中国开发网 forum, board 程序员情感CBD, post 665520
haitao
Surprising that hardly anyone is interested...
Anatomy of a Subway Hack


Zack Anderson
Alessandro Chiesa

For updated slides and code, see: http://web.mit.edu/zacka/www/subway/



what this talk is:
Pen-testing a subway system


what this talk is not:
evidence in court
(hopefully)


You’ll learn how to
• Generate stored-value fare cards
• Reverse engineer magstripes
• Hack RFID cards
• Use software radio to sniff
• Use FPGAs to brute force
• Tap into the fare vending network
• Social engineer
• WARCART!



AND THIS IS VERY ILLEGAL!
So the following material is for educational use only.


ATTACK
PHYSICAL
SECURITY

there is almost always a free way to get in


turnstile control boxes open…
almost everywhere


computer screens visible through
windows



door keys left in open boxes


state-of-the-art surveillance…
often unattended



documents left in the open



ATTACK
THE
MAGCARD


try a cloning attack
Is value stored on the card?


If yes, then
you now have free subway
rides for life


Oh,
but you want more than that,
eh?


reverse engineering
The Charlie Ticket


reverse engineering
Everybody talks about it,
But where do you start?
1) Make a guess about what’s in the data
2) Change a single variable; see what changes
3) Repeat many times with varying data
4) Compare similar and dissimilar data
5) Ignore constant regions
6) Build/use tools


reverse engineering
Isolate Variables method
To locate a single variable:
• Group data by that variable
• Ignore global similarities (between different groups)
• Ignore differences within groups
Resulting locations are probably where the data is stored
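The isolate-variables method described above, as an added Python example (not code from the talk or from the MIT team's toolkit). The 16-byte record layout, the serial numbers and the stored values below are constructed for illustration and are not the Charlie Ticket format; the same routine serves an assessor checking whether a card's stored value is exposed in plain, locatable bytes.

```python
"""Isolate-variables method: find where a known field lives in card dumps."""
from functools import reduce


def constant_offsets(dumps):
    """Byte offsets whose value is identical in every dump of the list."""
    first = dumps[0]
    return {i for i in range(len(first)) if all(d[i] == first[i] for d in dumps)}


def locate_variable(groups):
    """Offsets constant within each group but differing between groups.

    groups maps a known value of the variable under study (e.g. the fare
    balance at the time of the dump) to the dumps collected for that value.
    Each group needs at least two dumps; with one dump every byte is
    'constant within the group' and serials or checksums become false hits.
    """
    for value, dumps in groups.items():
        if len(dumps) < 2:
            raise ValueError(f"group {value!r} needs at least two dumps")
    every_dump = [d for dumps in groups.values() for d in dumps]
    # Global similarities (headers, padding) say nothing about the variable.
    global_const = constant_offsets(every_dump)
    # Differences within a group (serials, checksums) are not the variable either.
    within_const = reduce(set.intersection, (constant_offsets(d) for d in groups.values()))
    return sorted(within_const - global_const)


# Constructed layout (assumption, not a real card format): 4-byte serial,
# fixed header 0xA5, 16-bit big-endian value, 8 bytes of padding, XOR checksum.
def make_dump(serial, value):
    body = serial.to_bytes(4, "big") + b"\xa5" + value.to_bytes(2, "big") + bytes(8)
    checksum = reduce(lambda a, b: a ^ b, body)
    return body + bytes([checksum])


SERIALS = [0x1A2B3C4D, 0x5E6F7081, 0x93A4B5C6]  # constructed; reused in every group


def sample_groups(values):
    """One group per stored value, each holding dumps from three different cards."""
    return {v: [make_dump(s, v) for s in SERIALS] for v in values}


if __name__ == "__main__":
    print(locate_variable(sample_groups([500, 1000, 2500])))  # [5, 6]
    # Values below 256 never change the high byte, so only offset 6 is found:
    # the sampled data must actually vary in the field you are looking for.
    print(locate_variable(sample_groups([5, 7, 9])))  # [6]
```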


forging
The Charlie Ticket


Demo: MagCard and
Reverse Engineering Toolkit
• wrote Python libraries for analyzing magcards
• integrated with the MSR206 reader/writer
• GUI helps visualize and organize data
Can Now Forge Cards


what about other subways?
• Most subway fare-collection systems in the US are made by two major integrators
• Scheidt & Bachmann made the systems for the Boston T, San Francisco BART, Long Island Railroad, Seattle Sound Transit, London Silverlink, etc.
• Cubic Transportation made the systems for NYC MTA, Washington DC WMATA, Chicago CTA, Shanghai Metro, etc.
Are they hackable? Yes!


ATTACK
THE
RFID


learn about your RFID card


MIFARE Classic
• 13.56 MHz RFID smartcard
• End-to-end proprietary “crypto” (Crypto-1)
• 1K memory and a unique identifier on the card
• Over 500 million tags in use



Crypto-1 Cryptanalysis
Crypto-1 was reverse engineered by Karsten Nohl, University of Virginia, in 2007:
• Etched and inspected the silicon wafer using high-powered imaging.
• Found and reconstructed the crypto portions from over 10k gates.
• Found vulnerabilities in the cipher and its implementation






security of the MIFARE card
Mutual 3-pass authentication

Card                                              Reader
              <-------- sector? key A or B? --------
read key
              ---------- random-challenge --------->
              <----- answer, random-challenge ------
verify answer
              --------------- answer -------------->
                                                   verify answer

Each sector has two keys
Non-linear filter functions

KEY IS 48 bits!
PRG IS WEAK!
BIASED filter functions
to execute these attacks we need to interact with the card
choose your hardware








-- So this is how CPU cards that authenticate by "mutually encrypting and decrypting random numbers" get broken...
-- I had always thought they could not be broken without grinding down the chip -- and grinding actually has countermeasures too