OV-Chip card can be cracked
Joep Derksen
Trans Link Systems (TLS) is the organisation responsible for the introduction of the OV-chip card. Radboud University cracked the security of the system as early as 2008 and strongly advised against proceeding with the introduction of this card. The junior transport minister and TLS disregarded this advice and gradually introduced the payment system throughout the country. As was to be expected, easy-to-use Windows software for card manipulation is now freely accessible on the internet (without any involvement from Radboud University). The public transport companies may lose hundreds of millions in income.
TLS claims that a cracked card will be detected within 24 hours. However, journalists and politicians from the SP (Socialist Party) used such a card at railway stations, in trams and buses. Even after 36 hours, they were still not caught. The computer magazine PC-Active claims that this OV-chip card system should be abolished. “The means to crack the code are now within reach of the common user. It is not a question whether, but when people will start using these card readers en masse.”
Security
When one of his students, Roel Verdult, asked for a research subject, Professor Jacobs suggested the Mifare Classic chip, used in the OV-chip and in many other cards: “At the time of the introduction of OV-chip cards in the Netherlands, we were very interested in the system. TLS was not open to our offer for assistance to check the security, so we did it on our own. It turned out that the chip used for the cards is also part of our university access passes. The chip was developed in the early ’90s and has lousy security. When you’re able to read and write in the memory, the amount on the card can be altered. We never made the software to do so public, but forewarned that ultimately details would appear on the internet. Thanks to this recent script-kiddie software even people who don’t understand anything about the system can still use it.”
The cracked chip goes way beyond public transport, warns Jacobs. The Mifare Classic chip is also used for access control in sensitive buildings, such as nuclear power plants and military bases. He stresses that his team is not a group of hackers: “We are active in academic security evaluations.” When Jacobs and his students find a flaw in a security system, they warn the organisation so that security can be improved.
Open wallet
As far as Jacobs is concerned, the current OV-chip card should be taken off the market as soon as possible. “It is an open wallet; I was told that tens of thousands of those card readers were sold in the past couple of weeks. It is not hard to predict what will happen in the future: everybody will start using the card readers. Public transport will go the same track as music and movies: why pay for it if you can get it free of charge?” TLS wants to introduce a new card, but the time frame does not please the professor: “That company only starts the introduction at the end of this year. However, the current cards can still be used. Therefore, nobody will want to have those new cards, since everybody wants to continue travelling free of charge. The OV-chip project should have been halted in 2008 until new OV-cards were available. Moreover, these new cards should be set up in such a way that the privacy of the traveller is not invaded. Nobody needs to know where I get on the train and where I get off. I know halting the project now is an even more difficult decision, as it will be political suicide, but it is the only right decision.”
Minister Melanie Schultz van Haegen (Infrastructure and Environment) has not given up on the current system yet. Although the introduction of this system was postponed for a month in Zuid-Holland, she still backs the national distribution of this easy-to-crack OV-chip card. The NS refuses to replace the cracked OV-chip cards and states that the expense of replacing all cards with a new, more secure version would be too high. Train travellers will have to wait until their card expires, which in some cases can be five years from now.