<!--[if gte mso 9]><xml> <o:shapedefaults v:ext="edit" spidmax="1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext="edit"> <o:idmap v:ext="edit" data="1" /> </o:shapelayout></xml><![endif]-->
If you can get back to me as soon as you can that’d be great.
From: Erhart, Ulrich [mailto:[email address]]
Sent: Monday, 9 September 2013 9:47 p.m.
To: David Stenhouse
Cc: Gorenflo, Bernd; Wirthmann, Michael
Subject: AW: Private disclosure of vulnerability
got your email; will trigger to meet internally and see if I can provide a milestone plane for the migration.
After briefly talking to Michael, we think, that at least it would be possible to detect Metrocard fraud
from the back office side of the system and block the cards.
We meanwhile moved on with the development of our card portfolio.
I want to let you know, that these days we successfully passed a FAT with a system,
where we use DESfire cards for ticketing. Now we want it to be deployed to see, if everything works fine.
The ECAN migration will benefit from this.
Von: David Stenhouse [mailto:[email address]]
Gesendet: Montag, 9. September 2013 08:34
An: Erhart, Ulrich
Cc: Gorenflo, Bernd
Betreff: FW: Private disclosure of vulnerability
Can you please give me a timeframe for the introduction of 4K DESfire cards into Christchurch and Timaru. Per the email, we’ve known of the risk from the PHD student in Holland but this is the first time that someone local has highlighted it. I’d like to be able to give a timeframe to our Commissioners to at least demonstrate that we are down the track of mitigating the risk.
Sent: Monday, 26 August 2013 10:15 a.m.
To: David Stenhouse; Darryl Gay
Subject: FW: Private disclosure of vulnerability
Hi Guys .. received this Saturday
Private disclosure of vulnerability
While conducting recent research, I have discovered a number of quite serious security issues with the Metro Card system.
Before getting into the details of the issues, I want to explain the nature and purpose of this communication. I am informing you as a courtesy, in the hopes that it will help you address the issues. It is not in any way intended as a threat.
At this point, I have not told anyone else of these issues, to avoid malicious parties exploiting the vulnerabilities before you can fix them; however, I have a hard deadline where I must publish my findings on 9th Nov 2013.
Another reason it is important to fix these issues as soon as possible is that there could be malicious parties already exploiting them.
1. Ability to arbitrarily increase/decrease credit on a Metro Card
2. Ability to add new unauthorised cards to the system
3. Ability to copy any other user�s card and use their credit
You will hopefully already know everything in this section, but I want to cover some background about the technology used by the Metro Card system.
The contactless card used for the Metro Card is called Mifare Classic. The Mifare Classic was first released in 1994, which means it is quite old now, at least by technology standards.
Each Mifare Classic card is divided into 16 �sectors� of data. The system uses two authentication keys per sector to only allow authorised reader devices to access the data on the card; these are called A and B keys. This makes for a total of 32 keys per card. Most of the sectors on a card can be rewritten, however the first part of the first sector contains a special number called the UID, the UID is unique to each card and cannot be changed.
In 2008 researchers reverse engineered the Mifare Classic and were able to copy cards. For more details see http://en.wikipedia.org/wiki/MIFARE#MIFARE_Classic
The researchers found a number of weaknesses with the Mifare Classic system. One of the weaknesses allowed anyone with access to a card to retrieve the authentication keys used on the card. To do this however took significant time. There is another weakness where if an attacker already knows at least one key for one sector, they can retrieve all the remaining keys very quickly i.e. in less than a minute. This is called the �nested attack�.
There is also an important vulnerability involving the card reader device. The attack allows the keys used by the reader device to be retrieved if the attacker can record, �snoop�, the failed (or successful) authentication traffic between a card and reader. To read the details of these attacks see http://www.sos.cs.ru.nl/applications/rfid/2008-esorics.pdf
There are two notable tools which were used to take advantage of these weaknesses. The first is called a �proxmark3�; it is a general purpose reader/writer device. It also allows eavesdropping on other reader/card transactions.
The second device is called a �magic Chinese card�. These are special Mifare Classic cards which allow the UID to be changed; effectively making them appear to be any other card.
As you can see, the Mifare Classic system is very insecure. Using the first weakness listed above, we could retrieve the keys from any Metro Card in a number of hours, which would allow us to read the data stored on the card and to change the data.
This task is made harder by the fact the each metro card uses different keys, so we would need to rerun the attack for every card we wanted to access. However, every metro card uses the same A key for sector 0 i.e. FFFFFFFFFFFF, which means we can use the �nested attack� to find the keys for any metro card in under a minute.
This allows us to easily read and change the data on any Metro Card we have physical access to. Since the data on Metro Cards is not encrypted, it is easy to find and change the important values, such as the card etched number and the balance. It seems there is no online checking of balance when a card is presented to a reader, so changing the balance on the card will make the reader accept the new value. Worse is the fact that there seems to be no server side balance verification either, which means that changing the balance on a card also updates the balance stored by the server the next time the reader device on the bus is synced.
As mentioned there is another attack against Mifare Classic involving a reader device. With this attack we can get the keys a reader tried to authenticate with when it attempts to read a card. Using this attack we can present the reader with a blank Mifare Classic card and find out what keys the card should be programmed with to allow other Metro Card readers to access it, we can then format the card to appear to be a valid metro card and it will work just like a legitimate card i.e. we can add unauthorised cards to the Metro Card system and use the first issue described above to set whatever balance we want.
The final issue is that we can �clone� any other user�s Metro Card without ever having physical access to it. Each metro card has two different IDs, the number printed on the top left of the card, and UID.
Although there is a mapping from the card number to the UID, the UID is the id which the balance is associated with. By loading the url https://metrocard.metroinfo.co.nz/account/get_balance/card:<card number>?callback=x, where <card number> is any six digit number, the server will return the UID and balance for the card, if it is active. This means that we can get the card number, UID and balance for every card in the Metro Card system. Using one of the �magic Chinese cards� we can clone any card in the Metro Card system and use that user's credit. Because of the first vulnerability mentioned, when the owner of the card next uses the card, the system balance will be reset, in effect making the legitimate user commit fraud.
As mentioned above I have not told anyone else of these security issues, so that you have a chance to fix them before the public and any malicious parties become aware of them. I will be releasing all information related to this research on 9th Nov 2013. Although I won't release any details before then, the title/summary of this research will be released prior to the publication. It is therefore possible others may attempt to recreate what I have found. I suggest fixing these issues as soon as possible.
Companies and governments are informed about security issues everyday by independent researchers like myself, how you react to this information is of cause up to you, but below I outline the recommended response.
The professorial response to being informed about security issue in one's system is to thank the researcher, fix the issue as soon as possible, and then inform the researcher when it is safe to let the public know. The benefits to this type of response are: other researchers will feel comfortable about informing you if they find issues in the future. Good public relations as people see you fixing a problem as soon as you learn of it.
I assume you have skilled technical staff that will be able fix these issues. If you need further advice you might think of asking me, although I happy to provide more details of what I have discovered in this research, I do not work for you and am under no obligation to help fix these issues. You might think of hiring me to do contract work, but that would be very inappropriate. If you do need technical advice on how to fix these issues, I recommend contacting Lateral Security (http://www.lateralsecurity.com) or Insomnia Security (http://www.insomniasec.com), both well respected local computer security companies.
Please respond to this email to confirm you received it.
Yours, James Turner