Dutch Public Transit Card Broken
RFID replay attack allows free travel in The Netherlands
If all goes well, the Dutch public transit system will soon use special plastic tickets with an
embedded RFID chip to allow passengers to use all the train, subways, trams, and
buses throughout the entire country without having to buy individual tickets.
There are two kinds of tickets: the "normal" one, which Dutch residents will
use, and a single-use ticket aimed mostly at tourists. With the normal one,
people load money onto the RFID chip on the ticket in advance. Whenever
they enter a train, tram, subway, or bus, they hold the card near an RFID reader
at the entrance, which records on the card where the journey began. When they leave
the system, they hold the card near another reader, which is connected to a
computer that determines the cost of the journey and debits that amount
from the money stored on the card. Optionally, passengers can also give the transit authorities
their bank account number so that when the amount of money on the card
dips below a certain threshold, it is automatically reloaded. In this way a
person can travel anywhere in the country without ever having to stand in line to buy a
ticket again.
The single-use ticket can be purchased from vending machines and is anonymous
and good for a single ride. The cost per kilometer is higher than for the normal
ticket and no discount is available for senior citizens.
The normal card uses the Mifare Classic chip, which uses cryptography to
protect the money stored on it. The single-use card uses the Mifare Ultralight,
which has no cryptography at all. Recently, students and hackers have
launched successful attacks on both of these cards.
The first reported attack was designed by two students at the University of Amsterdam,
Pieter Siekerman and Maurits van der Schee. They analyzed the single-use ticket and
showed its vulnerabilities in a report.
They also showed how a used single-use card could be given eternal life by
resetting it to its original "unused" state. For this work they won the
Joop Bautz award.
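The "reset to unused" attack is possible because a card without cryptography is just memory that anyone with a reader can dump and write back. The model below is an added example (not the students' code, and not the real layout of the Dutch ticket) of a single-use ticket stored on an Ultralight-style tag with 16 freely writable 4-byte pages. It assumes a toy scheme that keeps a rides-left counter in page 4, a constructed reader key, and a made-up MAC page 5. It shows three things a practitioner would want to see: the plain counter is rolled back by restoring a dump; a keyed MAC over the counter stops an attacker from writing a larger counter but does not stop a rollback to an earlier, genuinely valid snapshot; and a monotonic element, here modelled after the Ultralight's one-time-programmable page whose bits can be set but never cleared, does defeat the rollback. Whether the Dutch ticket used that OTP page is not something this page says.

```python
import hmac
import hashlib

NUM_PAGES = 16
OTP_PAGE = 3    # modelled after the Ultralight's OTP page: bits only ever go 0 -> 1
COUNT_PAGE = 4  # this toy scheme keeps its rides-left counter here (assumption, not the real layout)
MAC_PAGE = 5    # the keyed-MAC variant keeps a 4-byte tag here (assumption)
KEY = b"constructed-reader-secret"  # known to the gates and vending machines, not to the card


class Tag:
    """16 pages of 4 bytes, all readable and writable by anyone holding a reader/writer.
    With otp=True, writes to OTP_PAGE are OR-ed in, so a set bit can never be cleared."""

    def __init__(self, otp=False):
        self.pages = [bytearray(4) for _ in range(NUM_PAGES)]
        self.otp = otp

    def read(self, page):
        return bytes(self.pages[page])

    def write(self, page, data):
        if self.otp and page == OTP_PAGE:
            data = bytes(a | b for a, b in zip(self.pages[page], data))
        self.pages[page][:] = data

    def dump(self):
        return [self.read(p) for p in range(NUM_PAGES)]

    def restore(self, snapshot):
        """The attacker's move: write a dump taken while the card was unused back onto it."""
        for page, data in enumerate(snapshot):
            self.write(page, data)


def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:4]


def issue(tag, rides, mode):
    """Vending machine: encode `rides` on the tag with the chosen scheme ("plain", "mac" or "otp")."""
    if mode == "otp":
        # thermometer code: pre-burn (32 - rides) bits; every ride burns one more
        tag.write(OTP_PAGE, ((1 << (32 - rides)) - 1).to_bytes(4, "big"))
    else:
        tag.write(COUNT_PAGE, rides.to_bytes(4, "big"))
        if mode == "mac":
            tag.write(MAC_PAGE, mac(tag.read(COUNT_PAGE)))


def rides_left(tag, mode):
    if mode == "otp":
        return 32 - bin(int.from_bytes(tag.read(OTP_PAGE), "big")).count("1")
    return int.from_bytes(tag.read(COUNT_PAGE), "big")


def ride(tag, mode):
    """Gate: grant one ride and consume it, or refuse. Returns True if the ride was granted."""
    if mode == "mac" and not hmac.compare_digest(mac(tag.read(COUNT_PAGE)), tag.read(MAC_PAGE)):
        return False  # counter bytes do not match the MAC: tampered
    if rides_left(tag, mode) <= 0:
        return False
    if mode == "otp":
        burned = int.from_bytes(tag.read(OTP_PAGE), "big")
        tag.write(OTP_PAGE, (((burned << 1) | 1) & 0xFFFFFFFF).to_bytes(4, "big"))
    else:
        issue(tag, rides_left(tag, mode) - 1, mode)  # rewrite the counter (and MAC)
    return True


def rollback_attack(mode, rides=1):
    """Buy a ticket, dump it, use one ride, restore the dump, and try to ride again.
    Returns (first ride granted, rides left after the restore, second ride granted)."""
    tag = Tag(otp=(mode == "otp"))
    issue(tag, rides, mode)
    unused = tag.dump()                 # attacker reads the fresh card with any reader
    first = ride(tag, mode)             # legitimate ride
    tag.restore(unused)                 # attacker writes the dump back
    return first, rides_left(tag, mode), ride(tag, mode)


def forge_attack():
    """Write a bigger counter directly, without the key: only the MAC variant refuses it."""
    results = {}
    for mode in ("plain", "mac"):
        tag = Tag()
        issue(tag, 0, mode)
        tag.write(COUNT_PAGE, (99).to_bytes(4, "big"))
        results[mode] = ride(tag, mode)
    return results


if __name__ == "__main__":
    for mode in ("plain", "mac", "otp"):
        print(mode, rollback_attack(mode))
    print("forge", forge_attack())
```

The MAC result is the one worth remembering: authenticating the stored value with a secret the card never holds only binds the bytes to each other, not to time, so the old snapshot remains a perfectly valid message. Resisting rollback needs state that can only move one way (OTP bits, a monotonic counter the card enforces, or a ledger kept on the back end rather than on the card).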
The next attack was on the Mifare Classic chip, used on the normal ticket.
Two German hackers, Karsten Nohl and Henryk Plötz,
removed the chip's layers and photographed the internal circuitry.
By studying the circuitry, they were able to deduce the secret cryptographic algorithm used
by the chip. While this alone does not break the chip, it certainly gives future hackers a stepping stone
on which to stand.
On Jan. 8, 2008, they released a statement
about their work.
The idea of keeping the design of a security system secret is known in the trade as
"security by obscurity".
Long experience has shown it almost never works, because the secret invariably leaks out and then the
security is gone. All serious security professionals now believe in
Kerckhoffs's principle,
the idea that the design of a security system should be fully public, with all the security residing
in a secret key, which, unlike the algorithm, can be replaced if it is compromised. This idea was first published by the Dutch-born cryptographer Auguste Kerckhoffs in 1883.
If the Mifare Classic card is soon broken, it will be due to the designers' failure to adhere to Kerckhoffs's principle.
The third attack on the Dutch transit ticket was again on the single-use Mifare Ultralight card. It was done by
Roel Verdult, an MSc student at the Radboud University Nijmegen. Roel built
an RFID tag emulator and used it to perform a successful, practical relay attack on the
Ultralight card. He gained instant national publicity when he demonstrated his attack on national
television on Jan. 14, 2008.
Roel's homemade tag emulator was modeled after Kfir and Wool's
"ghost and leech" and performs a simple relay attack: the ghost talks to the reader, the leech talks to a
genuine card somewhere else, and the two simply forward each other's messages. However, anyone can
perform the same attack using Melanie Rieback's RFID Guardian, whose open-source hardware and software design is freely available at
www.rfidguardian.org.
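Because the ghost and leech forward the genuine reader's and the genuine card's bytes unchanged, a relay works whether or not the card has cryptography; on the Ultralight there is not even a response to forge. The simulation below is an added example (not Roel Verdult's emulator, not Kfir and Wool's hardware, and not the RFID Guardian) that makes that point with a card that does authenticate, using a constructed shared key and UID, an HMAC-based challenge-response standing in for whatever a real card would run, and assumed one-way delays of 1 ms over the air and 40 ms over the attacker's link. Time is simulated so the result is deterministic. A reader that checks only the cryptography accepts the relayed session; a reader that also bounds the round-trip time refuses it.

```python
import hmac
import hashlib
import secrets

KEY = b"constructed-shared-secret"   # sample key known to the genuine card and the reader
CARD_UID = b"\x04\xa1\xb2\xc3"       # constructed UID

# Simulated one-way delays in milliseconds (assumptions for this model)
RF_LINK_MS = 1.0       # reader <-> tag over the air
RELAY_LINK_MS = 40.0   # ghost <-> leech over the attacker's back-haul


class Clock:
    """Simulated time so the example runs deterministically."""

    def __init__(self):
        self.now_ms = 0.0

    def sleep(self, ms):
        self.now_ms += ms


class Card:
    """Genuine tag: proves possession of KEY by answering the reader's nonce.
    A relay never needs this key; it only carries the nonce there and the answer back."""

    def __init__(self, uid, key):
        self.uid, self.key = uid, key

    def respond(self, nonce):
        return hmac.new(self.key, self.uid + nonce, hashlib.sha256).digest()[:8]


def direct_channel(card, clock):
    """Card held at the gate: one RF round trip."""
    def exchange(nonce):
        clock.sleep(RF_LINK_MS)
        answer = card.respond(nonce)
        clock.sleep(RF_LINK_MS)
        return card.uid, answer
    return exchange


def relay_channel(card, clock):
    """Ghost at the gate, leech next to the victim's card: the same bytes, forwarded
    over a long link in each direction. Nothing is decrypted or modified."""
    def exchange(nonce):
        clock.sleep(RF_LINK_MS)        # gate -> ghost
        clock.sleep(RELAY_LINK_MS)     # ghost -> leech
        clock.sleep(RF_LINK_MS)        # leech -> victim's card
        answer = card.respond(nonce)   # the genuine card answers the genuine nonce
        clock.sleep(RF_LINK_MS)        # card -> leech
        clock.sleep(RELAY_LINK_MS)     # leech -> ghost
        clock.sleep(RF_LINK_MS)        # ghost -> gate
        return card.uid, answer
    return exchange


def gate_check(exchange, clock, key, max_rtt_ms=None):
    """Reader logic. Returns (verdict, round trip in ms); verdict is 'ok', 'bad-response'
    or 'too-slow'. max_rtt_ms=None models a reader that checks only the cryptography."""
    nonce = secrets.token_bytes(8)
    start = clock.now_ms
    uid, answer = exchange(nonce)
    rtt = clock.now_ms - start
    expected = hmac.new(key, uid + nonce, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(answer, expected):
        return "bad-response", rtt
    if max_rtt_ms is not None and rtt > max_rtt_ms:
        return "too-slow", rtt
    return "ok", rtt


def run(relayed, max_rtt_ms=None, card_key=KEY):
    """One gate transaction against a card with `card_key`, relayed or held at the gate."""
    clock = Clock()
    card = Card(CARD_UID, card_key)
    channel = (relay_channel if relayed else direct_channel)(card, clock)
    return gate_check(channel, clock, KEY, max_rtt_ms)


if __name__ == "__main__":
    print("direct, crypto only   ", run(False))
    print("relayed, crypto only  ", run(True))
    print("relayed, 10 ms bound  ", run(True, max_rtt_ms=10))
    print("wrong key, direct     ", run(False, card_key=b"wrong-key"))
```

The millisecond figures are only there to make the mechanism visible; a relay over a fast link, or a reader with slack timing, shrinks the gap, which is why real relay-resistant designs (distance-bounding protocols) time the exchange at the level of the radio round trip itself rather than at the protocol level shown here.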
Given that the government has invested about $2 billion in this new system,
the country was instantly in an uproar and a huge amount of media attention followed.
It has been on the front page of every newspaper in the country all week, in one case
under the front-page headline "OV-shitkaart" (OV is the abbreviation for public transit and kaart
means card; the rest is not easily translatable).
The company that designed the system for the government, Trans Link Systems, initially pooh-poohed the three attacks but has
since come to realize that it may have a problem.
It has also issued several press releases, which can be found here, here, and here.
Researchers from RU and VU testified before Parliament on 16-17 Jan. 2008. The photo on the right below
shows Flavio Garcia (RU), Roel Verdult (RU), Ruben Muijrers (RU), and Melanie Rieback (VU) standing. In front of
them are Wouter Teepe (RU) and Rop Gonggrijp.
During the Parliamentary debate, a member of Parliament from the GroenLinks party, Wijnand Duyvendak, said (translated into English):
"The debate about the OV-Chipcard is symbolic, as we discovered
yesterday at the hearing, for the choice: open or closed software.
The bankruptcy of closed source software shone solidly in the limelight
yesterday. GroenLinks [a Dutch political party] has urged for a long
time that the government should work with open-source software.
Yesterday it became painfully obvious that we may pay a high price due to
the fact that this advice was not followed for the OV Chipcard. It seems
like the responsibility for the risks surrounding the use of closed
secret software has not been accepted in any fashion."
An English-language description of Roel's attack is available here.
An official press release describing the meeting between security experts from Radboud Universiteit and Vrije Universiteit
and people from Trans Link Systems is available in
English
and in
Dutch.
The researchers also released their own statement in
English
and
Dutch.
In March 2008, researchers from the Radboud Universiteit Nijmegen
reimplemented Karsten Nohl and Henryk Plötz's brute-force attack against
MIFARE Crypto-1 by cryptographic rather than hardware-based means.
They released a press release
(http://www.sos.cs.ru.nl/applications/rfid/pressrelease.en.html)
and a proof-of-concept video
(http://www.youtube.com/watch?v=NW3RGbQTLhE&eurl=http://www.sos.cs.ru.nl/applications/rfid/main.html)
demonstrating the cloning of access passes from their university.
Other links can be found below. Many are in Dutch but Google has a
translation service that may help.
Newspaper articles
Radio and Television broadcasts
Online news outlets
Blogs and Miscellaneous
Cartoons
If you have more links, please let me know.
-- Andy Tanenbaum