waiting Thursday at the bus depot in Toronto.

“I’m in a wheelchair and what would I be able to do to defend myself? Probably nothing. So that’s really scary.”

Ryder, who was heading to Kitchener, Ont., said buses are essentially the only way she can get around the province, as her wheelchair won’t fit on Via Rail trains. As it is her main option for travel, a lack of security is troubling, she said.

“I guess we’re going to have to go the airline way, maybe have a search and baggage check, X-ray maybe,” she said.

“Really, I don’t know what you can do about security anymore.”

Of course, airplane security won’t work on buses.

But—more to the point—this essay I wrote on overreacting to rare risks applies here:

People tend to base risk analysis more on personal story than on data, despite the old joke that “the plural of anecdote is not data.” If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.

We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone’s major storyteller these days? Television.

Which is why Canadians are talking about increasing security on long-haul busses, and not Americans.

EDITED TO ADD (8/4): Look at this headline: “Man beheads girlfriend on Santorini island.” Do we need airport-style security measures for Greek islands, too?

EDITED TO ADD (8/5): A surprisingly refreshing editorial:

Here is our suggestion for what ought to be done to upgrade the security of bus transportation after the knife killing of Tim McLean by a fellow Greyhound bus passenger: nothing. Leave the system alone. Mr. McLean could have been murdered equally easily by a random psychopath in a movie theatre or a classroom or a wine bar or a shopping mall—or on his front lawn, for that matter. Unless all of those venues, too, are to be included in the new post-Portage la Prairie security crackdown, singling out buses makes no sense.

Posted on August 4, 2008 at 6:19 AMView Comments

Washington DC Metro Farecard Hack

Clever:

Thieves took a legitimate paper Farecard with $40 in value, sliced the card’s magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.

My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold Farecards on the street at half face value.

Posted on July 22, 2008 at 12:29 PMView Comments

Random Stupidity in the Name of Terrorism

An air traveler in Canada is first told by an airline employee that it is “illegal” to say certain words, and then that if she raised a fuss she would be falsely accused:

When we boarded a little later, I asked for the ninny’s name. He refused and hissed, “If you make a scene, I’ll call the pilot and you won’t be flying tonight.”

More on the British war on photographers.

A British man is forced to give up his hobby of photographing buses due to harrassment.

The credit controller, from Gloucester, says he now suffers “appalling” abuse from the authorities and public who doubt his motives.

The bus-spotter, officially known as an omnibologist, said: “Since the 9/11 attacks there has been a crackdown.

“The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority.

Mr McCaffery, who is married, added: “We just want to enjoy our hobby without harassment.

“I can deal with the fact someone might think I’m a terrorist, but when they start saying you’re a paedophile it really hurts.”

Is everything illegal and damaging now terrorism?

Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead.

Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man—a construction worker—acted alone. It is not known if he had links to any terrorist organization.

New Jersey public school locked down after someone saw a ninja:

Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword.

Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school.

And finally, not terrorism-related but a fine newspaper headline: “Giraffe helps camels, zebras escape from circus“:

Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage.

Are llamas really that hard to count?

EDITED TO ADD (7/2): Errors fixed.

Posted on July 3, 2008 at 12:57 PMView Comments

Kill Switches and Remote Control

It used to be that just the entertainment industries wanted to control your computers—and televisions and iPods and everything else—to ensure that you didn’t violate any copyright rules. But now everyone else wants to get their hooks into your gear.

OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment.

Microsoft is doing some of the most creative thinking along these lines, with something it’s calling “Digital Manners Policies.” According to its patent application, DMP-enabled devices would accept broadcast “orders” limiting their capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class.

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That’s a difficult security problem even in its simplest form. Distributing that system among a variety of different devices—computers, phones, PDAs, cameras, recorders—with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path—giving one device authority over other devices—the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

How do we prevent this from being abused? Can a burglar, for example, enforce a “no photography” rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get “superuser” devices that cannot be limited, and do they get “supercontroller” devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands?

It’s comparatively easy to make this work in closed specialized systems—OnStar, airplane avionics, military hardware—but much more difficult in open-ended systems. If you think Microsoft’s vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we’ve seen over the years. That’s a similar capabilities-enforcement mechanism, albeit simpler than these more general systems.

And that’s the key to understanding this system. Don’t be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good “manners” on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music to a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible.

“Digital Manners Policies” is a marketing term. Let’s call this what it really is: Selective Device Jamming. It’s not polite, it’s dangerous. It won’t make anyone more secure—or more polite.

This essay originally appeared in Wired.com.

Posted on July 1, 2008 at 6:48 AMView Comments

Bus Defended Against Terrorists Who Want to Reenact the Movie Speed

We’re spending money on this?

…a new GPS device enables authorities to remotely control a bus—slowing it down to 5 mph and preventing it from restarting once it has stopped. The device has been installed on thousands of local commuter and tourist buses.

The technology is designed to prevent a terrorist from ramming a bus filled with people and explosives into buildings or tunnels.

Private bus companies have received millions of dollars from the Department of Homeland Security for the security systems. It costs $1,500 to equip each bus, with $50-per-bus monthly maintenance costs.

Gray Line double-decker tourist buses and Coach USA have spent hundreds of thousands of dollars in federal funds to install 3,000 devices. After receiving a $124,000 federal grant, DeCamp Bus Lines is installing the device on its 80 commuter buses, which travel routes from northern New Jersey to the Port Authority Bus Terminal in Midtown.

New Jersey Transit is currently in the process of equipping all of its roughly 3,000 buses with the technology. NJ Transit Chief of Police Joseph Bober said: “This enhanced technology helps us protect our bus drivers and customers. It’s another proactive tool to protect our property, employees and customers.”

Posted on June 10, 2008 at 12:31 PMView Comments

Great Fear-Mongering Product: Subway Emergency Kit

Is Subivor even real?

Whether it is a train fire, a highrise building fire or worse. People should have more protection than a necktie, their shirt or paper towel to cover their mouth, nose and eyes. As you know an emergency can happen at anytime and in anyplace, leaving one vulnerable. Don’t be a sitting duck. The Subivor® Subway Emergency Kit can aid you in seeing and breathing while exiting. This all-in-one compact, portable and easy to use subway emergency kit contains some items never seen before in a kit.

This could have won my Third Movie-Plot Threat Contest.

Posted on June 9, 2008 at 12:11 PMView Comments

Filming in DC's Union Station

This video is priceless. A Washington, DC, news crew goes down to Union Station to interview someone from Amtrak about people who have been stopped from taking pictures, even though there’s no policy against it. As the Amtrak spokesperson is explaining that there is no policy against photography, a guard comes up and tries to stop them from filming, saying it is against the rules.

EDITED TO ADD (6/7): More.

Posted on June 3, 2008 at 1:57 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.