For our released papers and presentations see our Consulting & Training services.
We have analysed and revealed serious vulnerabilities in various publicly available systems. Many of these vulnerabilities have been presented at renowned security conferences:
We have practically demonstrated that the new Slovak biometric RFID passport can be read. The passport can be read by any ISO 14443A-compliant RFID reader (for our experiment we used a cheap Touchatag reader that can be bought for 30 €).
Personal data are encrypted using the Machine Readable Zone (MRZ), which is printed on the last but one page of the passport. The MRZ is composed of the passport number, the date of birth and the date of expiry; with the knowledge of this information the MRZ can be computed. The following information can be obtained from the passport using the MRZ:
The following information cannot be read using the MRZ alone and requires a special key (owned by the Slovak government):
The passport is not protected by an RFID shield by default, so a closed passport can be read from a distance of 5 cm. With a stronger antenna this distance can be significantly larger (up to 10 meters, and it will increase in the future).
The passport returns a random unique ID (UID), so it is not possible to fingerprint it and determine its manufacturer (this behaviour can be emulated by an NXP JCOP 41 v2.2.1 72K RANDOM_UID smartcard).
Without the “Active Authentication Public Key Info” it is not easy to clone the passport.
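The following is an added example, not code from the original page or from the authors' experiment. It shows how the MRZ information string described above is assembled from the three printed fields according to the public ICAO 9303 check-digit rules, and gives an upper bound on the entropy of the access key that is derived from it. The document number, dates and the candidate-space sizes are assumptions: the sample values are the ICAO 9303 specimen data, and the ranges passed to `effective_entropy_bits` are illustrative guesses, not properties of the Slovak passport.

```python
import math

# Added example (not from the original page): ICAO 9303 check digits and the
# MRZ information string from which the passport's access key is computed.
# The sample values used below are the ICAO 9303 specimen data, not a real passport.


def _char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum with the repeating weights 7, 3, 1, reduced modulo 10."""
    weights = (7, 3, 1)
    return sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(document_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number (padded with '<' to 9 characters), date of birth and date
    of expiry (both YYMMDD), each followed by its check digit. This 24-character
    string is the only secret a reader needs to derive the passport's access key."""
    doc = document_number.upper().ljust(9, "<")
    if len(doc) != 9 or len(birth_date) != 6 or len(expiry_date) != 6:
        raise ValueError("document number at most 9 characters, dates must be YYMMDD")
    return (f"{doc}{check_digit(doc)}"
            f"{birth_date}{check_digit(birth_date)}"
            f"{expiry_date}{check_digit(expiry_date)}")


def effective_entropy_bits(document_number_space: int,
                           birth_window_days: int,
                           expiry_window_days: int) -> float:
    """Upper bound on the key entropy: the key is a deterministic function of the
    three MRZ fields, so guessing the key is no harder than guessing the fields.
    The sizes of the candidate spaces are assumptions supplied by the caller."""
    return math.log2(document_number_space * birth_window_days * expiry_window_days)


if __name__ == "__main__":
    info = mrz_information("L898902C3", "740812", "120415")
    print("MRZ information:", info)
    # Assumed ranges: an 8-digit document number, a birth date somewhere in a
    # 50-year window and an expiry date somewhere in a 10-year window.
    print("entropy upper bound: %.1f bits"
          % effective_entropy_bits(10 ** 8, 50 * 365, 10 * 365))
```

The entropy figure is the point for a defender: even with generous ranges the key space is far below that of a random 3DES key, and anyone who has seen the data page (or knows the holder's birthday and roughly when the passport was issued) narrows it much further. This is why a shield in the cover, which prevents reading a closed passport, matters.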
To verify:
You have a right to be informed about security of technologies that process your sensitive information!
We have analysed the most widely used Czech and Slovak public transport and access smart cards (Bratislava public transport card, university/ISIC cards, parking cards, Slovak Lines cards, etc.) based on Mifare Classic technology.
Using various techniques and publicly available academic papers, we have demonstrated the possibility of obtaining all access keys used to encrypt the card content.
We have also verified that these keys can subsequently be used for complete reading, altering and cloning of the cards, which poses a serious threat to the affected transport companies.
We have also estimated the costs of effective attacks and proposed appropriate countermeasures, from the most secure (replacement of all vulnerable cards) to less secure ones (binding the card’s UID to the passenger, UID whitelisting, digital signing, the “decrement counter” solution).
To demonstrate the seriousness of these vulnerabilities we have implemented and released our own implementation of the “offline nested” attack, which can be used to crack all keys of all sectors offline, without a valid RFID reader.
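The following is an added example, not code from the original page or from the released cracker. It illustrates two of the countermeasures listed above, UID whitelisting and the “decrement counter” solution, from the transport company's side: a parser for the Mifare Classic value-block layout (value, inverted value, value, then address bytes, as documented in the NXP datasheet) and a backend ledger that flags a card whose counter goes up. The UIDs, block address and values are constructed sample data, and the `ValidatorBackend` class is a hypothetical stand-in for a real validator backend.

```python
import struct
from typing import Dict, Set, Tuple

# Added example (not from the original page or the released cracker): the
# Mifare Classic value-block layout and a backend check for the "decrement
# counter" countermeasure. UIDs and values below are constructed sample data.


def encode_value_block(value: int, block_addr: int) -> bytes:
    """Value block as documented for Mifare Classic: the signed 32-bit
    little-endian value, its bitwise inverse, the value again, then the
    block address as addr, ~addr, addr, ~addr."""
    raw = struct.pack("<i", value)
    inverted = bytes(b ^ 0xFF for b in raw)
    addr = block_addr & 0xFF
    return raw + inverted + raw + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def parse_value_block(block: bytes) -> Tuple[int, int]:
    """Return (value, address), rejecting blocks whose redundancy does not
    check out (a corrupted or hand-edited block)."""
    if len(block) != 16:
        raise ValueError("a Mifare Classic block is 16 bytes")
    v1, inv, v2 = block[0:4], block[4:8], block[8:12]
    if v1 != v2 or bytes(b ^ 0xFF for b in v1) != inv:
        raise ValueError("value redundancy check failed")
    addr = block[12]
    if block[13] != addr ^ 0xFF or block[14] != addr or block[15] != addr ^ 0xFF:
        raise ValueError("address redundancy check failed")
    return struct.unpack("<i", v1)[0], addr


class ValidatorBackend:
    """Hypothetical per-UID ledger kept by the transport company's backend.
    With the sector's access bits set so that the card only permits decrement,
    a genuine card can only ever present a value equal to or lower than the
    one last seen; a higher value means the content was rewritten with the
    recovered keys, or a clone is carrying a stale copy of the counter."""

    def __init__(self, whitelisted_uids) -> None:
        self.whitelist: Set[bytes] = set(whitelisted_uids)
        self.last_seen: Dict[bytes, int] = {}

    def validate(self, uid: bytes, counter_block: bytes) -> str:
        if uid not in self.whitelist:
            return "REJECT: UID not on whitelist"
        try:
            value, _ = parse_value_block(counter_block)
        except ValueError as exc:
            return f"REJECT: {exc}"
        previous = self.last_seen.get(uid)
        if previous is not None and value > previous:
            return "ALERT: counter increased, card rewritten or cloned"
        self.last_seen[uid] = value
        return "OK"


if __name__ == "__main__":
    uid = bytes.fromhex("04123456")            # constructed 4-byte UID
    backend = ValidatorBackend([uid])
    for rides_left in (10, 9, 10):            # the third read is a stale clone
        print(rides_left, backend.validate(uid, encode_value_block(rides_left, 6)))
```

The check only detects a clone once the original and the copy diverge, and says nothing about a clone that is never used alongside the original, which is why the paper ranks it below card replacement. The access-bit configuration that makes the value block decrement-only is set on the card itself and is not modelled here.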
An official paper of revealed Slovak and Czech Mifare Classic vulnerabilities (in Slovak)
Technical presentation of Mifare Classic vulnerabilities
Our Mifare Classic Offline Cracker (new version 0.09 for libnfc 1.3.9)
(tested with crapto1, libnfc and Tikitag/Touchatag reader)
Presentations:
SMS tickets are widely used in big cities in Central Europe (Prague, Bratislava, Košice, Vienna, Warsaw, ...).
The primary aim of this presentation is to show a serious inherent vulnerability in the public transport SMS ticket systems used in many big cities.
First, the prerequisites for a successful hack are described. Then a proposed SMS ticket hacking network architecture is outlined, including an SMS ticket hack server, SMS ticket mobile hack clients and their encrypted communication protocol.
The author describes various partial solutions to fix this vulnerability, including instructions for attackers on how to evade them (e.g. by using a decentralized private P2P mobile network).
Finally, an effective countermeasure is proposed: secure SMS ticket generation methods based on symmetric/asymmetric cryptography and an improvement of the transport inspector’s checking process.
Although public transport companies have already been informed about this serious vulnerability, they ignore it and still use the vulnerable systems.
Presentation: Public Transport SMS ticket’s hacking
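The following is an added example, not code from the original presentation. It shows one way to build the symmetric-cryptography countermeasure mentioned above: the ticket code is an HMAC over the ticket fields and the phone number the SMS was sent to, so a ticket copied to another phone fails the inspector's check even though the SMS text itself looks identical. The message format, the phone numbers, the key and the `issue_ticket`/`verify_ticket` functions are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not from the original presentation): an HMAC-bound SMS ticket.
# The ticket text carries a serial number, the validity window and a code; the
# recipient's phone number is deliberately NOT in the text, only in the MAC.


def _ticket_mac(key: bytes, serial: str, phone: str, valid_from: int, valid_to: int) -> str:
    msg = f"{serial}|{phone}|{valid_from}|{valid_to}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # 10 bytes -> 16 base32 characters, short enough to read aloud to an inspector
    return base64.b32encode(digest[:10]).decode()


def issue_ticket(key: bytes, phone: str, now: int, validity_seconds: int,
                 serial: Optional[str] = None) -> str:
    """Server side: build the SMS text that is sent to `phone`."""
    serial = serial or secrets.token_hex(4).upper()
    valid_to = now + validity_seconds
    code = _ticket_mac(key, serial, phone, now, valid_to)
    return f"TICKET {serial} {now} {valid_to} {code}"


def verify_ticket(key: bytes, sms_text: str, device_phone: str, now: int) -> str:
    """Inspector side: `device_phone` is the number of the phone actually
    showing the SMS (read from the device, or obtained by sending a verification
    SMS to it), not a number the passenger types in."""
    parts = sms_text.split()
    if len(parts) != 5 or parts[0] != "TICKET":
        return "INVALID: malformed ticket"
    _, serial, valid_from_s, valid_to_s, code = parts
    try:
        valid_from, valid_to = int(valid_from_s), int(valid_to_s)
    except ValueError:
        return "INVALID: malformed ticket"
    expected = _ticket_mac(key, serial, device_phone, valid_from, valid_to)
    if not hmac.compare_digest(code, expected):
        return "INVALID: code does not match this phone number or was altered"
    if not valid_from <= now <= valid_to:
        return "EXPIRED"
    return "VALID"


if __name__ == "__main__":
    key = b"constructed-demo-key"              # assumption: shared by server and inspectors
    sms = issue_ticket(key, "+421900000001", now=1000, validity_seconds=3600)
    print(sms)
    print(verify_ticket(key, sms, "+421900000001", now=2000))   # VALID
    print(verify_ticket(key, sms, "+421900000002", now=2000))   # INVALID, forwarded copy
```

With a symmetric key the inspector's device must either hold the key or query the server online; a signature-based variant lets inspectors carry only a public key, which is the asymmetric option the presentation refers to. In both cases the security gain comes from the inspector checking the phone number the ticket is bound to rather than only reading the SMS text.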
Presentation / References: