August 17, 2009 6:01 AM PDT

How 10 digits will end privacy as we know it

by Ari Juels

Editors' note: This is a guest column. See Ari Juels' bio below.

Internet denizens and urban dwellers alike need to recognize that an era of anonymity is ending.

The population of the world stands at about 7 billion. So it takes only 10 digits to label each human being on the planet uniquely.

This simple arithmetic observation offers powerful insight into the limits of privacy. It dictates something we might call the 10-Digit Rule: just 10 digits or so of distinctive personal information are enough to identify you uniquely. They're enough to strip away your anonymity on the Internet or call out your name as you walk down the street. The 10-Digit Rule means that as our electronic gadgets grow chattier, and databases swell, we must accept that in most walks of life, we'll soon be wearing our names on our foreheads.

A study of 1990 U.S. Census data revealed that 87 percent of the people in the United States were uniquely identifiable with just three pieces of information (PDF): five-digit ZIP code, gender, and date of birth. Internet surfers today spew considerably more information than that. Web sites can pinpoint our geographical locations, computer models, and browser types, and they can silently track us using cookies. Banking sites even confirm our identities by verifying that our log-ins take place at consistent times of day.

Database dossiers, too, carry surprising amounts of identifying information, even when specifically anonymized for privacy. Researchers at the University of Texas at Austin last year studied a set of movie-rating profiles from about 500,000 unnamed Netflix subscribers (PDF).

Knowing just a little about a subscriber--say, six to eight movie preferences, the type of thing you might post on a social-networking site--the researchers found that they could pick out your anonymous Netflix profile, if you had one in the set. The Netflix study shows that those 10 deanonymizing digits can hide in surprising places.

Our physical belongings also betray our anonymity by silently calling out identity-betraying digits. Small wireless microchips--often called radio frequency identification, or RFID, tags--reside in car keys, credit cards, passports, building entrance badges, and transit passes. They emit unique serial numbers.

Once linked to our names--when we make credit card purchases, for instance--these microchips enable us to be tracked without our realizing it. One popular book inflames imaginations with the lurid title, "Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID."

But wireless microchips also highlight the futility of anonymity protections. To begin with, concerns about RFID tracking miss the forest for the trees. After all, mobile phones are ubiquitous and can be tracked at much longer ranges than standalone chips. Many people have GPS receivers in their phones and are signing up for location-based services, voluntarily (if selectively) disclosing their movements. There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.

Many scientists (including me) have developed antitracking techniques for mobile phones and microchips. Instead of fixed serial numbers, wireless devices can call out changing pseudonyms, such as the rotating license plate numbers on spies' cars in the movies. The problem is that the plates may change, but the car always looks the same. In this regard, chips are like cars.

February 20, 2009 2:42 PM PST

EFF: Nevada bill would outlaw some RFID research

by Elinor Mills

A proposed bill in the Nevada State Legislature would make it a crime to do legitimate research on security weaknesses in radio frequency identification, the Electronic Frontier Foundation said on Friday.

The bill, S.B. 125, would make it a Class 3 felony to possess, read, or capture another person's personal identifying information through RFID, subject to up to five years in prison and a $10,000 fine.

The measure is scheduled to be discussed Monday morning in the Nevada Senate Judiciary Committee in Carson City, Nev. The hearing will be Webcast.

The EFF hasn't taken a formal position on the measure because attorneys haven't yet had time to analyze it thoroughly, but the group is concerned about its unintended consequences, said Lee Tien, a senior staff attorney at EFF. The nonprofit civil rights group is concerned that it will quash legitimate research (PDF) and land innocent people in jail.

When RFID companies and government proponents of the technology make claims about privacy protections, often the only way to disprove those claims is to test the technology in real-world demonstrations, Tien said.

In a letter to the Nevada Senate Judiciary Committee sent Thursday, Tien wrote that the bill in its current form does not protect information security research.

"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings--not only in controlled conditions," he wrote.

California's recently enacted anti-skimming law, S.B. 31, contains a safe harbor provision for researchers, Tien noted.

The Northern Nevada chapter of Infragard, a public-private cybersecurity partnership, opposes the measure, said Ira Victor, president of the group.

"Not only is it already a felony to hack and steal someone's personally identifiable data" but the measure would make some of the presentations at the Defcon and Black Hat security conferences held in Las Vegas every year illegal, said Victor.

One person at risk would be security researcher Chris Paget, of IOActive, who demonstrated the security risks of RFID to The Register earlier this month. A video shows Paget driving around downtown San Francisco grabbing data from random RFID-based passport cards and cloning them.

RFID has proved to be a controversial research area, with security experts saying the technology, in general, does not have adequate security protections.

In 2007, Paget pulled his demonstration of a device that could clone RFID-enabled proximity badges from his presentation at the Black Hat DC Training conference after getting legal threats from the chipmaker. Paget gave a redacted version of his presentation.

An RFID technology provider unsuccessfully took Dutch researchers to court over their research last year. And the Massachusetts Bay Transportation Authority stopped three MIT students from presenting their RFID security research at Defcon last summer, but a court ruled later that they should be allowed to go public with their findings.

December 23, 2008 2:09 PM PST

MIT students to help Boston secure subway fare system

by Elinor Mills

MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson show up at, but do not speak at, the Defcon conference in August.

(Credit: Declan McCullagh/News.com)

Three MIT students who were sued by the Massachusetts Bay Transit Authority over their research into subway card vulnerabilities are now working with the transit authority to improve the fare collection system.

The lawsuit against the students was dismissed after a judge lifted a gag order in August that prevented the students from discussing their work. The students had planned to present their research at the Defcon hacker conference in Las Vegas on August 10, but canceled their presentation after a judge granted the MBTA's request for an injunction the day before.

"This is a great opportunity for both the MBTA and the MIT students. As we continue to research ways to improve the fare system for our customers, we appreciate the cooperative spirit demonstrated by the MIT students," MBTA General Manager Daniel Grabauskas said in a statement published on the Electronic Frontier Foundation Web site on Monday. EFF attorneys represented the students in their legal defense.

One of the students, Zack Anderson, was quoted as saying: "We've always shared the goal of making the subway as safe and secure as can be. I am glad that we can work with the MBTA to help the people of Boston, and we are proud to be a part of something that puts public interest first."

As part of their presentation, entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs and Magstripes of Ticketing Systems," the students planned to describe several attacks to break the CharlieCard, an RFID card that the MBTA uses on the Boston T subway line.

October 23, 2008 4:52 PM PDT

Using the mobile phone as a credit card

by Elinor Mills

Inside Contactless offers a MicroPass technology that can be embedded in stickers that are affixed to mobile phones so they can be used to make payments or access transit systems and buildings.

(Credit: Inside Contactless)

I admit it; I've been put off by the term "contactless payments." But it's an emerging area that deserves some attention.

If you are in Asia, you know what I'm talking about. People there have been making payments with their mobile phones using what's called "near-field communications." Just wave the handset in front of a reader and voila, the transaction is done.

In the U.S., we've had RFID technology embedded in cards. But the long-term goal is to eliminate the need to carry credit cards, building access badges and transit cards and just turn the phone into an all-in-one device.

Well, while the mobile phone has turned into an entertainment device over the last few years, it hasn't become the payment and access device in the U.S. that was envisioned when contactless payment strategies were born back in 2005 and earlier.

And now, with the economic downturn, the near-field communications industry is likely to take even longer to take off. Broad adoption of near-field communications will take longer than expected now, as long as three to four years, predicts Shyam Krishnan, an industry analyst at Frost & Sullivan.

So, a French company called Inside Contactless has come up with an interim solution that will let people turn their phones into credit cards and transit cards. Inside's MicroPass technology will be embedded into a sticker that can then be affixed to a phone, wallet, or anything else.

The company, which entered the U.S. bank card market with a microprocessor-based chip in 2005 and is backed by Nokia, Motorola and Samsung, recently announced that Colorado Plastics will be producing stickers using the MicroPass technology.

Soon, we may see people waving their mobile phones, iPods, ID badges, or wallets in front of readers to get on the subway or buy coffee at Starbucks.

"It's a cool way to pay; convenient," said Charles Walton, executive vice president of the payments business at Inside. "It turns the phone into a super wallet."

"It's a card in a different format," said Jonathan Collins, principal analyst in ABI Research's RFID and contactless group. "We've had American Express fobs, but they didn't prove to be overly popular. Stickers are more useful."

The MicroPass technology should fare better with regard to security scrutiny than the much-maligned NXP Mifare Classic RFID chip, which has been found to have severe flaws and can be cloned.

"We're using a microprocessor with open-standard security techniques, not a fixed memory, proprietary security scheme" like Mifare Classic, Walton said. The applications implemented using MicroPass "cannot be cloned in that way."

Adoption will depend on how quickly banks, retailers and phone companies can agree on standards and implementation, as well as on whether people are ready to merge their phone and their wallet.

"There has to be a benefit for the end user," Krishnan said. "It all boils down to its convenience, at the end of the day."

I'd be interested in hearing reader thoughts on whether this technology would be useful.

Originally posted at Wireless

October 6, 2008 5:35 PM PDT

D-Day for RFID-based transit card systems

by Elinor Mills

Want to ride the subway for free without having to jump the turnstiles? Well, as of Monday, you'll be able to do that by making a fake transit card.

A scientific paper detailing the security flaws in the Mifare Classic wireless smart card chip used in transit systems around the world is being published by the Radboud University Nijmegen. And a researcher at Humboldt University in Berlin has published a full implementation of the algorithm (PDF).

"Combining these two pieces of information, attacks can now be implemented by anyone," RFID researcher Karsten Nohl told CNET News. "All it takes is a $100 (card) reader and a little software."

Armed with the information in the papers, someone could steal the secret key from a Mifare Classic-based transit card and create a clone of it. As seen in a demonstration, data was collected wirelessly by merely brushing a card reader past someone carrying a card. The data was then used to create a fresh transit card that permitted free access to the London subway.

Subway systems in Amsterdam, Boston, Bangkok and Delhi, among other cities, are also susceptible, as are building access control systems in Europe.

"That's just the tip of the iceberg," said 3ric Johanson, a Seattle-based security consultant. "It's my estimation that approximately 3.5 billion cards have been issued using the Mifare Classic protocol, all subject to financial fraud. There are at least 60 or so major citywide RFID implementations that rely on Mifare Classic."

Nohl, who worked with others to break the Mifare crypto last year and received a Ph.D. in computer security from the University of Virginia, suspects that "hobby hackers who ride the metro every day and are curious about this technology" will be the first to exploit the vulnerability, "more for fun than profit."

For the less technologically savvy among us, there could soon be mass produced devices that make it easy to forge Mifare Classic cards, Johanson said.

Johanson, an expert in RFID technology, said he has reached out to transit systems to offer help improving their security, but received mixed responses.

There are options for transit authorities who don't want to replace their entire systems. For instance, they can use intrusion detection-type systems that register when a particular card has had a change in value or been cloned, according to Johanson. "I'm highly dubious about a lot of these claims because it's hard to do it right," he said of such measures.

NXP, the company that developed the Mifare Classic chip, could not be reached for comment Monday. The company sued to block publication of the Dutch university paper, but a judge ruled in July that the paper could be published.

The Massachusetts Bay Transit Authority (MBTA) took legal action in August to prevent three MIT students from presenting their research on how to "hack" the Boston subway system at the Defcon hacker confab in Las Vegas. A judge later lifted the gag order in that case. Representatives from the MBTA could not be reached for comment.

Security systems like the Mifare Classic that are not peer reviewed are not as trustworthy as systems that can be openly analyzed by researchers looking for flaws, Johanson and Nohl said.

"Developing your own proprietary security mechanisms and not getting public scrutiny on it does not work," Nohl said.

August 11, 2008 2:35 PM PDT

Massachusetts: We want to meet with MIT subway-hacking students

by Declan McCullagh

The state of Massachusetts said Monday it is not prepared to abandon its lawsuit against MIT students who uncovered security vulnerabilities in Boston transit cards, even though thousands of copies of their 87-page presentation have been distributed.

A federal judge on Saturday granted the state transit authority's request for a restraining order barring the students' planned presentation at the Defcon conference. It orders them not to disclose any "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System."

The MIT students canceled their talk. But their presentation materials were handed out to Defcon attendees in the conference packet, and it has been distributed widely on the Web.

When we asked the Massachusetts Bay Transportation Authority if it would end the lawsuit as a result of the distribution, spokesman Joe Pesaturo replied: "The MBTA will reserve comment on the substance of the presentation until staff has had a sufficient period of time to thoroughly review the information, and meet with the students and their professor." Pesaturo did not respond to a followup question about whether any meeting has been set up.

The Electronic Frontier Foundation, which is providing a legal defense to the students, did not immediately respond to questions about whether a meeting has been arranged.

U.S. District Judge Douglas Woodlock granted MBTA a temporary restraining order, which under federal rules automatically expires in 10 days--meaning August 19--unless extended "for good cause."

That means MBTA needs to decide in the next week whether to try to ask Woodlock to convert his temporary order into a longer-lasting preliminary injunction.

MBTA's Pesaturo added in a separate message:

A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.

One reason the MBTA may want to proceed is that the restraining order does more than merely require the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--not to proceed with their presentation. It also applies to releasing "software code," which the trio had planned to post at web.mit.edu/zacka/www/subway/, but apparently never did.

During Saturday's hearing, an attorney for MBTA pointed to the students' plans to post Python code that could read magnetic cards and said: "This is not simply saying, 'We did it. Aren't we inventive?' It's also providing a tool to help accomplish this. Our understanding is that these would likely be software tools that would make it easier to analyze the cards." (An EFF attorney, on the other hand, characterized the code as general-purpose and "not tools which are targeted toward the MBTA system.")

Judge Woodlock said, according to a recording posted by Wired News, that the students acted "in contravention of best practices" and that he foresaw "no harm to defendants" in granting the restraining order. He did, however, add that "defendants are free to seek modification even before the end of the 10-day period."

August 9, 2008 10:31 AM PDT

Judge orders halt to Defcon speech on subway card hacking

by Declan McCullagh

MIT students Alessandro Chiesa, R.J. Ryan, Zack Anderson, and Electronic Frontier Foundation staff attorney Kurt Opsahl speak at a panel turned press conference at Defcon.

(Credit: Declan McCullagh/CNET News)

LAS VEGAS--A federal judge on Saturday granted the Massachusetts transit authority's request for an injunction preventing three MIT students from giving a presentation about hacking smartcards used in the Boston subway system.

The Electronic Frontier Foundation, which is representing the students, anticipates appealing the ruling, said EFF senior staff attorney Kurt Opsahl.

The undergraduate students had been scheduled to give a presentation Sunday afternoon at the Defcon hacker conference here that they had said would describe "several attacks to completely break the CharlieCard," an RFID card that the Massachusetts Bay Transportation Authority uses on the Boston T subway line. They also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

U.S. District Judge Douglas Woodlock on Saturday ordered the students not to provide "program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System." Woodlock granted the MBTA's request after a hastily convened hearing in Massachusetts that took place at 8 a.m. PDT on Saturday.

EFF staff attorney Kurt Opsahl said that the temporary restraining order is "violating their First Amendment rights"; another EFF attorney said a court order pre-emptively gagging security researchers was "unprecedented."

EFF attorneys appeared with the three students--Zack Anderson, R.J. Ryan, and Alessandro Chiesa--in front of a crowd of hundreds at an afternoon session at Defcon, but largely prevented them from answering questions, citing the lawsuit. Although Sunday's talk is canceled, Defcon organizers hinted that there may be a related presentation on a similar topic.

First page of subway-hacking presentation that was the subject of an injunction to stop its distribution--after it had already been distributed.

The students told reporters that they had, on their own, asked their professor to initiate contact with the MBTA a week before the government agency contacted them on July 30 or July 31. But the process was delayed because professor Ron Rivest was at a security conference near San Francisco, and no contact with MBTA was made at the time.

But then the conversations took a hostile turn when MBTA mentioned an FBI criminal investigation of the MIT students. In the "initial contact, they said the FBI was investigating and that was not--we didn't find that to be a very pleasing way to start a nice dialogue with them. And we got a little concerned about what was happening," said Anderson, one of the students.

EFF's Opsahl said the students only intended to "provide an interesting and useful talk, but not one that would allow people to defraud the Massachusetts" government.

The MBTA, which is a state government agency, alleges in its lawsuit that "disclosure of this information will significantly compromise the CharlieCard and CharlieTicket systems" and "constitutes a threat to public health or safety."

Its suit asks a judge to order the students "from publicly stating or indicating that the security or integrity of the CharlieCard pass, the CharlieTicket pass, or the MBTA's Fare Media systems has been compromised." The requested order would also prevent them from circulating the summary of their talk, from providing any technical information, and from distributing any software they created.

That could be difficult to enforce. Every one of the thousands of people here who registered for Defcon received a CD with the students' 87-page presentation titled "Anatomy of a Subway Hack." It recounts, in detail, how they wrote code to generate fake magcards. Also, it describes how they were able to use software they developed and $990 worth of hardware to read and clone the RFID-based CharlieCards.

Those CDs were distributed to conference attendees starting Thursday evening, meaning the injunction arrived nearly two days late. (On the other hand, the source code to the utilities--not included on the CD--was removed from web.mit.edu/zacka/www/subway/ by Saturday morning.)

Court documents filed by MBTA suggest that representatives of the transit agency tried to pressure the students into halting their talk. During a meeting with the students and MIT professor Ron Rivest on Monday, MBTA Deputy General Manager for Systemwide Modernization Joseph Kelly unsuccessfully tried to obtain a copy of their planned presentation. Kelly spoke with Rivest again on Friday. (There was initial confusion about whether the meeting was Monday or Tuesday.)

Chiesa, Ryan, and Anderson at an Electronic Frontier Foundation panel.

(Credit: Declan McCullagh/CNET News)

A representative of the Defcon convention, who asked that her name not be used, said that the students submitted their PowerPoint presentation at least a month ago. The presentation says--not-so-presciently--"what this talk is not: evidence in court (hopefully)." It also says: "THIS IS VERY ILLEGAL! So the following material is for educational use only."

In addition, what looked like a black-and-white faxed copy of the entire presentation was entered as evidence in publicly available court records available on the Web on Saturday, meaning any attempt to limit its distribution further will encounter an additional hurdle.

Also released as part of the public record was a document marked "confidential" and written by the researchers (PDF) that explains exactly how the Charlie cards can be cloned and forged. "Our research shows that one can write software that will generate cards of any value up to $655.36," the document says.

The document also discusses the lack of physical security at the MBTA. "Doors were left unlocked allowing free entry in many subways," the document says. "The turnstile control boxes were unlocked at most stations. Most shocking, however, were the FVM control rooms that were occasionally left open."

One portion of the MBTA's legal complaint that drew jeers from the Defcon crowd came in its odd claim that "A CharlieTicket standing alone constitutes a 'computer'" under federal antihacking law.

This isn't the first time speakers at security conferences have been hauled into court by companies seeking to muzzle them.

In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn hours after he gave a talk at Defcon on how attackers could take over Cisco routers. The case was ultimately settled. Four years earlier, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel one day after he gave a presentation at Defcon on insecurities in e-book security software.

Another excerpt from the presentation distributed to thousands of Defcon attendees on CDs.

Princeton University computer science professor Ed Felten and his co-authors received legal threats from the recording industry involving a planned talk at a Pittsburgh security conference--but pulled the paper from the event, even though no lawsuit materialized.

Research into flaws in the encryption of the Mifare Classic cards, which are used by the MBTA, landed Dutch researchers in court recently. NXP sued to block a Dutch university from publishing information about vulnerabilities in the encryption used in the RFID cards around the world. Last month, a court ruled that the university could publish the information.

Karsten Nohl, a University of Virginia graduate student who worked with others to break the Mifare Classic crypto algorithm last year, said MBTA should not have sued researchers who voluntarily discussed their findings with them.

"It has been known for years that magnetic stripe cards can easily be tampered with and MBTA should not have relied on the obscurity of their data-format as a security measure," Nohl said. "MBTA made it clear that they are not interested in cooperating with researchers on identifying and fixing vulnerabilities, but their lawsuit will motivate more research into the security of Boston's public transport system."

MIT's student newspaper has posted a copy of the presentation that was distributed on Defcon CDs and the subject of the court order.

In the video clip below, MIT student Zack Anderson tells reporters how he felt when he learned about the lawsuit filed by the MBTA. The lawsuit was filed a few days after he had met with the agency to discuss concerns about his talk at Defcon. He is with fellow MIT students R.J. Ryan and Alessandro Chiesa and EFF attorney Marcia Hofmann, who was advising the students about what they could say in light of the temporary restraining order against them.

(Credit: Elinor Mills)

CNET News.com's Elinor Mills contributed to this report.

[Note: This story was updated at 12:05 p.m. PDT to reflect that a temporary restraining order was issued. It was again updated at 1:30 p.m. PDT with more details from documents on how the hacks can be done, and at 4:30 p.m. with a report from the EFF press conference and 6:15 p.m. with video.]

July 19, 2008 9:25 AM PDT

Protecting against Wi-Fi, Bluetooth, RFID data attacks

by Elinor Mills

NEW YORK--Using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals, a security expert warned at the Last HOPE hacker conference here late Friday.

Security expert RenderMan discusses the insecurity of RFID chips, Bluetooth headsets and laptops using Wi-Fi at the Last HOPE hacker conference.

(Credit: Elinor Mills/CNET News)

In a frightening but entertaining session entitled "How do I Pwn Thee? Let me Count the Ways" (pwn is hacker speak for "own" or control), a hacker who goes by the alias "RenderMan" explained how most people are at risk and don't even know it.

By now most people probably know they should be careful using Wi-Fi networks, especially public hotspots that don't encrypt data transmissions and where network access points can be spoofed. These issues leave Web surfers at risk of having their data stolen, receiving fake Web pages and other information, and having their computers completely taken over, he said.

Even airplane passengers who either ignore stewardess requests to disable Wi-Fi or don't know how to turn it off are not immune to attacks from others in the airplane, he added.

RenderMan suggests that people disable Wi-Fi when it is not in use and use VPNs and firewall software.

Bluetooth headset users are at risk because of a security hole in the technology and default PINs that don't get changed, he said. By exploiting these vulnerabilities, someone can break in and steal data from the phones, make calls without the cell phone owner knowing, listen in on and break into conversations, and even spy on people by turning the device into a bug.

He advises that people change the default password, disable the Bluetooth on the phones, turn off the headsets when not in use, and limit access to the data and features when communicating with other Bluetooth devices.

Many people don't realize that new U.S. passports have RFID technology with weak encryption that makes the data on the chip easy to read with the proper reader device. (See related video below).

The U.S. government attempted to mitigate the privacy threat by putting a metal foil layer on the front and back cover of the passports, but the stiffness of the foil pops the passport open as much as an inch, wide enough for RFID readers to snatch the data, RenderMan said, showing a video to demonstrate this.

"There is no rule that says that if the chip doesn't work, they will refuse you access to the border. You will get increased scrutiny, but it's still a valid document," he said. "So, liberal application of a hammer can negate a lot of the possible" problems.

But doing willful damage to the passport is a crime, one attendee pointed out. "I fell, really hard," RenderMan deadpanned.

RFID used in transit and building access badges has also been proven to be insecure, allowing someone to use an RFID reader to copy data off the card and make a clone of it, he said.

A security flaw in the Mifare Classic Chip used in transit systems is the subject of a court case in The Netherlands. The maker of the chip, NXP Semiconductors, sued to block a university from publishing details of the problems, but a court ruled on Friday that the research can be made public.

Even traditional keys are vulnerable, RenderMan said. For instance, photographs of spare keys for electronic-voting machines displayed on a Web page were used to make replicas with similar-looking keys, he said. A video demo showed how someone filed down a key from a hotel mini-bar and was able to open up the memory card slot of a Diebold voting system.

Credit: CNET News
Michael Aiello, president of DIFRwear, demonstrates at Last HOPE how easy it is to swipe the data off someone's RFID-enabled credit card, building access badge, or passport from a few feet away. DIFRwear sells wallets and cases to protect cards from data thieves.

July 18, 2008 7:32 AM PDT

Dutch court allows publication of Mifare security hole research

by Elinor Mills

Updated 8:30 a.m. PDT with researcher comment and photos. Updated 11:17 a.m. with NXP comment.

NEW YORK--A Dutch court ruled on Friday that a university can publish an article on security flaws in the Mifare Classic wireless smart card chip, the most popular chip used in transit systems around the world.

Security researcher Karsten Nohl discusses how he cracked the cryptography in the Mifare Classic Chip at the Last HOPE conference.

(Credit: Elinor Mills)
NXP Semiconductors, formerly Philips Semiconductors, sued to prevent computer science professor Dr. B. Jacobs at Radboud University Nijmegen from publishing a scientific paper on the technology, arguing that it would be irresponsible to make the information public.

The Rechtbank Arnhem court ruled that prohibiting publication of the article would violate the researcher's freedom of expression, which is vital to a democratic society, according to a news release from the university.

The article will be published at the beginning of October during a scientific conference in Malaga in Spain. Jacobs demonstrated how one could ride the London transit system for free by making a clone of a stranger's transit card. The card is also used for access control to buildings.

Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year, was giving a talk about his research into security problems with Mifare chips at the Last HOPE hacker conference here on Friday morning.

"I don't think anyone truly believes you can prevent reverse engineering techniques from being published," Nohl said during his talk. Although the Digital Millennium Copyright Act would apply in the U.S., universities are exempt, he said.

"I'm very happy that the court upheld the right to open research and freedom of publication," Nohl told CNET News after his talk. "I'm also happy that the court understood that publishing vulnerabilities is a crucial part of the evolution of security and a different court outcome would have slowed down that evolution of smart card security and left too many systems vulnerable."

Rop Gonggrijp, a Dutch security researcher attending the conference, said publishing information on vulnerabilities is often the only way to get the vendor to fix the problem. "Any other outcome would have changed the way science discloses security vulnerabilities," he said.

Security researchers Karsten Nohl and Rop Gonggrijp discuss the Mifare court ruling at the conference.

(Credit: Elinor Mills)

In a statement, NXP said publishing the means to carry out hacks on the chip "is contradictory to the scientific goal of prevention and the responsible disclosure of sensitive information."

"We have not and will not seek any kind of punitive action toward the university or researchers," Henri Ardevol, general manager of automatic fare collection for NXP, told CNET News on Friday. "Affected parties may want to see if they themselves want to take direct action" against the university.

Ardevol said it was too early to say whether NXP would appeal the ruling.

There are techniques and countermeasures to detect cards and data which have been tampered with, although there remains a residual risk, Ardevol said. (More information on the risks is on Mifare's Web site.)

"Migration to a different format is one option," he said. "We introduced Mifare Plus earlier this year, and it is designed to help migrate from Mifare Classic to a higher level of security...We will be developing plans for how to guide these migrations."

NXP has sold more than 1 billion of the cards, although it does not know how many are still active, according to Ardevol.
