Alarming Suburban Ticketing System Hack

Techtree News Staff, Aug 14, 2008 1630 hrs IST

In an alarming development, a bunch of young researchers at Radboud University Nijmegen, Netherlands have managed to crack the ticketing system used by major suburban transportation systems around the world.

E-Mail Print

In this age of terrorism and cyber crime, here is one more news that could send security analysts and researchers in a tizzy.

A bunch of young researchers at Radboud University Nijmegen, Netherlands have managed to crack the ticketing system used by major suburban transportation systems around the world. The chip in question is called the "MiFare" and is manufactured by NXP Semiconductors. Generally considered very safe, the system is being used by transit solutions in cities around the world - including Delhi, where it is used in the Metro Railway. Apart from suburban rail networks, MiFare cards are also to control access to buildings.

The hackers and their weapons

The researchers claim that the proprietary CRYPTO1 encryption system used by these cards can be easily retrieved, especially when a common key is used for all RFID (Radio-Frequency Identification) readers and cards. Common keys are used on a large scale in large buildings and organizations. The hack itself is a simple affair, at least theoretically. What the hack does is to retrieve the secret key from the MiFare reader, which takes a while. Once the key is retrieved, the data is taken offline and then decrypted. Once this is done, the cracked key can be used to predict other random keys as well. The retrieved cryptographic key can provide various possibilities for abuse depending on the situation. For example, if all the cards share the same key, the card of a genuine employee/personnel can be cloned just by close contact and the affected person might not be even aware that his identity has been stolen. In case different keys are used, things become a lot safer - but it still remains vulnerable.

Earlier, two German researchers Karsten Nohl and Henryk Plotz had also reported security flaws in the technology. These two had actually managed to reconstruct CRYPT01 and had announced the same at a hackers' conference back in 2007. The Dutch team however did not replicate the encryption system - they simply exploited the weaknesses in the armor. This had happened in March 2008, and the news was immediately not revealed owing to security concerns. They wanted to ensure basic steps are taken to counter the vulnerability before the flaws were discussed. The Dutch Government was involved and kept in the loop. Later, the Dutch General Intelligence and Security Service confirmed that the hack was as effective as an attack. Post this, the companies involved - NXP and Trans Link Systems - were briefed and technical representatives from the company are working with the researchers to analyze the impact of the security breach and develop countermeasures to patch the weaknesses.

The researches cited security concerns for the delay in reporting this security flaw.

Read more here.

A video by the team:

USER COMMENTS

cheers .....great !!!!

by Fifanomore, Pune, on Aug 14, 2008 06:56 PM, Report abuse Reply

by Nil, Mumbai, on Aug 15, 2008 03:48 PM, Report abuse

what is CRYPTO1 encryption system?

by Parag Joshi, Mumbai, on Aug 15, 2008 03:47 PM, Report abuse Reply

And they even made a video of it? Haha!!

by Gdn | TD, Chennai, on Aug 14, 2008 07:23 PM, Report abuse Reply

VIEW ALL LATEST

RBI Delibrates On E-Wallets And Cash Card Norms

News > Internet , November 22, 2008 0830 hrs IST

Approach paper readied ...

LiveJournal Gets India Focused Communities

News > Internet , November 22, 2008 0938 hrs IST

For all you movie and sports buff ...

Indians Big in Online Spending

News > Internet , November 21, 2008 1857 hrs IST

Surprisingly 76% spend on digital downloads ...

Flash Drives Surpasses Blu-ray Capacity

News > Gadgets , November 21, 2008 1831 hrs IST

Kingston new offing the -- DT150 USB drives ...

Search Gets Personal With Google SearchWiki

News > Internet , November 21, 2008 1748 hrs IST

A service giving search power to the user ...

Vista Tips n Tricks

Techtree.com India > Guides > Software Guides , November 23, 2008 1000 hrs IST

Want to know how long Windows has been running? Make Windows Explorer a lot more responsive to your commands and disable Internet Explorer warnings. ...

Best Business Phones

Techtree.com India > Guides > Peripherals/Gadgets Buying Guides , November 21, 2008 1602 hrs IST

Here are some of the best business phones that have been selected because of their power and functionality. ...

Phillips DVP5996K DVD Player

Reviews > Entertainment > Cool Tools , November 21, 2008 1910 hrs IST

The latest DVD player from Philips has stunning looks and offers a whole lot of features. ...

Logitech diNovo Mini

Reviews > Basics > Keyboards , November 20, 2008 1342 hrs IST

Get the convenience of a full functionality keyboard and mouse right in the palm of your hands. ...

Sennheiser HD 201 G4ME

Reviews > Peripherals > Speakers , November 20, 2008 1759 hrs IST

These casual headphones are tuned for gaming. ...

Samsung - U800 Soul b

User Reviews , November 22, 2008 0341 hrs IST

Samsung has produced some great-looking and affordable quality mobile phones through out the years, Samsung was one of the first company to deliver the first music phone and its also one of the first to introduced internet enabled phone, Samsung also is known for their quality phones and the Samsung U800 is probably one of the best they have ever made. The Samsung U800 has a mettalic finish which gives it a classy look, the phones feel solid and doesn't feel like cheap plastic like some of the mobile phones out in the market. Samsung also used a very good keypad on the Samsung U800 similar to the ones used in Motorola Razr's handsets except the ones on Samsung U800 is ver reposive, the keys are large which is very convenient for texting, specially when you have large fingers. Feature wise the Samsung U800 has all the things you need on a basic phones today plus a little bit more, the Samsung U800 is a Tri- Band phone it supports GPRS and HSPDA, its has dual cameras one in front for video calling and on at the back the main camera a 3 mega pixel resolution camera, the image quality of the 3MP cameras is very good, The processing, sharpening and colour detail produces good results and the camera interface is easy to use and quick for finding settings so you don?t miss anything, however video recording fared less, at a frame rate of 15 fps doesn't really impress. Playback of the recorded video showed footage that was jumpy and bitty, the Samsung U800 also has a built in FM rreceiver, Samsung U800 also supports MP3, WMA, AAC, AAC+,e-ACC playback and it has a 1000mb internal memory and expandable using a Micro SD, the Samsung U800 has Bluetooth v2.0 conncectivity, the Samsung U800 handles all the common types of messages, SMS, EMS, MMS and emails, and you can store 500 SMS, 30 push messages, 200 broadcast messages and 30 configuration messages on the available 1GB memory., it also has an bult in speaker phone. As for the interface it has a standard Samsung mobile phone interface it is easy to navigate and understand. The 2 inch screen has the full colour at 16 million colours at 240 x 320 pixels , the images are sharp and of good quality. The main menu displays a grid base menu system or a standard list whichever you prefer both are easy and simple to use, so if your looking for a simple but feature pack, user friendly, classy, solid looking the Samsung U800 is a good phone, with a very good batery life (5 hours talk time), I would suggest you take a look at Samsung U800 it might just be the phone for you. ...

Creative - ZEN X-Fi

User Reviews , November 21, 2008 1717 hrs IST

LOVE IT ...

HTC - P3400

User Reviews , November 10, 2008 1122 hrs IST

ert ...

Nokia - 5320 XpressMusic

User Reviews , November 07, 2008 1154 hrs IST

I loved this phone for its feature fast OS and music capablities.I m an audiophile even ipods sound quality cant satisfy me.But when i plugged my headset into my phone it satisfied to gud extend.Its unfair that Frazier have reviewed phone on default headset which i thought were only of average quality.I started chosing my phone with primary condition that it should have 3G . I u also start with that condition here is my advice. U want symbi.+music go for it. U want camera+big screen go for 5610 U want loudspeaker go for 6233 ...