Dutch RFID Transit Card Hacked

The Dutch RFID public transit card, which has already cost the government $2B — no, that’s not a typo — has been hacked even before it has been deployed:

The first reported attack was designed by two students at the University of Amsterdam, Pieter Siekerman and Maurits van der Schee. They analyzed the single-use ticket and showed its vulnerabilities in a report. They also showed how a used single-use card could be given eternal life by resetting it to its original “unused” state. The next attack was on the Mifare Classic chip, used on the normal ticket. Two German hackers, Karsten Nohl and Henryk Plotz, were able to remove the coating on the Mifare chip and photograph the internal circuitry. By studying the circuitry, they were able to deduce the secret cryptographic algorithm used by the chip. While this alone does not break the chip, it certainly gives future hackers a stepping stone on which to stand. On Jan. 8, 2008, they released a statement abut their work.

Most of the links are in Dutch; there isn’t a whole lot of English-language press about this. But the Dutch Parliament recently invited the students to give testimony; they’re more than a little bit interested how $2B could be wasted.

My guess is the system was designed by people who don’t understand security, and therefore thought it was easy.

EDITED TO ADD (2/13): More info.

Posted on January 21, 2008 at 6:35 AM • 60 Comments