RFID replay attack allows free travel in The Netherlands
A week ago a TV program was broadcasted about the successful attack on the single-use RFID-based Dutch public transit card by computer science student Roel Verdult of the Radboud University in Nijmegen. Security researchers normally report to the company whose product has been attacked before seeking publicity. However, due to the speed at which this story developed, Roel’s supervisors in the Nijmegen Systems Security group were only able to contact Trans Link Systems (TLS) on the day of the broadcast and to invite them to a meeting to tell them about all the technical details.
During the meeting, Roel Verdult began by explaining his attack. With an RFID reader, the contents of the single-user card were copied to a laptop, then the information was transferred to an electronic device Roel built, the “Ghost.” The Ghost can repeatedly act as a transit card, allowing unlimited free transit on the public transit system.
The TLS employees expressed their concern at this attack, in particular, because the necessary equipment to carry it out is easy to obtain. Next there was a lively discussion about countermeasures, both short term and long term, however without a clear result as all proposed countermeasures were either very expensive or difficult to implement.
The researchers emphasized the need for openness and transparency as necessary conditions for adequate security and public trust in the system. Putting that in more technical terms, the specification and implementation details should be public from the very beginning so that researchers, hackers, consumers’ groups and other interested experts can try to find design errors and propose solutions. The TLS employees admitted that in theory this is the best method to getting a secure system.
Because the current public transit card was not developed from this “open” approach, the chance is present that more exploitable errors will be found. For this reason, the TLS staff were hesitant to make the current design suddenly public.