Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
An Australian state public transport system has been cracked by a group of security researchers who were able to replicate cards to enable free travel.
Theo Julienne, Karla Brunett, Damon Stacey, and Dougall Johnson used flaws in the system's decades-old custom cryptographic scheme to access transport data and reproduce tickets.
A team of four security researchers, using the group name TrainHack, presented their work in a talk dubbed Reverse Engineering a Mass Transit Ticketing System at the Ruxcon security conference in Melbourne today.
It cost only a few hundred dollars to buy a card reader and equipment to crack the cards.
They chastised the use of weak custom encryption but in line with disclosure agreements did not name the type of cryptography used or identify the affected organisation.
But they said the transport organisation faced such an onerous task in fixing the massive distributed transport system – which spread across multiple modes of travel including trains and buses – it may withold a fix and wait for a scheduled upgrade of the system.
“It was independent research, done through curiosity,” Johnston said.
"The custom cryptography was made before I was born".
The transport organisation did not reveal the cost of repairing the flaws.
After about a week's worth of research, drawn out over months, the students sent their findings including a string of ticketing data extracted from the cards to the transport organisation as part of responsible disclosure.
About two months ago, they met the organisation's chief information officer and resident subject matter experts to discuss the flaws.
Their research was made using purchased tickets rather than the public transport hardware to avoid breaching computer crime laws.
They said following a cursory examination that Victoria's MyKi transport system, which upgraded to use Mifare DESFIRE EV1 cards, was built with rugged security that made it hard to crack.
The affected transport organisation in a written statement said it viewed security as a priority.
Johnston said the group still pays for tickets.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.