Auckland’s Yellow Bus Company is refusing to comment on claims by security researcher Peter Gutman that he has broken the smartcards used as travel passes on its buses.
Gutman, who has notified the company of his actions, says he is able to both load value on to the “Yellow Pass” cards and clone new cards from easily available blanks. The cards, which have been in use for several years, are simple 256-byte memory cards which, says Gutman, contain no security features at all.
“I’ve had the equipment to read, write and copy these things at least as long as they’ve have been around, but I assumed they had some security so I’d never even looked at it,” says Gutman. “But I recently had someone over from Australia who does smartcard security breaking for a living and she suggested I see what was on the cards, so I did.
“And it took about 30 seconds to read the contents, and a couple of minutes to modify the programme so I could write them as well.”
The Yellow Pass cards conform to I2C, the simpler of the two international smartcard protocols, and Gutman says it would “in theory” be possible to dump the contents of their memory chips “with wires poked into a PC’s printer port and taped to the card”.
“ You might want to put a bit of buffer in between the PC and the card, but you can do it with absolutely minimal equipment.”
Gutman says he contacted Yellow Bus Company manager Colin Burrow “and said, ‘These things aren’t secure’, they’re just memory cards, so I can copy them. I asked if they were doing anything about it and he said, ‘Yes, we’re looking at it’.”
Burrow refused to comment when Computerworld called last week.
Gutman says the company could potentially detect card fraud through its logging process.
“Presumably [the company’s logging] records the time-stamp of when the card was last used, so they could, if they find a re-used card, figure out of the course of a week what bus-stop the person’s getting on at. But there are ways getting around that. They have to track vast numbers of cards and find the anomalies, so if you only use it outgoing on the 5pm bus, it’s going to be very hard to track.”
The Yellow Pass is one of relatively few public smartcard applications in New Zealand at present, but use of the cards is likely to grow considerably in New Zealand and Australia over the next few years. Basic chip-cards are produced in huge numbers in Europe, and there are well-known attacks for them -— particularly those used as phone cards.
A popular technique, says Gutman, involves the use of a more sophisticated processor card (available for about $10) which can be programmed to alter its serial number and balance in memory after every use, making the card impossible to track.
The pirating of satellite TV services, using both counterfeit smartcards and card-emulator programs for the PC, is also a huge business across Europe. Sky TV in New Zealand, which uses similar technology to BSkyB in Europe, has insisted in the past that such piracy is impossible here.