Geekzone: technology news, blogs, forums
freitasm
#133977 10-Nov-2013 19:23

From "Christchurch transport card flaws", a video of Kiwicon 2013:

To demonstrate the flaws, software developer and security hobbyist William Turner had taken advantage of security weaknesses and hacked a transport card to boost its monetary value to a staggering $167,769.85, and by the same means ran it into the red to the tune of nearly three million dollars.

"If we have physical access to a card we can reprogram it with a balance (because) they are using old standards, default keys and there's no encryption stored on the data on the cards," Turner told delegates at Kiwicon in Wellington.
tardtasticx
#930397 10-Nov-2013 21:03

Wonder if they'll shut the whole system down first thing Monday to start fixing it?
Only way I can see the public trusting them after this goes out.

Also, how long do MetroCards last? I no longer have my physical card, but last time I went, maybe a year ago or so, I registered it to my Uncle's house, who lives in Chch, and I'd hate any of their details to go out there.

michaelmurfy
#930409 10-Nov-2013 21:20

tardtasticx: Wonder if they'll shut the whole system down first thing Monday to start fixing it?
Only way I can see the public trusting them after this goes out.

Also, how long do MetroCards last? I no longer have my physical card, but last time I went, maybe a year ago or so, I registered it to my Uncle's house, who lives in Chch, and I'd hate any of their details to go out there.


Metrocards last forever.

A few years back I found the balance was stored on the card and managed to write to it with an RFID writer and a Python script on a Linux computer. I didn't put too much on it ($20), but I also told Metroinfo about the flaw. I also found some major flaws in their online top-up system which still exist today, meaning free top-ups if you find them. The whole setup is more or less based on convenience and not security, as there will be very few people in Christchurch who will be looking out for these. I was personally surprised how easy it was to alter the balance on these cards, but am not surprised they have not fixed it yet.

Sorry guys, I remember posting this to Twitter quite a few years back, so you're a bit late to the game here ;)
CruciasNZ
#930444 10-Nov-2013 22:03

That was rather amusing
Kyanar
#930493 11-Nov-2013 06:48

Well, on the flip side, it beats the AT HOP system where you can't even alter the balance on the card by topping it up.

Oblivian
#930703 11-Nov-2013 14:18

As predicted, they have taken it offline (the ECan electronic top-up site) now that it has gone viral:
http://www.stuff.co.nz/the-press/news/transport/9386649/ECan-public-transport-card-hacked

And they are indicating they want to charge the guy!...

l43a2
#930707 11-Nov-2013 14:27

ECan should be charged with privacy law violations and piss-poor management of customer information.





freitasm
#930709 11-Nov-2013 14:28

Obviously the guy has no clue when it comes to security. The update project was to be released by June 2014?
shrub
#930802 11-Nov-2013 16:00

That's how ecant works. Wait until the media gets word, then fix it.

jpoc
#930842 11-Nov-2013 16:25

This does not add up. The ECan spokesman says that they had planned to fix the issues by June 2014 and that the upgrades to do this were interrupted by the earthquakes. So that was a three-year upgrade process to fix some security holes in their systems?

Even that broken auction site, waddle or whatever they called it, was able to fix their bugs in a few months.

Either ecan are more incompetent than waddle raised to the power of novapay or they are telling a pack of lies.

As for the threat to prosecute the whistle-blower, that would be a good laugh. I would expect the EFF to fund some hot shot lawyer for the defence. Do ecan really want to be subject to that?

Shock
#930983 11-Nov-2013 19:10

It is good to see they responded so quickly this time. The lack of verification at both business process level & webpage level was mind blowing especially given none of their limits applied!

Next cab off the rank those mobile banking app issues that were raised. I hope.
sbiddle
#930988 11-Nov-2013 19:15

According to ECAN it seems he hadn't actually told them of the flaw he exposed at the weekend. If so this is definitely bad form. While the security is clearly a joke, you should at least give a company the right to fix something or put steps in place to mitigate risk to end users if you're going public.


As for hacking the Mifare 1Ks - this is nothing new. People in Chch have been doing this for a few years now. Mifare 1K was fully compromised many years ago, so anything based on it is considered insecure.

mikerussellnz
#931044 11-Nov-2013 21:37

If you read the SC Magazine article you will know that ECan were made aware of the issues 3 months before the conference, and even that it would be presented at the conference. ECan did nothing.

ECan are hopeless; I would not be surprised if the site is down for months. They promised the online top-up site for years. Just look at the new bus routes launched last year; it shows that they are only interested in saving money. Many buses have been reduced from half-hourly to hourly in the weekend and after 6pm weekdays.

LennonNZ
#931106 11-Nov-2013 23:21

I was at Kiwicon where this was released, and yes, as you can see in the video (around 28:00), he had made ECan aware of the problems a while ago.

Comments from MM said this as well. I presume it (at least the ability to add credit to the cards part) was a well-known issue (in the right community), and I presume more than a few people have been getting free trips around Christchurch for a while.


LennonNZ
#931112 11-Nov-2013 23:43

I guess there are a few parts to this...

- The ability to add (or remove) whatever value you wanted on the cards. It seems ECan did have systems to try and mitigate this, but from what you can see in the video they didn't pick some of it up. (Also a lot of it was off-net processing.)

- The online problem. Before ECan restricted services (after I guess someone took down the website; it wasn't very clear from the Stuff article what happened), someone could easily, in maybe 10 minutes, have blacklisted everyone's cards (for those who had not registered their card online already) and caused a lot of problems. Imagine 90% of people in Christchurch who used the buses suddenly finding their card stopped working.

- The privacy issue: the ability to leak personal details of a lot of the users out of it, even after ECan had been told of the problem. This may be the biggest issue...

Maybe the first problem of adding/removing funds external to the system was a risk they were happy about and not easily resolved due to a hardware limitation of what they were using, but the 2nd/3rd online issues could have been resolved privately, I guess, before public disclosure was done.
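Added example, not part of this thread and not ECan's or the Metrocard vendor's code: a toy Python model of the two points raised by michaelmurfy (the balance stored in the clear on a writable card) and by LennonNZ (back-office systems and off-net processing as the mitigation). It puts a legacy value block that any reader takes at face value beside a MAC-protected block bound to the card UID, and adds the reconciliation step that treats the back-office ledger, not the card, as the authority. The 16-byte block layout, the 4-byte UID, the demo master key and the sample ledger are all constructed assumptions, not details of the real system.

```python
"""
Added example, not from this thread and not ECan's or the Metrocard vendor's code.
It models a stored-value transit card two ways: the weak form described in the
thread (balance in the clear, no integrity check) and a hardened form (balance
plus counter plus a MAC keyed per card), followed by the back-office
reconciliation that catches what the card itself cannot.

Everything below is constructed for illustration: the 16-byte block layout,
the 4-byte UID, the demo master key and the sample ledger are assumptions,
not details of the real Metrocard system.
"""
import hashlib
import hmac
import struct

# Assumption: a demo master key. A real deployment keeps this in an HSM or SAM,
# never in reader firmware or on the card.
MASTER_KEY = b"constructed-demo-master-key"


def decode_legacy_block(block: bytes) -> int:
    """Weak form: a little-endian balance in cents, nothing else.
    Any writer can set it to any value and a reader has no way to tell."""
    return struct.unpack("<i", block[:4])[0]


def derive_card_key(uid: bytes) -> bytes:
    """Per-card key derived from the master key, so a key recovered from one
    card (or one reader) does not authenticate every card in the fleet."""
    return hmac.new(MASTER_KEY, b"card-key" + uid, hashlib.sha256).digest()


def encode_value_block(uid: bytes, balance_cents: int, counter: int) -> bytes:
    """Hardened form: balance + monotonic counter + 8-byte MAC bound to the UID.
    The result is 16 bytes, the size of one MIFARE Classic data block."""
    body = struct.pack("<iI", balance_cents, counter)  # 8 bytes
    tag = hmac.new(derive_card_key(uid), uid + body, hashlib.sha256).digest()[:8]
    return body + tag


def decode_value_block(uid: bytes, block: bytes) -> tuple:
    """Return (balance_cents, counter); raise ValueError if the MAC fails."""
    if len(block) != 16:
        raise ValueError("value block must be 16 bytes")
    body, tag = block[:8], block[8:]
    expected = hmac.new(derive_card_key(uid), uid + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: block was rewritten or copied from another card")
    return struct.unpack("<iI", body)


def ledger_balance(ledger: list, uid: bytes) -> int:
    """Back-office view: the sum of approved top-ups and fares for this card."""
    return sum(amount for card_uid, amount in ledger if card_uid == uid)


def reconcile(uid: bytes, block: bytes, ledger: list) -> tuple:
    """Classify a card against the ledger, as an off-net back office would do
    once reader logs are collected.
    REJECT:  the block fails the integrity check.
    HOTLIST: the block is authentic but disagrees with the ledger (stale,
             cloned, or a missed transaction); block the card until reviewed.
    OK:      card and ledger agree."""
    try:
        on_card, _counter = decode_value_block(uid, block)
    except ValueError as err:
        return ("REJECT", str(err))
    expected = ledger_balance(ledger, uid)
    if on_card != expected:
        return ("HOTLIST", f"card says {on_card} cents, ledger says {expected} cents")
    return ("OK", on_card)


if __name__ == "__main__":
    # Constructed sample data: one card, a $20.00 top-up and a $2.50 fare.
    uid = bytes.fromhex("04a1b2c3")
    ledger = [(uid, 2000), (uid, -250)]
    block = encode_value_block(uid, 1750, 2)
    print(reconcile(uid, block, ledger))
    # Flip one byte of the stored balance, as any rewrite of the block would.
    tampered = bytes([block[0] ^ 0xFF]) + block[1:]
    print("legacy reader would accept:", decode_legacy_block(tampered))
    print(reconcile(uid, tampered, ledger))
```

The MAC alone only stops tampering by someone without the card key; a cloned card, a replayed old block or a reader that never phoned home still passes it. That is why the ledger comparison stays in the loop even when readers work offline: the card is treated as a cache of the balance, and the back office is the record.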

mikerussellnz
#931176 12-Nov-2013 08:08

Just adding a captcha to the registration page would have made automated signups significantly more difficult.
