DEFCON 16: The Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems

Captions
Good afternoon, everybody. I'm Brenno de Winter and I would like to tell you a random story about technology we use in the Netherlands with these transportation cards. I'm a journalist and I started covering this case actually by accident, and I never wanted to cover it in the first place, but, you know, what happened: I was at a Chaos Computer Club event, and I'll tell you that in a second. I'm going to dive into it. I'm from the Netherlands. I started programming at the age of five. I focus, go figure, on security and privacy, and I write about it, I talk about it and I teach about it. If you want to know more about me, then buy me a beer; that always works. It worked yesterday, by the way.

And I want to say one thing on the record, and this is Article 10 of the European Constitution of Human Rights: everybody has the right to freedom of expression. This right should include freedom to hold opinions, to receive and impart information and ideas without interference by public authority, regardless of frontiers. And you guys, you know what, you've got one too.

So let's get started, and I want to take one step back. I came back last year to the Netherlands, and one day after DEF CON I found myself arrested for photographing somebody driving on a Segway. Why? Because the Segway is outlawed in the Netherlands, or it was outlawed in the Netherlands, and this one was driving, not this one, but this thing that I saw was driving through the train station of Utrecht. I felt like, oh cool, that's so cool for the blog of the magazine, right? So I took a picture. This guy went berserk, phoned the police, I was detained and they erased my photo. Boy, did I make a mistake. Together with the Federation of Journalists we sued the police, and guess what, within two weeks they apologized, they reimbursed me, blah blah blah blah blah, sorry sorry sorry. Then I came to the station of Amsterdam and I told this guy who I was, and he remembered the case too, in front of me, and he went, go ahead, take a picture. I love this man. But this was a wake-up call for me that we have to be vigilant for freedom of speech at all times. This is why I'm here.

Okay, last year at CCC, the conference, the Chaos Communication Congress, always held between Christmas and New Year's, yeah, I use Twitter, and they were short of goons, and goons in Germany are called angels. So I volunteered, and they said, like, can you do the Mifare talk? No way, I'm going to go to this other thing, I want to report on that. And they kept bugging me, like, we're really short of people, please do this. So I went to the stage, because they always announce who's talking, and I went like, these two guys, they cracked apparently RFID and it's kind of interesting, so guys, take the floor away. And I went down, sat in the room and was typing with my editor-in-chief, apologizing, and after the second slide I thought, oh, this is real, they've got a story, and this is a story to report. What did these guys do? They took the chips out of these cards, they scratched it off layer by layer, they photographed it and then started analyzing the cryptographic algorithm called Crypto-1, basically showing that security through obscurity does not work.

So what do we do? Because now here's a story, and to be honest, that might kill the company that's making the chip. So I found him, and when I was back I waited with the story. Normally you would report it right away, but I thought, let's be careful on this one. So on December 31st, when I was back, I found time and I went like, hey, this is Brenno de Winter from the Netherlands, I've got a question for you. And you know, just before New Year's Eve, that's not a nice question. So right after New Year's, January 2nd, I started publicizing it and thought, this is the end of it, this is it, done, nice story. And then the second comment by a reader was like, hey, do you know that this card is being used in the Dutch transportation card, the one that we are introducing, the one that we already spent more than a billion euros, that's like 1.6 billion dollars, on? So yeah, you go like, you know, that might be your story.

And then I started digging a lot more. You know, I started spending a lot of time on it, and I found out that we are also introducing a way of paying with your cell phone. It's called, these things with Near Field Communication, they use Mifare Classic, but it turns out they use something else in encryption. So you go out and you ask, why, you know, it's Crypto-1, aren't you happy with that? And they go like, well, you know, we don't trust it, it's kind of old, it's kind of closed, it's kind of unreliable. So they only used the Mifare part for the communications, and that part is kind of good. And then I found also that we have, at Shell, if you're at the Shell station, you drive in, you've got this payment system, you press a button, you give your PIN code, and that was Mifare Classic using Crypto-1.

Well, then, January 17th, group home have restated the obvious that security through obscurity does not work, and we kind of found it out. And then all of a sudden a second case started developing, and this is what we call in the Netherlands the house case, because this was a public bid. This story is a total sideline. It is important because I started to work with this other reporter and we started to file a whole bunch of Freedom of Information Act requests. I really hadn't done that before, but you know, 1.6 billion dollars, that is something you want to spend some time on and at least, you know, file some FOIAs. So I met them through this case; that's the angle in it. And the story went on, and I hope there are no Dutch in the room, and I know that at least two, because they are working with the transportation system that built these cards, and I want to give a big hand to them, because they basically said that I should go ahead and do this, and I think that's great. But here we are, we have these broken cards, something has to be done about this.

So what did they do? They started a research, a study, like, okay, what can we do with this card still? Is it broken? Should we replace it? And you know, this company called TNO, they started to study this and they said, you've got to replace the cards in two years. I always thought broken is broken and then you've got to replace it, but they thought we had still two years of time, because you needed to do a brute force attack, and that basically for them would say like, okay, that's so much work, we've got two years of heads up. Kind of a strange thing. And when this was presented I had something like, you know, this is not right, this is not correct. And then they said something else: there is no criminal business case in, you know, cloning these cards; you only can travel for free, so don't worry about it. If there's any damages, it's only damages for the company that runs the card. And you know, I know that's not what everybody thinks, but they weren't too worried about it. And together with that, the Secretary of Transportation announced a so-called attack plan, and that attack plan wanted to attack the negative image of the cards, so polish up, you know, the damage done by all these stupid journalists that basically make up all these stories.

At that point I had a hard time, because the company that did this study and the company that ordered the study is not government, and you can't use a Freedom of Information Act request on such a report. So what can you do? And then the Secretary announced a counter-expertise, so they would restudy the case and they would hire this London-based university, the Royal Holloway University of London. And that is kind of interesting, because if the Department of Transportation does it, that's the government, and that's something you can do something about. And before that study was published, the German attackers announced that they would publish parts of the algorithm, and on March 10th they did. And in mid-March something very interesting happens. All of a sudden there's this announcement: we can open doors with Mifare Classic. We've known that since last Friday; we found the Dutch Secret Service, they verified our attack, and the Dutch Secret Service has warned all the governments of befriended nations, and we label this a matter of national security. And that is kind of interesting: on one hand we have got a card that still can live for another two years, on the other hand the same technology to open doors is apparently an issue of national security. Well, they're right, it is, because you can walk into any ministry or department, basically do the Jedi wave, and the door will open.

I have a little movie to show this, and it's really a very, very simple attack. You can see, you know, I didn't have much time to prepare, so it's kind of chaotic, but there we go. You see, here's the guy from Nijmegen explaining that they made this little device, you can hold it in front of a reader and then it does its thing. I'm not going into the technical part. It does a magic thing: hold it in front of a door, cracks the key, now it's on there, don't you like these lights, and they do something magical, and all of a sudden you can clone cards, and what was once secure is no longer secure. And this is the highly secured data center. Oh, I'm not going to start all over again, don't worry.

So now we've got two storylines: we've got the doors and we've got the transportation cards. And slowly it starts to hit the United Kingdom that there might be an issue here. So MI5 starts to make announcements on the Oyster card, which is the same as the OV-chipkaart. And the Oyster card is basically the same card as they have in the United Kingdom, and basically those two companies are kind of sister companies, you know, they work together a lot, and the technology is the same, the system is the same, or similar. The Dutch one is a little bit more advanced, because they also use it in buses and stuff, and in trains they want to use it. But MI5 wants to use travel data to spy on their citizens, or no, sorry, to find terrorists. That raised for me the question: gee, would we do the same in the Netherlands?

Meanwhile there was this debate in Parliament on the door issue, and nearly unanimous, I think it was unanimous though, everybody agreed that the next system should be at least an open-source security system, because then you can repair it and then you can have a look at it. You know why? Because part of the TNO report that said that we still had two years of heads up was secret, and we still don't know what's in there. The company that's behind it, VIP, wouldn't release it. And in a second statement, and that is very interesting, our Minister of the Interior said, in response to a question of somebody of one of the Christian parties: you cannot silence researchers, they have a right to publish, they have a right to research, and the government is not there to stop them. This socialist woman is kind of cool, even though she's a socialist.

So I raised questions, and I was telling you about the Dutch Secret Service. Oh, I found that already: we've got two chambers, second chamber, first chamber. Already the second chamber passed the law that the secret service could gather intelligence on telephone data and on travel data. So my question was like, hey, this transportation card is coming up, they are storing the data for seven years, are you interested in that? No, they're not yet.

Then on April 12th came a big breakthrough. On April 12th the researchers of the Nijmegen university announced that they found a new way to attack the Mifare Classic in such a way that they can crack a key in seconds, and they think below 10 seconds. Or, as this researcher has numerous times explained to me, your iPhone will be your RFID device in the future, don't worry about it. So you can crack a card in seconds now, and now the whole ball game changes. Now I can stand in the bus, walk through the bus, and everybody that has a Mifare Classic card, I can clone it by having an iPhone in my pocket. I'm so sure that nobody here has an iPhone in their pocket, so this is of course purely theoretical. So things travel slowly that way.

Together with the new attack scenario, the same day, the report was released. This was kind of interesting: the Department of Transportation must have had the report at least for a couple of days, and they were supposed to release it around noon. Noon became one o'clock, two o'clock, three o'clock, four o'clock, five o'clock, six o'clock, 6:30 I got a short message on my cell phone: can you come to The Hague, because in 30 minutes there's a press conference. The Hague is over 80 miles away from me; I haven't developed that Jedi skill yet. So I went, you know, I was walking the dog, I was running home, because I was watching the press conference on the internet. And as soon as they published the report, I filed, together with the other journalists, my Freedom of Information Act request: could you please give me all the information related to the counter-expertise? Because if I do it like that, I automatically ask for all the information on the first report, because the second report was studying the first report. So this basically gives you all the information, and I can tell you later on we got it, and it was a pile like this. But we'll get to that in a second.

All the time so far the Secretary of Transportation has said TransLink, the company behind the card, is responsible for everything, I cannot change that, I cannot do anything. And all of a sudden it was like, I believe, one a.m. in the morning, somebody rang me out of bed and it went like, hi, I'm an anonymous source and I've got to tell you something. I sent you a link and you probably want to open it right now. So I went down, opened the link, and there was this report that stated that the Secretary of Transportation can, if she wants to, influence the Dutch railways: close all funding, like you have had an issue on the highways in the US, she can do that on the Dutch transportation system, and then only on the Dutch railways. But the Dutch railways have been funding, I guess, not sure, but I guess for about fifty percent of TransLink; they are like a 50-percent shareholder. I don't know this exactly, because they won't tell me, because they say it's none of my business. They've been funded, by the way, by public money, but that's a different story. And so if you close down the money to the Dutch railways, then basically, you know, you're influencing policies.

So I wrote this up, and then something very interesting happened: an emergency debate in Parliament, and they said we want to do a vote of no confidence. That vote was really determined by the opposition forces, the reigning parties, but one of the reigning parties said we have full support, we fully support the Secretary of State, but as of now, every step you take you've got to report to us. How much trust is that? So we call her now a lame duck, you know, among journalists, because everybody knows she will step down, and we don't know for what. It would have been cool, though, because that would have been the first time that somebody loses their job over a failed IT project and failed security. That would have been cool.

April 22nd, Mifare Plus is announced by NXP. NXP, the company behind it, used to be Philips, and they say, okay, we have the basic infrastructure, we have what we have, that's broken, we know that, we'll add AES encryption to it, so you have a smooth migration path. And now, very interesting, during one of the talks with NXP they said like, you know, if we would like to deliver this to the Netherlands, it will last probably about two years before we can deliver this. I heard that before. I'm not saying that it is, because I'm just purely speculating, but it might be.

On April 29th, totally as a surprise to me, I didn't know this was coming, this new report came out, and apparently we have somebody who is the public transportation ambassador, and this political woman, she made the report, and she basically said that if we want to save the cards, I would say, you know, fix the security, but basically she said, like, we have to be customer friendly. So we're solving security with customer friendliness now: I'm so sorry you lost your money on your card. And the second thing, and that was kind of interesting, she also wrote: privacy is not a root cause of concern until the media starts writing about it. At first that was my response, and I actually, you know, basically she was saying that Brenno and the other guy, Vincent, were the cause of it. So I was pretty offended. You know, secret report, all of a sudden it's there, and you know, it's an indirect personal attack. Then, you know, you drink a couple of beers and you think about it and you go like, no, she's right. People in the street do not need to know, if they have a payment system, they do not have to think about all the consequences. If you get on a bus you shouldn't be thinking, gee, that might even end up in a database for the next seven years. Have you been worried about cameras when you went to the toilet here? No, you don't. I mean, you don't want to worry about it. It's the role of the media indeed to put this on the agenda, to discover this and to write about it. So I didn't report about it, but I wrote a column about it, and I told basically that she was so right. And then she was offended. And maybe you remember April 29th, because that was the day that Hans Reiser was found guilty.

On June 5th we had all the information of the Freedom of Information Act request, and the report, the counter-expertise, was labeled 1.00. Now I was reading that and I thought, like, okay, I know this document. I turned it around and it was document 1.0. Now I went back and I looked at Microsoft, you know, whenever it's about security I look at Microsoft, and I saw Windows 3.0, Windows 3.1, Windows 3.11, and here I've got a report and it's labeled 1.0, and what, the nil, nil? That's strange. That would nearly raise the suspicion that they have something to hide. And indeed both reports were the very same. There are only three differences: two sentences and the final conclusion. The first one is that the Royal Holloway University feared a denial-of-service attack on the transportation system, and this, for me, was the most important sentence that disappeared. Why? Because that gives me the opportunity to make a criminal business case: if you give me 100 thousand euros, I will not disrupt the morning rush in Amsterdam. That is a criminal business case. This changes the entire report that was before. All of a sudden I can do something that makes it very interesting to abuse the cards; now the ball game has changed. The second thing was that a printer to make these cards, because, you know, you can clone the chip, but then you would still have a white card, but to copy this could be very cheap. You know, I checked eBay today, I checked on eBay and it's less than one hundred dollars if you're looking good, and that means that it would be interesting for a family of four. You know, a criminal business case doesn't have to be like massive anymore; you can do it, like, out of the comfort or the leisure of your own home. Both statements basically boiled down to a changed conclusion. The first conclusion was: if we were you, I would basically cease the current project, get a new card and then start over and, you know, move on, which from a security perspective to me makes sense. The new conclusion was: you know what, carry on what you're doing, but do start, and I must say, to be honest to them, I must say they did state, do start to change to new cards as soon as possible. But the difference is fundamental: cease and then continue, or continue and then replace. You know, that's a big difference, and if you have a Secretary of Transportation that nearly lost her head politically, that's a very big difference.

So I was writing this up, and then I got a very negative response by the Department of Transportation, and of course you can expect a negative response, but also very emotional, like, we did not, you know, we didn't do this. And they showed me extra documents, and that basically indicated that they started a very thorough procedure to select the university that was doing the counter-expertise. They hired even this company for it; that's kind of strange. And then what I found out is that the Royal Holloway University is advising Transport for London, and Transport for London is the company behind the Oyster card, and the Oyster card is the sister card of the Dutch OV-chipkaart. But you know, that's not a smoking gun. Neither is the smoking gun that the guy who wrote the report used to work for Philips, so to say the division that's now NXP, because he wasn't involved in smart cards back then. Neither in itself is it a smoking gun when your company receives, or your university receives, money from Transport for London to do XY research for them. But you know, it starts to get itchy at the moment that somebody is part of the board of Transport for London. You know, with journalists that raises questions. So I'm not saying that they did force the conclusions; maybe something else happened, maybe they did get scared about the denial-of-service attack, and I'll say in a second why they should be afraid of that. But it does raise questions, and at least it might have happened, you know, by being over enthusiastic.

On June 18th there was this session in Parliament, and two things were discussed there. One of that, this was the Nijmegen researchers, they were like hurt, and they had to make a formal statement on what they did, how they did it, blah blah blah blah blah. And then all of a sudden they asked, like, did you apply your research in any other city anywhere in the world? Kind of a strange question all of a sudden, but their answer was like, oh yes, we were on holiday in London and we travelled the Tube for free for a day, but we had to figure out which card to use, because the first card kind of ruined the first gate. And later on, you know, when you start to hear the stories and you start digging into this, they explained that the first gate went down and they didn't think much of it; the second gate went down, and at the third gate: don't do that, don't do that. And they realized they basically had a denial of service. I'll make a jump in time, because within a month Transport for London decided to surface, to deploy, a new patch, and that was on July 15th. And this patch basically was meant to resolve the issue, although all the gates went down, and the people that were using the gates anyhow, you know, holding the card in front of it, the cards were damaged, they had to replace them. On that Saturday morning, or at least on the only Saturday morning, over 40,000 cards were ruined. This is your denial-of-service attack. I'm not emotional, by the way, I'm just trying to shout, probably the beer that I had yesterday.

So all of a sudden there is this situation now, you know, we have this real-life scenario, it's happening for real in London, and it didn't happen in the Netherlands because we are not using this officially yet. The system is only in use in Rotterdam, and in Amsterdam it's being tested on the subway, and the Dutch railways haven't jumped on the bandwagon. It's kind of remarkable if you're the number one sponsor; I think they're really afraid to do so. At this point there is no emergency plan. So if you were to roll it out fully, well, what is still the plan, the ambition, then if it were really broken, you know, if a denial-of-service attack or open source tools would surface or anything of that were to happen, then we wouldn't have a plan, a contingency plan. So what are you supposed to do then? The Secretary of Transportation demanded that there is a contingency plan, and as far as I'm aware, just before I left I verified, and they don't have one yet, but they're supposed, they're due to deliver that next week or the week thereafter, so they should think of something. I, by the way, gave the department free advice. I would say, like, you know, in case of emergency, go for paper.

On June 20th the University of Nijmegen announced that they are starting an open source project to make a secure smart card, and that has been funded by NLnet, to do it in a secure and privacy friendly way. At this point, if you want to have a discount in the Netherlands, this is my discount card, gives you a rebate of forty percent, so kind of interesting, you cannot have it anonymous, even though you can think of systems that you could do it anonymous. I mean, you could have two cards and, you know, put your ticket on this one, and then when the train conductor comes by you show this as proof, and then basically that would work. But the Dutch railways don't want to go that route yet. I know of somebody who is planning to sue, so I think that, given European regulations, they might have to adjust that part of the system.

On July 10th I did a lot of research on, oh sorry, a minor detail. On July 8th NXP started a lawsuit against the Nijmegen researchers. They were suing the university and they were suing the professor that is doing the research. Basically what they were trying to get is a temporary restraining order, that means that you are not allowed to do something, and they were not allowed to publish their results in October, because this would be a real nightmare for national security and it would be a real nightmare for all the companies that use Mifare Classic. Of course I would have loved to have gone to that lawsuit, to the trial, but by a really big exception, given the national security interest, it was all behind closed doors, because, you know, it's all about the closed protocol, and if that leaks out then basically the security is gone. Basically this is why security through obscurity doesn't work; we all know that.

So I started digging in another way, because if you can't come to a party, you have to create a party yourself. And I started doing a lot of research and found that since 2004 Chinese vendors have been selling clones of the smart cards and the readers. So all this time Chinese people have been able to clone, to get access to, the departments, like the Department of the Interior and military installations, and you name it. That's kind of scary. I phoned the Dutch Secret Service and I asked them: have you known this, and how long have you known this? And they went like, you know what, we'll get back to you. And then they phoned me back, like, why do you want to do it? And I always try to be, no, I always try to be as fair as possible, so I said, like, well, if you've known it for years, you've ignored a very big security risk, and if you haven't known it, why didn't you know? You know, that's why you're a secret service. And they took another four days or three days, I'm not sure, and they came back like: after the Nijmegen demonstration was given, NXP basically gave us this information. This part of their statement I know for a fact is not true, and if there's anybody of the Dutch Secret Service here, don't be offended, because I fully understand why you didn't tell me. But I've heard from multiple sources that after the Nijmegen University researchers showed that demonstration, like one or two weeks later, basically the Dutch Secret Service went to NXP and they went like: you are going to give us Crypto-1. No, no, it's like corporate secrets. We are telling you national security interests: you're going to give it to us. And apparently, you know, without too much lawyer work, they were so bullied that they gave it all. So I have to hand it to the Dutch Secret Service, I think that is awesome.

But I told you about the Oyster crash, and then on July 18th something important happened: the verdict came in. I have to remind you, because I told you about the Minister of the Interior telling me that she was standing behind the researchers. Pure coincidence: on July 7th I asked the Department of the Interior if they still were standing by this statement, and they said yes. One day later the lawsuit came, and it was kind of handy to use that in the article, like, the Minister of the Interior... I've got to tell one thing: when this thing in Parliament was going down and the debate was finished, I was walking towards the Minister of the Interior, and she walked towards me and she went, like, you little troublemaker, like, yeah, good going, boy. And I thought that was kind of cool. So they were, like, totally cool about it, especially the Department of the Interior was, and they were very, very proactive in solving it.

But now the verdict came in. What do you think the judge said? Did they give the Nijmegen researchers a temporary restraining order? Of course not. Remember the first slide: in the Netherlands we've got freedom of speech, and that's what the judge said. You know, NXP, you've got freedom of speech in this country, you cannot silence researchers, the judge said. No, you know what else the judge said: NXP, if you're making a faulty product and it doesn't work, that's your problem, and it's not the messenger's problem. I could understand that. And the last thing the judge did was he wrote down, or they wrote down, everything that happened, like on a highlight, on a high line in the courtroom, so everything was behind closed doors, but every journalist had access to it all of a sudden. So what they wanted to try to keep away from us, and they wouldn't respond to words about it, blah blah blah, all of a sudden was out there in the open. So I asked NXP, are you going to appeal this verdict? And then, like, not really.

So this is what we've been up to in the Netherlands. Currently we're rolling out a system that we know is kind of flawed. I know that they are looking at different cards, but of course, you know, it's such a fundamental part of the system that it is kind of hard to do. I must also state that the company TransLink has never, ever, ever bullied me. They've never, ever, ever stood in my way in any way, shape or form. Of course they did sometimes say that we are not going to answer questions; that is their given right, of course. But they never ever stood in my way. I know that in some countries, you know, that is different, and I know that in some countries, like the United Kingdom, it is very hard to get a response at all. I've heard that TransLink was actively sometimes pointing me, like, hey, did you see this? So on one hand, you know, you're the difficult reporter that is following them; on the other hand, you know, they're the grown-up people that deal with it in a grown-up way, and I think that's cool.

And then what will happen in the future? Well, I know two things. In October the study will be published by the Nijmegen university researchers. Then it's okay, I was nearly done, so that's kind of cool. The Nijmegen researchers will publish the findings, and then we can crack Mifare Classic cards all over the world in a matter of seconds. I guess that will be perfected over time. I cannot imagine that it would take longer than three or four weeks to have open source tools on the market, and I wouldn't be surprised if they would surface before that. If anybody in the room is using Mifare Classic at this moment, this is your final wake-up call, this is your final heads up: you've got two months left, and if you haven't done anything, you're screwed. Second thing that I know is that we will get the, we won't get this transportation card ultimately, and we will go for a different system.

Now, I've talked quite long, so I think I have only a few minutes left for questions. After that we can go in the Q&A room. Again, I'm pretty technical, but I've been advised by several lawyers not to go into technical details of the Mifare Classic, but anybody has access to Google. Any questions?

Sorry, I couldn't hear that. Are the tools you need expensive? Now, the card, oh no, no, that's like one or two euros. And because there's a unique identifier there and they would register the unique identifier, that is registered to a name. They did make some privacy safeguards, but, you know, for law enforcement that would be kind of interesting. Think about what the issue is with that: if I can clone your card, you know, I can make you look suspicious, and that kind of ruins your day. Anything else? Yeah, oh, how much does the equipment in China cost? I don't know exactly. I sent them a couple of emails, and what I found was that they will only discuss large numbers. I also asked them, is it possible to buy totally blank cards without any factory identifier, and they only would talk about it in person. I would like to add one thing I forgot to tell, and all of a sudden I remember: in Canada, in Canada there is a report available that you can buy with all the information. It's about sixty thousand dollars. Anybody else? Well, that kind of sums it up. Thank you.
Info
Channel: Christiaan008
Views: 7,828
Rating: 4.92 out of 5
Keywords: attacks, mit, systems, subway, weaknesses
Id: amTB19V_sqg
Length: 43min 35sec (2615 seconds)
Published: Mon Jan 17 2011