Public transportation in distress – part II
Shortly after the news that German students had cracked the first layer of protection of the OV-chipcards used with a subscription for public transportation in the Rotterdam area, more news about this system surfaced yesterday.
A couple of Dutch students from the university of Nijmegen have successfully copied the throw-away version of the OV-chipcard, enabling them to travel for free, since a new copy can be made with little added effort.
This news has ‘shocked’ our Tweede Kamer, and a ‘spoeddebat’ (urgent debate) is planned for the upcoming week (which, by the way, had already been requested last week after the first news).
About 1 million of the subscription-capable cards are currently in use, as opposed to about 10,000 throw-away cards (dagkaarten). The impact is thus limited, as (so far) only these latter cards are vulnerable.
Again: the company responsible for the cards (TLS) is to blame for this, yet more information on the copying method has to be provided for both us and them to see how the system (and its security features) will cope with this setback.
Edit 1: Apparently the security of the day card is really weak, as details and information are exchanged in plaintext between the card and the terminal, whereas the subscription cards encrypt this exchange.
Also, more information on the ‘hack’ is available: the student has created a device called Ghost which copies all information on the card and can itself be used to open the metro gates and travel on the credit of the original card. So far it is unclear whether the Ghost can still be used when the mama-card has no credit left. Some indications point to this, yet reasoning from the technique it should not, as the Ghost simply copies the identification of the card and can be used to travel off the same credit as the mama-card.
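Because a replayed identifier is indistinguishable at the gate when the card-terminal exchange is in plaintext, the place a transit operator can still catch a Ghost is the back end, by reconciling gate logs per card ID. The following is an added example, not code from the post or from TLS; the station names, minimal travel times and log lines are constructed, and the check flags a card seen at two stations too close together in time or debited beyond the credit it was issued with.

```python
from collections import defaultdict
from datetime import datetime

# Minimal travel time in minutes between station pairs (constructed values).
MIN_TRAVEL_MIN = {
    frozenset({"ROTTERDAM-CS", "BLAAK"}): 5,
    frozenset({"ROTTERDAM-CS", "ZUIDPLEIN"}): 12,
    frozenset({"BLAAK", "ZUIDPLEIN"}): 9,
}

# Constructed gate log: timestamp, station, card id, fare debited in cents.
# 00A1 is "used" at two stations 3 minutes apart (a clone travelling in
# parallel); 00C3 is debited more than the credit the day card was sold with.
SAMPLE_LOG = """\
2008-01-15T08:00:00 ROTTERDAM-CS 00A1 200
2008-01-15T08:03:00 ZUIDPLEIN 00A1 200
2008-01-15T08:10:00 BLAAK 00B2 200
2008-01-15T08:40:00 ZUIDPLEIN 00B2 200
2008-01-15T09:00:00 BLAAK 00C3 200
2008-01-15T09:30:00 ROTTERDAM-CS 00C3 200
2008-01-15T10:00:00 ZUIDPLEIN 00C3 200
"""

def parse(log):
    """Split log lines into (timestamp, station, card, fare) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, station, card, fare = line.split()
        events.append((datetime.fromisoformat(ts), station, card, int(fare)))
    return sorted(events)

def detect_clones(log, issued_credit_cents=500):
    """Return {card_id: [reasons]} for card IDs whose usage implies a copy exists."""
    alerts = defaultdict(list)
    last_seen = {}                 # card -> (timestamp, station) of previous gate event
    spent = defaultdict(int)       # card -> total debited so far
    for ts, station, card, fare in parse(log):
        spent[card] += fare
        if spent[card] > issued_credit_cents:
            alerts[card].append(f"debits {spent[card]}c exceed issued credit {issued_credit_cents}c")
        if card in last_seen:
            prev_ts, prev_station = last_seen[card]
            if prev_station != station:
                elapsed = (ts - prev_ts).total_seconds() / 60
                needed = MIN_TRAVEL_MIN[frozenset({prev_station, station})]
                if elapsed < needed:
                    alerts[card].append(f"{prev_station}->{station} in {elapsed:.0f} min, needs {needed}")
        last_seen[card] = (ts, station)
    return dict(alerts)
```

The credit check only works if the balance is kept (or mirrored) centrally; a clone that spends a balance stored solely on the card is caught only by the travel-time rule.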
Edit 2 (2008-01-16): The CBP has just ruled the Amsterdam trial of the OV-chipcard illegal, due to the fact that the travel data will be stored for the enormously lengthy period of 7 years! In addition, the Amsterdam public transportation company (GVB) planned to deliver personalized ads based on travel routines. Yet more information has to surface before more can be said about the technical implementation of the security system; I’m still waiting for that to happen (and to post about it 😉 )
I’ll be posting updates whenever more news surfaces!
The version of the OV card used in Amsterdam (and thus likely everywhere?) has now been ruled in violation of Dutch privacy law by the CBP! That’s a landmark verdict (although not legally definitive) for the OV chipcard; you can see how important it is in Huizinga’s response, who has now demanded independent research as well, besides TLS’s own research and that of TNO, which is being paid by TLS.
This is getting more serious by the day now.
The card in Amsterdam is being banned because the organization managing it keeps too much personal information and travel records for too long a period; the card in Rotterdam apparently does not. (Or they are simply not being sued for it.)
I’m in favor of truly independent research, unfunded and unbiased, conducted by a party which cannot be a stakeholder in any conceivable way.
Also, as yet unrelated: I’m surprised by the security proposition of the card and its system. Apparently there is only one layer of security in place, which irreversibly and non-negotiably grants access to all cards once breached. I’m stunned to conclude there is no fail-over system implemented, basing my conclusion on the scarce information available at this point in time.
If so: TLS -> FAIL!