Security researchers hack the London underground train for free ride

A group of Dutch security researchers were able to clone the "smartcards" that commuters use to pay fares in the London Underground system, allowing the group to ride for free.  This is an interesting attack vector that I actually talked to Adam Laurie about when I was at Black Hat Amsterdam.  I've spoken about similar hacks with a number of security researchers, and there's been some interesting ideas proposed on the subject.  In fact, I may just try this on the laundry cards used in my apartment complex.  I promise a full write up on how it was done if I manage to pull something off.

I originally saw this story commented on in an article on Wired by Alexander Lew, which commented that:

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and "the most anyone could gain from a rogue card is one day's travel." But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

 "The cryptography is simply not fit for purpose," security consultant Adam Laurie told the Telegraph. "It's very vulnerable and we can expect the bad guys to hack into it soon if they haven't already."

For those not familiar, Adam Laurie is a major player in the computer security research field and has done a ton of interesting research on all number of wireless technology.  I'm working on getting Adam to write up a guest editorial or two on what he's been working on lately. 

Read on...

[Images courtesy of Transport For London]

The Wired article continues:

The Dutch government has taken the breach seriously and says it is upgrading the smartcard system that secures its buildings. "It's a national security issue," a spokesman for the Dutch Interior Ministry told reporters. "We're in the process of replacing the cards of all 120,000 civil servants at central government level."

According to the Times, Radboud University researcher Bart Jacobs and his team used an ordinary laptop to clone an access card to a building in the Netherlands. When that worked, they went to London to test the technique on the Underground.

The hackers scanned one of the Underground's many card readers to collect the cryptographic keythat purportedly keeps the system secure. The keys were uploaded to a laptop, essentially turning them into portable card readers. The hackers then brushed up against passengers to wirelessly upload the information on their Oyster cars. That information in hand, it was a simple matter of using it to program new cards.

Jacobs says the same technique can clone smartcards that provide access to secure buildings. "An employee can be cloned by bumping into that person with a portable card reader," he told the Times. "The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures."

Read that again... "no known countermeasures".  Crazy.  Keep your eyes open for a guest editorial from Adam Laurie, hopefully coming soon.  We're negotiating how many beers I'll owe him at Black Hat Vegas this year.

-Nate