Federal judge halts Defcon talk on subway card hacking

The Title of the Talk

Sheesh! What amateurs! Everyone knows that the more important and contentious a presentation, the more innocuous the title you give it.

Had they titled the talk "Recent Results in the Investigation of Place-to-Place Transit Protocols" or something even duller and more boring, no one would have noticed in time to stop the presentation.

Look at Andrew Wiles' famous proof of Fermat's Last Theorem: he gave his presentation the title "Modular Forms, Elliptic Curves, and Galois Representations." Nothing in the title about the ultimate objective, the proof of Fermat's theorem.

The art of modern management

If you shoot the messenger it proves that there's no problem.

This beggars belief

I can only wonder why they don't want a secure system. Apart from the obvious, 'We don't want to fix it because it will cost money and we have share holders to worry out.'

I agree with Will Godfrey, now the world knows where the problem lies the crackers will soon be at it. A Federal judge saying they cant discuss it at Defcon is as effective as highlighting it with neon signs saying "DO NOT LOOK FOR OUR BIG SECURITY PROBLEM. PLEASE IGNORE IT'S NOT THERE. HONESTLY AND WE'RE GOING TO SUE THOSE PESKY STUDENTS FOR BREAKING OUR NICE SECURE SYSTEM.

Well I'm convinced. Aren't you?

They Did Violate the Law

I reviewed the slides that were to be shown at the conference. Apparently, these students did violate the law:

1. They claim to have engaged in social engineering techniques that included trespassing on MBTA property.

2. They used some equipment to remotely monitor communications going on inside the MBTA building.

Both of these have nothing (directly) to do with farecard security, and they are illegal, it is Keven Mitnick-style hacking. This is NOT a good test case to maintain free speech rights on pointing out security vulnerabilities.

@ John Widger and James Woods

@ John Widger:

'I can only wonder why they don't want a secure system. Apart from the obvious, 'We don't want to fix it because it will cost money and we have share holders to worry out.'

To answer your question, this isn't just a small thing. I think I read somewhere on The Register that Philips Semiconductor (now NXP) have issued over 10 billion (10,000,000,000) of these Mifare Classic (hackable) items worldwide.

To make it really clear: in the US, if you make a defective product (such as a car component), by law you're supposed to notify each purchaser about the defect. Here's the rub: 10,000,000,000 x (letter explaining defect + current stamp cost). Plus time and manpower to print and send it all. And that's not including replacing the product itself. Now you see why they're fighting tooth and nail. Granted that most companies would buy in bulk, it would still probably bankrupt them to replace the defective units (for free), so they're trying to keep a high, er low, profile and coast along until they can fix it in-house and sell the updated versions to their unsuspecting customers in order to stay afloat.

In their minds, why should they fix it if they lose their jobs in the process? So, they screw people.

@ James Woods:

"The last time I checked, I wasn't in china, and merely talking about something can't put you in jail."

Not true. Yelling "FIRE!" in a theater can get you arrested, and if you were to give a full-scope presentation of how to make home-grown explosives or bio-chem weapons on a street corner, you'd probably be arrested there too. And God forbid anyone should talk about doing nasty things to a politician or the President in public these days. Over-reacting is the watchword of the times. It's not Orwell yet, but give it time.

The Bottom Line

This applies equally to the MBTA, the California tollway providers, the Dutch transportation authority, the Oyster Card folks, et.al.:

The blame can ONLY be placed on the companies and governments that OPERATE these transport systems that are using the flawed security measures. The failure of these companies and government agencies to constantly review the security of their systems AND PLAN FOR UPGRADES TO DEAL WITH THESE THREATS AS THEY OCCUR is an egregious management error that MUST be addressed by their stockholders/governments.

Companies like NXP semi are really NOT to blame, especially if they can show that they were actively attempting to upsell their clients to newer technology when the old systems became vulnerable. On the other hand, if they were assuring their customers that the Mifare Classic was still secure, then they ALSO need to be part of the guilty crowd.

I fully expect the outcome of all this publicity to be criminal suits filed by government law enforcement agencies against the managers of the failed agencies and their vendors - for completely failing to do their jobs. And another round of fare hikes and taxes to pay for complete overhauls of the transport systems that are affected.

Finally, an example. If a bank were to build a vault with a screen door and pronounce it "secure" because no one had broken into it yet, the management would be behind bars in a heartbeat - or at least fired and fined. The actions of these agencies and companies is the equivalent of the screen door on a bank vault.

Article title

I read the title of the article as 'Feral judge....'

Mine's the one with the spectrum analyser in the pocket

Ummm someone tell the washington post

http://www.washingtonpost.com/wp-dyn/content/article/2008/07/18/AR2008071801912_pf.html

Oooops! Seems the washington post managed to scoop the defcon team, and if their description of the hack is correct it was done in a way more ghetto way than cloning cards with a magstripe reader, respect for that, if its true:

"Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out."

It would appear that that is basically the substance of the defcon talk, and the bit about mifare vulnerabilities appears to be mostly theoretical based on the recent mifare flaws.

Since all of this information is already public domain taking the speakers to court has only had the effect of publicising the flaws more widely than would otherwise have happened, if the transit authority had kept quiet then some geeks would have known of the problem, now the world+dog knows.

Paris because even she knows you cant put the genie back in the bottle

“whistleblower” protections

One of the problems with the current laws when it comes to security and computer research is that there is no “whistleblower” protections, unlike those that are in place for people that expose fraud and things in other systems.

The U.S. Government wants sides with companies that make products or produce software for the most part. The lawmakers are paranoid about the internet (mostly because they don't understand it) and believe anyone who uses it is involved in either child porn or downloading movies/music or software. Anyone who researches security and exposes the chinks in the armor is a person that is a "dangerous hacker" bent on destroying the system and costing a company money.

We are not allowed to tell people that "the emperor has no clothes".

Crap security is everywhere

If the company was previously aware of the weakness in their security, and didn't warn the customers it sounds like fraud to me.

If the company wasn't previously aware of the weakness in their security it sounds like incompetence.

Either way, the company doesn't get a free pass by pointing at the messenger and shouting "He did it!".

Looks like TG Daily took the slides down

Chickens

I can't believe it's called the CharlieCard

Has it got nice sharp edges for cutting up white powder?

@Brett Brennan

So let me see if I get this right - you are suggesting that the operators of public transport systems be held liable because of a failure of their VENDORS?

Firstly, you haven't proven that there is a non-rectifiable problem of any great magnitude. Most of what I have seen from the slides and in other discussions on the crackable cards is in the same category of people boarding buses from the exit doors - minor fair jumping. It is not something that will stop the transport system from working, and not something that the vast majority of users are going to bother to do, especially if any detection mechanisms are put in place and violators prosecuted.

For example, it is fairly easy to monitor the transaction systems for purchased fares, and cross-correlate with the value on a card as it is used - maybe not in real-time, but certainly as a data mining operation. A card ID that is used repeatedly with an amount that is not shown to have been purchased can have the card de-activated perhaps, or CCTV can be queued to detect people using those cards and have them stopped in by security.

Even if you take exception to the methods above, my point is that there are certainly valid ways of combating this fare jumping that do NOT require the wholesale replacement of the entire card system - just a few more tools in the belt of the system security. Now as to the systems passing that cost on to the original card vendor, THAT makes a lot of sense, and if the card vendor is smart they will be working with the systems for fraud detection and prosecution tools that can be rolled out to all systems using the cracked cards...

Lastly, I don't find the actions or management of the transport systems in any way flawed - they all purchased a system that was advertised and designed as secure, and hadn't been publically broken TO THAT POINT. It was designed to hit a price/performance goal, and there was no real business case that I can see for buying more expensive cards that _might_ be more secure but at a much higher cost - and they need to buy a LOT of cards, so the cost difference would quickly add up. Given that what is being protected here is not biowarfare secrets, but common fare jumping, their actions were perfectly rational and probably even good business if you run the numbers of card costs versus potential fare jumping via cracked cards...

For frick sake, get a grip

Look, let's start with some basics here. I'm pretty positive that none of the card manufacturers started out with the idea of deliberately releasing a substandard card. What they failed to do was to have proper research into its security, but I refuse to believe they decided to build a global business on a deliberately weak product (and techniques improve, so you're always sitting a bit on a time bomb).

However, where they went off the rails (and in principle pulled a Streisand) was by trying to halt the talk. What should have happened was invitations to talk about the issue and working out a way to address it - like you would expect with responsible disclosure.

Question: was the company notified in time to give them at least a chance? Not so sure, but I wasn't there. Observation: yup, I can see this company being well & truly stuffed for having a cracked product (depends on the nature of that hack), but you need to incorporate that risk in supplying ANY security product, and given the reaction of most suppliers so far that wasn't the case. To me it smacks of panic more than sense (default US panic button: sue someone?).

Trying to sue anyone who publishes is not going to make the problem go away. If you're a company using such cards, would you still go and buy more? Not until you've heard someone addressing the PROBLEM, rather than the messenger..

I personally hope that the researchers find a way to turn that judgment against the suppliers and make them think. Every time a researcher gets successfully halted in court, security weakens. Or is that the goal?

in response to kevin and free speach

Yelling fire in a cinema will only get you arrested if there isn't one.

Intend / Prior Knowledge and NXP

One thing that seems a little odd if NXP were not aware of this potential issue is that they appear to have submitted th controllers for Common Criteria EAL5+ certification (http://www.commoncriteriaportal.org/products_IC.html#IC) but not the Myfare cards (unless they did it under a different name).

Perhaps there were some doubts on their part as to the security of the cards, long before any university students showed this to be the case?

--

Martin

They may get a job with TFL

Well the boy are in look as TFL will be looking for a replacement for the 'Oyster'

http://www.theregister.co.uk/2008/08/08/oyster_card_cancelled/

Now the 'Charlie Card' has GOT to be a contender

@rich My first thoughts too lol

Does Clveland RTA system use these cards?

These cards look exactly like the cards that the Cleveland RTA uses. ???

@ Rich

Kingston Trio, early 1960's

"Will he ever return, no, he'll never return and his fate is still unlearned

(poor Old Charlie)

He'll ride forever ne'eth the streets of Boston, he's the man who'll never return.

Ok, not the same as Bolivian marching powder and all its wonders, but at least historically correct.

Peace, man

Paris, cus she relates to both.

@M

Good research! That little bit of information is very powerful, possibly worthy of its own article...

@Rich and A/C

It is gratifying to learn that the miscreants added "one more nickel" to the CharileCard.

http://www.mit.edu/~jdreed/t/charlie.html