Rides Free on the London Underground for a day

What does it take to force the Dutch government to deploy armed guards at its public access buildings? How hard is it to hop a free ride on the London Underground?

If you're Radboud University's Bart Jacobs, all that's required is a laptop and a bit of RFID know-how.

Jacobs says that he and his team used a "commercial laptop" to crack the encryption of and clone a widely-deployed Mifare Classic RFID smartcard. Classic cards are often found in office-building access control systems, wireless payment cards, and public transportation ticketing systems used by a number of municipalities worldwide, including the London Underground.

Using a circular antenna and data receiver hooked up to a standard laptop, Jacobs' team was able to download encryption keys from Mifare RFID scanners stationed for ordinary use. They were then able to steal smartcard data by waving the antenna -- which looks like a loopy wand -- within a couple of inches of a legitimate card carrier, a process called "skimming". Using sleight-of-hand techniques usually practiced by pickpockets, the process of scanning a victim with the wand can be done without their knowledge.

RFID smartcards transmit data wirelessly over a low-strength signal usually limited to a couple of feet. A video describing the process used for the Classic cards, originally discovered in April, was posted to YouTube.

Jacobs' team tested the hack in two scenarios: entering restricted-access areas of public-access, government buildings in the Netherlands and hopping a day's worth of free rides on London's subway system. Both tests ended successfully.

The Dutch government says it has embarked on a campaign to replace the smartcards of its entire workforce since learning of the attack, and stationed armed guards outside all its buildings. Over 120,000 smartcards will have to be replaced, at a cost of "about €5 ($8 USD) for each card."

"We take this extremely seriously," said a spokesman for the Dutch Interior Ministry. "It’s a national security issue."

The Times Online notes that over ten million of the Mifare smartcards are sold in the UK each year, including six million given to pensioners for free access to public transportation. CNET's Defense in Depth says that the same model smartcards are used in Boston transit's CharlieCard reusable ticket system, as well as public transportation systems in Beijing, Madrid, Hong Kong, Bangkok, and New Delhi. While newer, more secure systems are out, writes blogger Robert Vamosi, there are still half a billion Classic smartcards in use worldwide.

The team's page on Radboud University's website says that they are not aware of any technical solutions, short of replacing applicable systems, for fixing the Classic's vulnerabilities.

"The cryptography is simply not fit for purpose," said security researcher Adam Laurie. "It’s very vulnerable and we can expect the bad guys to hack into it soon, if they haven’t already."

"You only have to walk down the street to see contactless access control systems everywhere ... it used to be a magnetic strip, now it’s a card held up to a reader on the wall. A large percentage of these will have Mifare technology and are very vulnerable to attack. They should all be replaced."

With RFID finding an increasing amount of use worldwide -- including in the United States, where it's seeing use in the next and latest generations of U.S. passports -- privacy advocates are voicing their concern over the technology, which can often be read at distances over 20 feet and can contain sensitive biometric data. Recent legislation in the state of Washington outlawed the practice of "skimming" for the purposes of identity theft and fraud, but critics argue that the law will do little to actually stop the practice.

"So, I think the same thing of the music industry. They can't say that they're losing money, you know what I'm saying. They just probably don't have the same surplus that they had." -- Wu-Tang Clan founder RZA
Related Articles

Most Popular Articles

Copyright 2018 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki