Rides Free on the London Underground for a day

What does it take to force the Dutch government to deploy armed guards at its public access buildings? How hard is it to hop a free ride on the London Underground?

If you're Radboud University's Bart Jacobs, all that's required is a laptop and a bit of RFID know-how.

Jacobs says that he and his team used a "commercial laptop" to crack the encryption of a widely deployed Mifare Classic RFID smartcard and clone it. Classic cards are often found in office-building access control systems, wireless payment cards, and public transportation ticketing systems used by a number of municipalities worldwide, including the London Underground.

Using a circular antenna and data receiver hooked up to a standard laptop, Jacobs' team was able to download encryption keys from Mifare RFID scanners stationed for ordinary use. They were then able to steal smartcard data by waving the antenna -- which looks like a loopy wand -- within a couple of inches of a legitimate card carrier, a process called "skimming". Using sleight-of-hand techniques usually practiced by pickpockets, the process of scanning a victim with the wand can be done without their knowledge.

RFID smartcards transmit data wirelessly over a low-strength signal usually limited to a couple of feet. A video describing the process used for the Classic cards, originally discovered in April, was posted to YouTube.

Jacobs' team tested the hack in two scenarios: entering restricted-access areas of public-access government buildings in the Netherlands and hopping a day's worth of free rides on London's subway system. Both tests ended successfully.

The Dutch government says it has embarked on a campaign to replace the smartcards of its entire workforce since learning of the attack, and stationed armed guards outside all its buildings. Over 120,000 smartcards will have to be replaced, at a cost of "about €5 ($8 USD) for each card."

"We take this extremely seriously," said a spokesman for the Dutch Interior Ministry. "It’s a national security issue."

The Times Online notes that over ten million of the Mifare smartcards are sold in the UK each year, including six million given to pensioners for free access to public transportation. CNET's Defense in Depth says that the same model smartcards are used in Boston transit's CharlieCard reusable ticket system, as well as public transportation systems in Beijing, Madrid, Hong Kong, Bangkok, and New Delhi. While newer, more secure systems are out, writes blogger Robert Vamosi, there are still half a billion Classic smartcards in use worldwide.

The team's page on Radboud University's website says that they are not aware of any technical solutions, short of replacing applicable systems, for fixing the Classic's vulnerabilities.

"The cryptography is simply not fit for purpose," said security researcher Adam Laurie. "It’s very vulnerable and we can expect the bad guys to hack into it soon, if they haven’t already."

"You only have to walk down the street to see contactless access control systems everywhere ... it used to be a magnetic strip, now it’s a card held up to a reader on the wall. A large percentage of these will have Mifare technology and are very vulnerable to attack. They should all be replaced."

With RFID finding an increasing amount of use worldwide -- including in the United States, where it's seeing use in the next and latest generations of U.S. passports -- privacy advocates are voicing their concern over the technology, which can often be read at distances over 20 feet and can contain sensitive biometric data. Recent legislation in the state of Washington outlawed the practice of "skimming" for the purposes of identity theft and fraud, but critics argue that the law will do little to actually stop the practice.

Solution is very inexpensive
By waltaugust on 6/27/2008 10:21:28 AM , Rating: 2
A simple solution would be to block the skimming of the card. Identity Stronghold makes a Secure Sleeve(tm) that you keep your card or passport in and it blocks all RF communication with the chip. The US Federal Government uses it on their employee ID cards. They also have a Secure Badgeholder that can block the RF while leaving the face of the card visible. You can see them on

RE: Solution is very inexpensive
By JasonMick on 6/27/2008 12:01:52 PM , Rating: 5
Yes, but at some point if the card is to be used, you have to take it out of its secure sleeve. It's not hard to imagine an employee taking their card out and then forgetfully leaving it in your pocket. I'd imagine if you skimmed 5 or 6 employees who used such cards regularly, one would have done such.

In a way such measures might worsen things, because they create a false sense of security.

The only resolution is better cryptography and redesign.

RE: Solution is very inexpensive
By HighWing on 6/27/2008 3:53:56 PM , Rating: 3
It's not hard to imagine an employee taking their card out and then forgetfully leaving it in your pocket.

I can't help but think this is very similar to the scenario where an employee writes down a password on a sticky note and leaves it by their computer.

And in that case the fault/blame lies with the employee

RE: Solution is very inexpensive
By TomCorelis on 6/28/2008 6:07:41 AM , Rating: 2
Honestly, I find myself doing that with my ATM card and its paper sleeve all the time. I'll get home, empty out my pockets, and realize I lazily forgot to put the card back into its sleeve in my wallet. Sometimes, one will be smooshed in there right in front of the other.

RE: Solution is very inexpensive
By JustTom on 6/28/2008 6:42:21 PM , Rating: 2
While it might be the fault of the employee, the fact is it still leaves an easily exploitable vulnerability. If you have 200 employees using a particular access point I can guarantee someone will leave their card out of its protective sleeve.

RE: Solution is very inexpensive
By Sunbird on 6/27/2008 12:16:47 PM , Rating: 2
Just what is wrong with a magnetic strip card? Why do the cards HAVE to be RFID?

That's even a cheaper and more effective solution...

RE: Solution is very inexpensive
By tdawg on 6/27/2008 1:22:04 PM , Rating: 2
Correct me if I'm wrong, but if we were to use magnetic readers, we wouldn't be able to keep our access cards in our wallets, along with our credit/debit cards, and scan the card without taking it out of our wallet.

RE: Solution is very inexpensive
By Sunbird on 6/27/2008 1:32:26 PM , Rating: 2
No, you are correct.

There are other ways to solve that convenience problem, but I guess it will never be as convenient. But like with any PC security, the more secure, the less convenient in some manner*.

*DailyTech can quote me on that. If Rush can be quoted, I can too :p

By plinkplonk on 7/1/2008 6:35:49 AM , Rating: 2
FFS!!!!! YOU ARE SO LAZY - it takes two seconds to take it out scan it and put it back in. why is everyone in the world so focused on doing as little for themselves as possible?

RE: Solution is very inexpensive
By neothe0ne on 6/27/2008 3:17:54 PM , Rating: 2
Cell phones?

RE: Solution is very inexpensive
By TSS on 6/27/2008 7:20:09 PM , Rating: 3
no see, the solution isn't inexpensive. first, a committee has to be appointed to find out what's wrong with the current system, then a committee has to be appointed to appoint the new order to a company (which *will* be given to a friend of the chairman via some way), as there are multiple companies gunning for the order they have to be screened and determined by said committee(s), by which time enough money will have been burned to replace the system 3 times.

and once a company has been decided upon, usually several so that everybody gets a piece, the project will be delayed several times due to internal miscommunication until it's considered a failure and will be replaced by the next project.

the dutch, though i'm proud to be one, aren't good at managing big projects. the betuwelijn is a railroad from the west of holland to germany, calculated cost 1 billion, final cost 5 billion. today there was a news message on a dutch techsite about the UWV, the organization that handles unemployment and such, had burned 87 million euros on a system which was eventually too complex to be used and had to be abandoned. and this hacked news, isn't news to us. these things have been hacked through several times now, yet the dutch government will still implement this technology for our public transportation, like in london (called the OV chipkaart). within a timeframe which guarantees failure.

only thing we're good at is making money, not spending it :P

what I want to know
By omnicronx on 6/27/2008 11:50:25 AM , Rating: 2
What I want to know is who was the poor sap walking into a government building that did not see the guy waving a wand within 3 feet of him. It's one thing to do so on a crowded subway, but I think I would notice if a guy holding a laptop was waving an antenna beside me.

RE: what I want to know
By JasonMick on 6/27/2008 12:04:27 PM , Rating: 2
It's not really hard to imagine. The laptop could be in the guy's backpack and the wand could be literally up his sleeve if he is wearing a long sleeve shirt or a jacket. It might look strange if the skimming was done in an uncoordinated fashion, but to a practiced skimmer it would likely be remarkably subtle.

RE: what I want to know
By mindless1 on 6/28/2008 2:18:04 AM , Rating: 2
Unless you are the really paranoid type (always wearing a tinfoil hat and spinning around to look behind yourself), no you would not notice if someone walked up behind you in a crowded area and merely got a wand within 3 feet of your card. Why? Because your eyes are in the front of your head and usually looking where you are walking or at least within that 180' field.

RE: what I want to know
By Ticholo on 6/29/2008 12:16:17 PM , Rating: 2
The article clears that up for you:
"Using sleight-of-hand techniques usually practiced by pickpockets, the process of scanning a victim with the wand can be done without their knowledge."
If someone can get your wallet from your pocket without you noticing it, getting close enough to scan the card must be child's play!
I have to agree with everyone asking why this is better than magnetic stripe cards. Takes a few more seconds, but at least it's harder to copy without you noticing it on most places where you use it.

By amanojaku on 6/27/2008 9:21:13 AM , Rating: 2
"The cryptography is simply not fit for purpose," said security researcher Adam Laurie. "It’s very vulnerable and we can expect the bad guys to hack into it soon, if they haven’t already."

I'm surprised it took this long, too. Are these things susceptible to replay attacks? Why bother cracking the cryptography?

RE: Interesting
By oab on 6/27/2008 12:10:48 PM , Rating: 2
The cryptography that was used was very weak, and has previously been broken. The encryption was high-bit, but it has some rather significant vulnerabilities that allow it to be broken very quickly.

The purpose of cracking it, is to crack it! If a legitimate researcher could break it, why can the TERRORISTS~! not be able to do so as well? Or diplomats performing "actions not consistent with their diplomatic profile" aka: spying by getting into areas they should not be able to get into.

The swipe card, with the same flaws is inherently more secure (because you need the physical card to skim it, not just being within a few inches).

By Spivonious on 6/27/2008 9:32:57 AM , Rating: 2
Is this referring to the Oyster card in London?

RE: Oyster?
By amanojaku on 6/27/2008 9:38:53 AM , Rating: 2
The Oyster card is one of many that uses MIFARE technology. They would all be affected.

By barjebus on 6/27/2008 10:10:07 AM , Rating: 2
I hope the cost of replacing these systems is absurdly expensive and I hope dearly that the tens of millions of dollars of tax payer money will hopefully require some blood letting of various government administrations who have ever supported these RFID systems. It's so wonderfully delicious when finally these bureaucrats get a solid boot up the ass for trusting the marketing department of a company rather than people from the engineering and computer science academia.

The next event that I'm excited for is the failure of OOXML a few years down the road when someone wants to move away from MS products.

RE: Yeah.
By dever on 6/27/08, Rating: 0

Copyright 2016 DailyTech LLC.