ButtUgly: Main_blogentry_220912

Radio Eyes

The story is making rounds about someone finally figuring out that you can just make a copy of a public transport ticket with an NFC phone, then use the ticket, then reset the ticket to its original state by writing the original content to it with the same NFC phone.

You can claim that this is a big security vulnerability, but in fact it really isn't. It's the equivalent of a public transport company issuing paper tickets using regular printer paper, and then punching a hole to it when it's used. You can make a photocopy of the ticket you received, and just keep making more photocopies and throw away the punched ones.

There was no security in the first place, so it's not a security breach. The only reason nobody figured this out earlier was the fact that nobody had cheap, ubiquitous NFC readers available - Radio Eyes, I call them. You've already got two perfectly good EyeBall Mk2 Photon Detection Engines installed by default, so figuring out that there's no security in a printed A4 you can put through a copy machine isn't really a big brain exercise. Calling it a security breach would be like calling stealing candy from a kid the "greatest crime since Enron."

This is an example of a technical term called "security through obscurity", which is the rather dubious practice of just making stuff hard to find instead of actually protecting things through algorithms. And I'm pretty sure a lot of the other early NFC ticket/card manufacturers have made the same mistake as the Amsterdam PTA. [Fun fact: the Ultralite cards are manufactured by NXP, Nee Philips Semiconductors, a Dutch company. And this particular trick with the travel cards has been "exposed" at least once before - though at that time you couldn't download an App to get the free trips...]. The ISO-14443 family of standards, which is the basis for NFC, has been around for a very long time, and there's a metric fuckton of still operational systems out there whose developers probably never thought an inch about security, because "it was just going to be for our use only."

In a world where everyone can have radio eyes, and you can download an app to open them for you, you just can't continue relying on obscurity.

A lot more of these coming your way soon.

Updating the story now that kids are out with their mom... As an example, this tag is on the front door of the house. My N9 tells me that it's a "Type 2 Tag", which in other words means it's a Mifare Ultralite. Now, if the developers never bothered to make it read-only, anyone could just use their phone to overwrite the contents with links to say, cat pictures.

Also, I finally found the link to the original hack of the Amsterdam transport ticket from 2007: https://ovchip.cs.ru.nl/Event_history#The_UVA_Ultralight_crack. It should be noted that the hack has been public knowledge for at least five years, and the Amsterdam PTA hasn't bothered to fix the problem yet. So there really is no security involved. :-) (The link above has plenty of other information about different attacks on the Dutch public transport system too. Interesting stuff if you're into it.)

Of course, the difference is that now you can download an app for it - which is something I've been expecting for years now ;-)

You can buy your own Mifare Ultralights for $0.50/piece from anywhere. Go hack! ;-)