<!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]-->
Here is what I had drafted for Rex.
At this stage this is just for your information and so you are aware of the potential risk and the actions we have taken.
On the 24th of August we were contacted by someone who appears to be a student. His email is below where he essentially details the findings of some research carried out by a group of Dutch PHD students back in 2008. The research done in Europe was published at the time so it is a bit strange that the person is taking the approach he is unless he is standing to gain by us engaging either of the two companies he suggests to help. What makes it as strange is that many cities around the world continue to purchase and use the cards and this is largely because only really IT savvy people are going to attempt to exploit the vulnerability, and because there is net gain financially for those people as they can simply put a high value on a card which they will then be able to use to travel with.
In terms of our risk mitigation strategies we have a number in place as obviously we have known for sometime. Because it would be next to impossible to swap out the current 300,000 odd cards we’ve worked on a progressive migration plan. INIT (our ticketing provider) have advised recently that they are currently in the Factory Acceptance Test phase of the software that will allow our ticket machines to read and write to both our current card type and the 4K DESfire card type which has a higher level of security. This will allow us to transition out of the current card type progressively.
The other strategies we have in place involve the use of various forms of reporting to detect fraudulent use. Once an instance of fraudulent use is detected we can then hotlist the card in question so it can’t be used.
At this stage we have identified one card value error which may or may not be related (INIT are currently investigating) and we have hotlisted the card in question so it cannot be used. I’ve also responded to James Turner (the researcher) per the email directly below. Katherine is also aware of the situation from a comms perspective and I’ll keep her updated on any return correspondence.
If there is anything else you think we should be doing just let me know.
From: David Stenhouse
Sent: Friday, 13 September 2013 11:54 a.m.
To: '[email address]'
Cc: Darryl Gay
Subject: FW: Private disclosure of vulnerability
Thanks for advising us of your findings. We are already aware of the findings of the researchers in Holland and have several mitigation strategies in place. The primary strategy is to transition to the Mifare 4K DESfire card which has a greater level of security. Our ticketing system provider has developed the software to allow our on-bus devices to read and write to the 4K DESfire cards and this is currently undergoing Factory Acceptance Test before deployment with another city.
We are also able to identify transactions that are of the nature you describe through routine analysis of the ticketing system reports which we have available. Once transactions of the nature you describe are identified we can then hotlist the offending card.
We would be interested in the reason why you have a timeframe for releasing the information by 9th of November. Are you able to clarify this for us? We would also be interested in understanding why you have undertaken the research when it has already been undertaken and publicised in Europe?
Manager Passenger Services
021 226 6987
Private disclosure of vulnerability
While conducting recent research, I have discovered a number of quite serious security issues with the Metro Card system.
Before getting into the details of the issues, I want to explain the nature and purpose of this communication. I am informing you as a courtesy, in the hopes that it will help you address the issues. It is not in any way intended as a threat.
At this point, I have not told anyone else of these issues, to avoid malicious parties exploiting the vulnerabilities before you can fix them; however, I have a hard deadline where I must publish my findings on 9th Nov 2013.
Another reason it is important to fix these issues as soon as possible is that there could be malicious parties already exploiting them.
1. Ability to arbitrarily increase/decrease credit on a Metro Card
2. Ability to add new unauthorised cards to the system
3. Ability to copy any other user�s card and use their credit
You will hopefully already know everything in this section, but I want to cover some background about the technology used by the Metro Card system.
The contactless card used for the Metro Card is called Mifare Classic. The Mifare Classic was first released in 1994, which means it is quite old now, at least by technology standards.
Each Mifare Classic card is divided into 16 �sectors� of data. The system uses two authentication keys per sector to only allow authorised reader devices to access the data on the card; these are called A and B keys. This makes for a total of 32 keys per card. Most of the sectors on a card can be rewritten, however the first part of the first sector contains a special number called the UID, the UID is unique to each card and cannot be changed.
In 2008 researchers reverse engineered the Mifare Classic and were able to copy cards. For more details see http://en.wikipedia.org/wiki/MIFARE#MIFARE_Classic
The researchers found a number of weaknesses with the Mifare Classic system. One of the weaknesses allowed anyone with access to a card to retrieve the authentication keys used on the card. To do this however took significant time. There is another weakness where if an attacker already knows at least one key for one sector, they can retrieve all the remaining keys very quickly i.e. in less than a minute. This is called the �nested attack�.
There is also an important vulnerability involving the card reader device. The attack allows the keys used by the reader device to be retrieved if the attacker can record, �snoop�, the failed (or successful) authentication traffic between a card and reader. To read the details of these attacks see http://www.sos.cs.ru.nl/applications/rfid/2008-esorics.pdf
There are two notable tools which were used to take advantage of these weaknesses. The first is called a �proxmark3�; it is a general purpose reader/writer device. It also allows eavesdropping on other reader/card transactions.
The second device is called a �magic Chinese card�. These are special Mifare Classic cards which allow the UID to be changed; effectively making them appear to be any other card.
As you can see, the Mifare Classic system is very insecure. Using the first weakness listed above, we could retrieve the keys from any Metro Card in a number of hours, which would allow us to read the data stored on the card and to change the data.
This task is made harder by the fact the each metro card uses different keys, so we would need to rerun the attack for every card we wanted to access. However, every metro card uses the same A key for sector 0 i.e. FFFFFFFFFFFF, which means we can use the �nested attack� to find the keys for any metro card in under a minute.
This allows us to easily read and change the data on any Metro Card we have physical access to. Since the data on Metro Cards is not encrypted, it is easy to find and change the important values, such as the card etched number and the balance. It seems there is no online checking of balance when a card is presented to a reader, so changing the balance on the card will make the reader accept the new value. Worse is the fact that there seems to be no server side balance verification either, which means that changing the balance on a card also updates the balance stored by the server the next time the reader device on the bus is synced.
As mentioned there is another attack against Mifare Classic involving a reader device. With this attack we can get the keys a reader tried to authenticate with when it attempts to read a card. Using this attack we can present the reader with a blank Mifare Classic card and find out what keys the card should be programmed with to allow other Metro Card readers to access it, we can then format the card to appear to be a valid metro card and it will work just like a legitimate card i.e. we can add unauthorised cards to the Metro Card system and use the first issue described above to set whatever balance we want.
The final issue is that we can �clone� any other user�s Metro Card without ever having physical access to it. Each metro card has two different IDs, the number printed on the top left of the card, and UID.
Although there is a mapping from the card number to the UID, the UID is the id which the balance is associated with. By loading the url https://metrocard.metroinfo.co.nz/account/get_balance/card:<card number>?callback=x, where <card number> is any six digit number, the server will return the UID and balance for the card, if it is active. This means that we can get the card number, UID and balance for every card in the Metro Card system. Using one of the �magic Chinese cards� we can clone any card in the Metro Card system and use that user's credit. Because of the first vulnerability mentioned, when the owner of the card next uses the card, the system balance will be reset, in effect making the legitimate user commit fraud.
As mentioned above I have not told anyone else of these security issues, so that you have a chance to fix them before the public and any malicious parties become aware of them. I will be releasing all information related to this research on 9th Nov 2013. Although I won't release any details before then, the title/summary of this research will be released prior to the publication. It is therefore possible others may attempt to recreate what I have found. I suggest fixing these issues as soon as possible.
Companies and governments are informed about security issues everyday by independent researchers like myself, how you react to this information is of cause up to you, but below I outline the recommended response.
The professorial response to being informed about security issue in one's system is to thank the researcher, fix the issue as soon as possible, and then inform the researcher when it is safe to let the public know. The benefits to this type of response are: other researchers will feel comfortable about informing you if they find issues in the future. Good public relations as people see you fixing a problem as soon as you learn of it.
I assume you have skilled technical staff that will be able fix these issues. If you need further advice you might think of asking me, although I happy to provide more details of what I have discovered in this research, I do not work for you and am under no obligation to help fix these issues. You might think of hiring me to do contract work, but that would be very inappropriate. If you do need technical advice on how to fix these issues, I recommend contacting Lateral Security (http://www.lateralsecurity.com) or Insomnia Security (http://www.insomniasec.com), both well respected local computer security companies.
Please respond to this email to confirm you received it.
Yours, James Turner