Hacking the OV chipcard… again

The Dutch OV-chipcard has been hacked. Again. First some clever guys at Radboud University (Nijmegen, NL) managed to hack the chip used in the card. They demoed their hack on their own university’s access control system, on the Dutch transport card system, and even on the London Oyster Card (which uses the same chip).

This led to questions in parliament, increased security at military bases (which used this system for access control), and questions about the Dutch OV-chipcard. Funnily enough, the OV-chipcard survived the storm. The company producing the chip, NXP (a Philips “spin-off” that comprised about half the company when it spun out), also survived, but had quite some PR fallout. Despite various researchers pointing out it would only be a matter of time before the system would be attacked by people seeking to travel for free (as opposed to researchers testing the security of the system), their arguments were washed away by a wave of “we’re paying attention”, “we’re monitoring things”, etc.

Fast-forward 2 years. PC-Active has found Windows software online, which allows anyone with a Windows PC and a reader to clone a card. They bought an anonymous card, put 5 euros on it, copied it, raced around, and then restored the copy. Et voilà (as the French say), they were back to 5 euro credit. Most of their cards were not invalidated for any type of transport (apparently, two cards were refused entry on the train, but not on other types).

So where will this all go? I see two options:

  • Either the system is scrapped, OR
  • After strong words by politicians, and some public grovelling by the company implementing the card, nothing much changes.

Can’t the security be updated? Sure it can. But unless they actually diligently planned for that, all the readers at stations and in buses can’t speak new and updated security. And the point is not to prevent this one hack. There will be new hacks of new systems — there always have been. The point is that you cannot build an indefinitely secure system that’s open to public use. You need a way to update the security.

Perhaps the manufacturer included such a way. In which case, they should hire equally competent personnel for their PR department, because they’re not impressing anyone (case in point: they have an official response to this story, but on their site, under news, it right now says “no news”…).

Anyway, personally, I hope the system is scrapped. Remember: the traveller did not ask for this system. Not only does this electronic system have fewer options than the paper-based system (e.g. someone else travelling on my “strips” when I’m done with them, getting off at an intermediate station while en route somewhere, buying three large “strippenkaarten” to travel a short distance with a large group, etc.), but it also enables tracking of travellers. Which I don’t like.

It is a pity that the politicians nowadays only discuss the security of the system. Perhaps I missed the discussion on the usefulness of the system, but it seems as if that discussion never occurred. Please correct me if I’m wrong.
