Christchurch transport card flaw

Forums › Off topic › Christchurch transport card flaw

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#133977 10-Nov-2013 19:23

From "Christchurch transport card flaws", a video of Kiwicon 2013:

To demonstrate the flaws, software developer and security hobbyist William Turner had taken advantage of security weaknesses and hacked a transport card to boost its monetary value to a staggering $167,769.85, and by the same means ran it into the red to the tune of nearly three million dollars.

"If we have physical access to a card we can reprogram it with a balance (because) they are using old standards, default keys and there's no encryption stored on the data on the cards," Turner told delegates at Kiwicon in Wellington."

1 | 2

3075 posts

Uber Geek

#930397 10-Nov-2013 21:03

Wonder if they'll shut the whole system down first thing Monday to start fixing it?
Only way I can see the public trusting them after this goes out.

Also, how long do MetroCards last? I no longer have my physical card but last time I went maybe a year ago or so, I registered it to my Uncles house, who lives in Chch and I'd hate any of their details to go out there.

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#930409 10-Nov-2013 21:20

tardtasticx: Wonder if they'll shut the whole system down first thing Monday to start fixing it?
Only way I can see the public trusting them after this goes out.

Also, how long do MetroCards last? I no longer have my physical card but last time I went maybe a year ago or so, I registered it to my Uncles house, who lives in Chch and I'd hate any of their details to go out there.

Metrocards last forever.

A few years back I found the balance was stored on the card and managed to write to it with a RFID writer and a python script on a Linux computer, I didn't put too much on it ($20) but also told Metroinfo about the flaw. I also found some major flaws in their online topup system which still exist today meaning free topups if you find them. The whole setup is more or less based on convenience and not security as there will be very few people in Christchurch that will be looking out for these. I was personally surprised how easy it was to alter the balance on these cards, but am not surprised they have not fixed it yet.

Sorry guys, I remember posting this to Twitter quite a few years back so you're a bit late to the game here ;)

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

CruciasNZ

879 posts

Ultimate Geek

Trusted

#930444 10-Nov-2013 22:03

That was rather amusing

Professional Forum Lurker

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#930493 11-Nov-2013 06:48

Well, on the flip side, it beats the AT HOP system where you can't even alter the balance on the card by topping it up.

Oblivian

7296 posts

Uber Geek

ID Verified

#930703 11-Nov-2013 14:18

As predicted, they have taken it offline (ecan electronic topup site) now that it has gone viral
http://www.stuff.co.nz/the-press/news/transport/9386649/ECan-public-transport-card-hacked

And indicating they want to charge the guy!...

l43a2

1779 posts

Uber Geek

ID Verified

Trusted

#930707 11-Nov-2013 14:27

ecan should be charged with privacy law violations and piss poor management of customer information

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#930709 11-Nov-2013 14:28

Obviously the guy has no clue when it comes to security. The update project was to be released by June 2014?

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

shrub

775 posts

Ultimate Geek

ID Verified

#930802 11-Nov-2013 16:00

thats how ecant works. Wait until the media gets word then fix it.

jpoc

1043 posts

Uber Geek

#930842 11-Nov-2013 16:25

This does not add up. The ecan spokesman says that they had planned to fix the issues by June 2014 and that the upgrades to do this were interrupted by the the earthquakes. So that was a three year upgrade process to fix some security holes in their systems?

Even that broken auction site, waddle or whatever they called it, was able to fix their bugs in a few months.

Either ecan are more incompetent than waddle raised to the power of novapay or they are telling a pack of lies.

As for the threat to prosecute the whistle-blower, that would be a good laugh. I would expect the EFF to fund some hot shot lawyer for the defence. Do ecan really want to be subject to that?

Shock

534 posts

Ultimate Geek

Trusted

#930983 11-Nov-2013 19:10

It is good to see they responded so quickly this time. The lack of verification at both business process level & webpage level was mind blowing especially given none of their limits applied!

Next cab off the rank those mobile banking app issues that were raised. I hope.

Connecting to UFB? Go with Bigpipe and use this link for free credit!

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#930988 11-Nov-2013 19:15

According to ECAN it seems he hadn't actually told them of the flaw he exposed at the weekend. If so this is definitely bad form. While the security is clearly a joke, you should at least give a company the right to fix something or put steps in place to mitigate risk to end users if you're going public.

As for hacking the mifare 1k's - this is nothing new. People in Chch have been doing this for a few years now. Mifare 1k was fully compromised many years ago, so anything based on it is considered insecure.

mikerussellnz

283 posts

Ultimate Geek

#931044 11-Nov-2013 21:37

If you read the SC magazine article you will know that ECan were made aware of the issues 3 months before the conference and even that it would be presented at the conference. ECan did nothing.

ECan are hopeless, I would not be surprised if the site is down for months. They promised the online topup site for years. Just look at the new bus routes launched last year, it shows that they are only interested in saving money. Many buses have been reduced from half hourly to hourly in the weekend and after 6pm weekdays.

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#931106 11-Nov-2013 23:21

I was at kiwicon where this was released and yes as you can see in the video (around 28:00) he had made it aware to Ecan of the problems a while ago.

Comments from MM said as well I presume it (At least the ability to add credit to the cards part) was a well known issue (in the right community) and I presume more than a few people have been getting free trips around Christchurch for a while.

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#931112 11-Nov-2013 23:43

I guess there are a few parts to this..

- the ability to just add whatever value you wanted to the cards (or remove) and it seems Ecan did have systems to try and mitigate against this but it didn't pick some of it up from what you can see in the video. (Also a lot of it was off-net processing)

- the online problem . Before Ecan restricted services (after I guess someone took down the website - it wasnt very clear on the stuff article what happened) the online version someone could have easily in maybe 10 mins blacklisted everyones cards (who had not registered their card online already) and caused a lot of problems. Imagine 90% of people in christchurch who used the busses suddenly finding their card stop working.

The Privacy issue also of the ability to leak personal details out of it from a lot of the users even after Ecan had been told of the problem. This may be the biggest issue...

Maybe the first problem of adding/removing funds external to the system was risk they where happy about and not easily resolved due to a hardware limitation of what they where using , but the 2nd/3rd online issue could have been resolved privately I guess before public disclosure was done.

mikerussellnz

283 posts

Ultimate Geek

#931176 12-Nov-2013 08:08

Just adding a captcha to the registration page would have made automated signups significantly more difficult.

1 | 2