<!--[if !mso]><style>v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} </style><![endif]--><!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="2050" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]-->

Hi David,


Have had a look at this.


There is no doubt that the best way forward is for you to adjust security level so that this can not occur. This obviously has costs and is threfore a commercial decision for you and your company to make.


The 'hacker' has committed an offence against Section 252 Crimes Act 1961.


The issue will then be identifying the hacker - especially if he has routed email through other country servers.


Possible way forward is to send an email to the 'hacker' that you have sought advice from Police and that Police have confirmed an offence committed. That Metro Bus acknowledge security issues with their bus cards and are in process of rectifying and won't make a complaint to Police unless the 'hacker' proceeds with releasing information about the security issue.


Happy to discuss in person - next week not available but clear after that


Let me know









<!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"> <v:stroke joinstyle="miter" /> <v:formulas> <v:f eqn="if lineDrawn pixelLineWidth 0" /> <v:f eqn="sum @0 1 0" /> <v:f eqn="sum 0 0 @1" /> <v:f eqn="prod @2 1 2" /> <v:f eqn="prod @3 21600 pixelWidth" /> <v:f eqn="prod @3 21600 pixelHeight" /> <v:f eqn="sum @0 0 1" /> <v:f eqn="prod @6 1 2" /> <v:f eqn="prod @7 21600 pixelWidth" /> <v:f eqn="sum @8 21600 0" /> <v:f eqn="prod @7 21600 pixelHeight" /> <v:f eqn="sum @10 21600 0" /> </v:formulas> <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" /> <o:lock v:ext="edit" aspectratio="t" /> </v:shapetype><v:shape id="Picture_x0020_2" o:spid="_x0000_s1026" type="#_x0000_t75" alt="crest(1)" style='position:absolute;margin-left:-30pt;margin-top:0;width:31.9pt;height:45.2pt;z-index:-1;visibility:visible;mso-wrap-style:square;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text' wrapcoords="-1016 0 -1016 20788 21329 20788 21329 0 -1016 0"> <v:imagedata src="cid:image001.png@01CEC0F8.2DFB4F30" o:title="crest(1)" /> <w:wrap type="tight"/> </v:shape><![endif]--><![if !vml]>crest(1)<![endif]>John Gallagher

Detective Senior Sergeant
Crime Strategy Manager | Crime Strategy Group | Canterbury Police | Cnr St Asaph and Antigua Streets | DX WX10057 | ' 64 3 363 7723 | Ext: 36723 | : [email address]



From: David Stenhouse [mailto:[email address]]
Sent: Tuesday, 24 September 2013 17:26
Cc: Darryl Gay
Subject: Metrocard


Hi John

Here is the correspondence with the hacker to date.











From: David Stenhouse
Sent: Monday, 23 September 2013 1:51 p.m.
To: 'James Turner'
Subject: RE: Private disclosure of vulnerability



Thanks for the feedback, and for identifying the vulnerability around the hotlist. This is one we weren’t aware of and really should have been. Our ticketing supplier is working on a fix.

We are aware of the second issue and our ticketing supplier has been working on a fix.


As for the priority. We are now in a slightly better space than we have been over the last 2 and half years and yes we are giving the issue a higher priority.






From: James Turner [mailto:[email address]]
Sent: Saturday, 21 September 2013 12:19 p.m.
To: David Stenhouse
Subject: Re: Private disclosure of vulnerability


I see. I suggest you reprioritize the importance of security.

I have since found more vulnerabilities. Firstly, it is trivial to bypass card hotlisting by changing the etched number stored in block 0. Secondly, if a card is not already registered on the web site, anyone can register it and thereby access the card owner's private details e.g. name, address and date of birth. 

-----Original Message-----
From: David Stenhouse <[email address]>
To: 'James Turner' <[email address]>
Sent: Fri, Sep 20, 2013 3:37 pm
Subject: RE: Private disclosure of vulnerability


We started to learn of the vulnerabilities during 2009 and gathered as much information as we could over the subsequent period. By that time we had entered into a contract with a new ticketing supplier and the new system was deployed on buses in August 2010. Together with the supplier we felt that the large number of active cards in use meant that we would be best placed to have a progressive migration from 1K Classic to 4K DESfire rather than a single moment in time where all existing 1K cards ceased to operate. Thus we worked on a plan whereby the ticketing supplier developed to read and write to both card types. This made our situation fairly unique as at that time the majority of ticketing systems being deployed around the world were being deployed from scratch with a specific card type.


We had some issues related to software deployment which we were working through at the time of the earthquakes. We also had the bus exchange, service centre and website deployment which we were working on at that time. The earthquakes, as you will appreciate, set us back a long way and the metrocard transition was dropped down the priority list a bit while we recovered the network.

On our ticketing suppliers side they continued to work on development to roll out the DESfire cards in other centres.


Re the research, it’s best that you investigate further to understand the full extent of what has been discovered.












From: James Turner [mailto:[email address]]
Sent: Monday, 16 September 2013 7:02 p.m.
To: David Stenhouse
Subject: Re: Private disclosure of vulnerability


I also have a couple of questions. 
You said you were already aware of the research done in Europe and are planning to switch to the desfire cards. when did you first learn of the vulnerabilities in mifare classic? I ask because it was reported in 2011 that metro cards would switch to desfire. Why didn't that happen?

You said what I informed you of has already been discovered and published in Europe, are you only referring to the research on mifare classic cards I cited in my initial email? Because if so, the three vulnerabilities I discussed are not covered in that research. If there is other research I'm not aware of please let me know as there is no point in publishing my findings if they are already public.



-----Original Message-----
From: David Stenhouse <[email address]>
To: '[email address]' <[email address]>
Cc: Darryl Gay <[email address]>
Sent: Fri, Sep 13, 2013 11:57 am
Subject: FW: Private disclosure of vulnerability


Thanks for advising us of your findings. We are already aware of the findings of the researchers in Holland and have several mitigation strategies in place. The primary strategy is to transition to the Mifare 4K DESfire card which has a greater level of security. Our ticketing system provider has developed the software to allow our on-bus devices to read and write to the 4K DESfire cards and this is currently undergoing Factory Acceptance Test before deployment with another city.

We are also able to identify transactions that are of the nature you describe through routine analysis of the ticketing system reports which we have available. Once transactions of the nature you describe are identified we can then hotlist the offending card.


We would be interested in the reason why you have a timeframe for releasing the information by 9th of November. Are you able to clarify this for us? We would also be interested in understanding why you have undertaken the research when it has already been undertaken and publicised in Europe?





David Stenhouse

Manager Passenger Services

Environment Canterbury


021 226 6987




From: James Turner [mailto:[email address]]
Sent: Saturday, 24 August 2013 3:50 p.m.
To: [email address]
Subject: Private disclosure of vulnerability


Private disclosure of vulnerability

Dear sir/madam

While conducting recent research, I have discovered a number of quite serious security issues with the Metro Card system.

Before getting into the details of the issues, I want to explain the nature and purpose of this communication. I am informing you as a courtesy, in the hopes that it will help you address the issues. It is not in any way intended as a threat.

At this point, I have not told anyone else of these issues, to avoid malicious parties exploiting the vulnerabilities before you can fix them; however, I have a hard deadline where I must publish my findings on 9th Nov 2013.

Another reason it is important to fix these issues as soon as possible is that there could be malicious parties already exploiting them.


1. Ability to arbitrarily increase/decrease credit on a Metro Card

2. Ability to add new unauthorised cards to the system

3. Ability to copy any other users card and use their credit



You will hopefully already know everything in this section, but I want to cover some background about the technology used by the Metro Card system.

The contactless card used for the Metro Card is called Mifare Classic. The Mifare Classic was first released in 1994, which means it is quite old now, at least by technology standards. 

Each Mifare Classic card is divided into 16 sectors of data. The system uses two authentication keys per sector to only allow authorised reader devices to access the data on the card; these are called A and B keys. This makes for a total of 32 keys per card. Most of the sectors on a card can be rewritten, however the first part of the first sector contains a special number called the UID, the UID is unique to each card and cannot be changed.

In 2008 researchers reverse engineered the Mifare Classic and were able to copy cards. For more details see http://en.wikipedia.org/wiki/MIFARE#MIFARE_Classic

The researchers found a number of weaknesses with the Mifare Classic system. One of the weaknesses allowed anyone with access to a card to retrieve the authentication keys used on the card. To do this however took significant time. There is another weakness where if an attacker already knows at least one key for one sector, they can retrieve all the remaining keys very quickly i.e. in less than a minute. This is called the nested attack.

There is also an important vulnerability involving the card reader device. The attack allows the keys used by the reader device to be retrieved if the attacker can record, snoop, the failed (or successful) authentication traffic between a card and reader. To read the details of these attacks see http://www.sos.cs.ru.nl/applications/rfid/2008-esorics.pdf

There are two notable tools which were used to take advantage of these weaknesses. The first is called a proxmark3; it is a general purpose reader/writer device. It also allows eavesdropping on other reader/card transactions.

The second device is called a magic Chinese card. These are special Mifare Classic cards which allow the UID to be changed; effectively making them appear to be any other card.



Vulnerability 1:

As you can see, the Mifare Classic system is very insecure. Using the first weakness listed above, we could retrieve the keys from any Metro Card in a number of hours, which would allow us to read the data stored on the card and to change the data.

This task is made harder by the fact the each metro card uses different keys, so we would need to rerun the attack for every card we wanted to access. However, every metro card uses the same A key for sector 0 i.e. FFFFFFFFFFFF, which means we can use the nested attack to find the keys for any metro card in under a minute.

This allows us to easily read and change the data on any Metro Card we have physical access to. Since the data on Metro Cards is not encrypted, it is easy to find and change the important values, such as the card etched number and the balance. It seems there is no online checking of balance when a card is presented to a reader, so changing the balance on the card will make the reader accept the new value. Worse is the fact that there seems to be no server side balance verification either, which means that changing the balance on a card also updates the balance stored by the server the next time the reader device on the bus is synced.

Vulnerability 2:

As mentioned there is another attack against Mifare Classic involving a reader device. With this attack we can get the keys a reader tried to authenticate with when it attempts to read a card. Using this attack we can present the reader with a blank Mifare Classic card and find out what keys the card should be programmed with to allow other Metro Card readers to access it, we can then format the card to appear to be a valid metro card and it will work just like a legitimate card i.e. we can add unauthorised cards to the Metro Card system and use the first issue described above to set whatever balance we want.


Vulnerability 3:

The final issue is that we can clone any other users Metro Card without ever having physical access to it. Each metro card has two different IDs, the number printed on the top left of the card, and UID.

Although there is a mapping from the card number to the UID, the UID is the id which the balance is associated with. By loading the url https://metrocard.metroinfo.co.nz/account/get_balance/card:<card number>?callback=x, where <card number> is any six digit number, the server will return the UID and balance for the card, if it is active. This means that we can get the card number, UID and balance for every card in the Metro Card system. Using one of the magic Chinese cards we can clone any card in the Metro Card system and use that user's credit. Because of the first vulnerability mentioned, when the owner of the card next uses the card, the system balance will be reset, in effect making the legitimate user commit fraud.




As mentioned above I have not told anyone else of these security issues, so that you have a chance to fix them before the public and any malicious parties become aware of them. I will be releasing all information related to this research on 9th Nov 2013. Although I won't release any details before then, the title/summary of this research will be released prior to the publication. It is therefore possible others may attempt to recreate what I have found. I suggest fixing these issues as soon as possible.


Companies and governments are informed about security issues everyday by independent researchers like myself, how you react to this information is of cause up to you, but below I outline the recommended response.

The professorial response to being informed about security issue in one's system is to thank the researcher, fix the issue as soon as possible, and then inform the researcher when it is safe to let the public know. The benefits to this type of response are: other researchers will feel comfortable about informing you if they find issues in the future. Good public relations as people see you fixing a problem as soon as you learn of it. 

I assume you have skilled technical staff that will be able fix these issues. If you need further advice you might think of asking me, although I happy to provide more details of what I have discovered in this research, I do not work for you and am under no obligation to help fix these issues. You might think of hiring me to do contract work, but that would be very inappropriate. If you do need technical advice on how to fix these issues, I recommend contacting Lateral Security (http://www.lateralsecurity.com) or Insomnia Security (http://www.insomniasec.com), both well respected local computer security companies.


Please respond to this email to confirm you received it.

Yours, James Turner



David Stenhouse
Passenger Services Manager
Environment Canterbury

Image removed by sender. Logo

021 226 6987
[email address]

PO Box 345, Christchurch 8140
Customer Services:
0800 324 636
Pollution Hotline:
0800 76 55 88
Image removed by sender. Facebook  Image removed by sender. Twitter  Image removed by sender. YouTube

Facilitating sustainable development in the Canterbury region





The information contained in this email message is intended for the addressee only and may contain privileged information. It may also be subject to the provisions of section 50 of the Policing Act 2008, which creates an offence to have unlawful possession of Police property. If you are not the intended recipient of this message or have received this message in error, you must not peruse, use, distribute or copy this message or any of its contents.

Also note, the views expressed in this message may not necessarily reflect those of the New Zealand Police. If you have received this message in error, please email or telephone the sender immediately