This page summarizes all the technical and non-technical attacks on the OV-chipkaart system, in chronological order. This list focuses on the factual descriptions of the attacks, links to detailed information about these attacks, and explicitly not on the political and media hysteria that was triggered by these attacks. There is another page with the political and procedural events. This page tries to include links to all relevant sources.
The quick and rough summary: halfway through 2007, two UVA students found an exploit, reported it, and it was fixed. In December 2007, two Germans published that they were "close to" breaking the mifare classic chip, which is used in the OV-chipkaart for subscribers. In January 2008, a student from the Radboud University Nijmegen found an exploit which cannot be repaired. Also, the Dutch Data Protection Authority criticized the use of information in a particular OV-chipkaart back office as "not in accordance with the law" and "an infringement of privacy".
The UVA Ultralight crack
Movie made by UVA, placed with permission.
In May/June 2007, Pieter Siekerman and Maurits van der Schee, two students of the University of Amsterdam (UVA) investigated the disposable ticket (mifare ultralight), and identified three serious problems. These problems allowed unlimited free travel using only 1 disposable ticket.
Two of the three problems could be addressed by a relatively simple software update in the toll gates. This software update was implemented and deployed at the toll gates by TLS, and it disabled unlimited travel by means of the identified exploit.
The third identified problem, which alone does not allow unlimited travel, still exists, and can only be addressed by a change of architecture.
TLS was informed and addressed the issue. The UVA and TLS made a joint press release on July 2, 2007, in Dutch (English translation). More details can be found in the UVA report. They also made a demo video. The students won the Joop Bautz award 2007 with their research.
The UVA Ultralight attack identified repairable mistakes in the OV-chipkaart infrastructure, but no mistakes in the mifare ultralight chip as such.
The German Classic crack
On December 28, 2007, Karsten Nohl and Henryk Plötz showed their results in dissecting the mifare classic chip (which is used in the subscriber's OV-chipkaart) at the 24th Chaos Communication Congress in Berlin. They physically sliced the hardware and reconstructed its schematics. Though these schematics have some sampling errors, they were able to identify the region of the chip implementing the proprietary CRYPTO1 algorithm. They have not yet fully reverse-engineered CRYPTO1, but it is commonly believed by experts that they will in the foreseeable future. In particular, a "confidential" TNO report (dated 14/1/2008) acknowledges the credibility of the claims of the Germans.
Their results are twofold. Firstly, they are reverse-engineering CRYPTO1, and secondly, they identified weaknesses in the chip that appear to enable a certain kind of spoofing attack. Final results still have to be published, but their slides are already online (Karsten's slides, Henryk's slides).
The results of the Germans do not constitute practical attacks on the mifare classic or the OV-chipkaart system yet. However, they make clear that it is only a matter of time before practical attacks become available.
In the Netherlands, Webwereld first brought the news on January 2, 2008, but it was only picked up when de Volkskrant brought the news to a broader audience on January 8, 2008. This kickstarted massive attention from media and politicians.
The German Classic attack identified mistakes in the mifare classic chip, but no mistakes in the OV-chipkaart infrastructure (other than maybe using the mifare ultralight chip).
TLS commissioned TNO ICT to investigate the claims of Nohl and Plötz and their impact on the OV-chipkaart. This resulted in Reaction to CCC presentation on Mifare cards in December 2007, dated January 14th 2008, which was originally classified but quickly made public. A TNO press release of March 10, 2008 (in Dutch) states that newer claims by Karsten Nohl are in line with this evaluation.
The Radboud Ultralight crack
RTL Nieuws, January 14, 2008, 19:30, placed with permission.
On January 14, 2008, Roel Verdult, a student at the Radboud University Nijmegen, disclosed that he had broken the disposable ticket of the OV-chipkaart system. This disposable ticket uses the mifare classic chip. Using a device called the "Ghost", he can travel for free an unlimited number of times. TLS has been informed, acknowledged the problem, and acknowledged that it cannot be solved without major changes to the OV-chipkaart infrastructure.
Technically, the crack is a "replay attack", a kind of attack that has been known in the security world since the 1960s. Some more details are explained in Roel's report.
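As an added illustration (not from this page, Roel's report, or TLS): a back-office check that flags replayed disposable tickets in constructed gate check-in logs. A single gate sees only a valid-looking card image, which is why the problem cannot be fixed at the gates alone; a back office that correlates check-ins per card can still detect the symptom, because a disposable ticket's trip counter should only ever go down. The log format, UIDs and gate names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of gate check-in records (not real OV-chipkaart data): each line
# carries timestamp, gate id, card UID and the trip counter the gate wrote back.
GATE_LOG = """\
2008-01-14T08:01:12 gate-A1 uid=04A1B2C3 trips_left=2
2008-01-14T08:40:05 gate-B7 uid=04A1B2C3 trips_left=1
2008-01-14T09:15:33 gate-A1 uid=04A1B2C3 trips_left=2
2008-01-14T09:50:47 gate-C2 uid=04A1B2C3 trips_left=1
2008-01-14T10:02:09 gate-B7 uid=04A1B2C3 trips_left=2
2008-01-14T08:05:00 gate-A1 uid=04D4E5F6 trips_left=1
2008-01-14T18:30:00 gate-A1 uid=04D4E5F6 trips_left=0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) uid=([0-9A-F]+) trips_left=(\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, gate, uid, trips_left) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return events


def find_replays(events):
    """Per UID, flag every check-in whose counter did not drop below the previous value.

    A disposable ticket is never reloaded, so its counter must strictly decrease on
    each check-in. A repeated or higher value means a gate accepted a card image
    that had already been spent earlier, i.e. a replayed card state.
    Returns {uid: [(timestamp, gate, previous_counter, observed_counter), ...]}.
    """
    last_seen = {}
    alerts = defaultdict(list)
    for ts, gate, uid, trips in sorted(events):  # ISO timestamps sort chronologically
        prev = last_seen.get(uid)
        if prev is not None and trips >= prev:
            alerts[uid].append((ts, gate, prev, trips))
        last_seen[uid] = trips
    return dict(alerts)


if __name__ == "__main__":
    for uid, hits in find_replays(parse_log(GATE_LOG)).items():
        print(uid, "replay suspected at", [(ts, gate) for ts, gate, _, _ in hits])
```

The card 04A1B2C3 is flagged twice (counter jumps back to 2 after reaching 1); the honest card 04D4E5F6 is not flagged.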
The news was made public by RTL Nieuws on January 14, at 19:30.
This publication resulted in even more attention from media and politicians. An expert hearing and a debate in the Dutch House of Representatives ("de Tweede Kamer") were commissioned.
The UVA Ultralight attack identified mistakes in the OV-chipkaart infrastructure, but no mistakes in the mifare ultralight chip as such.
The Dutch Data Protection Authority report
On January 15, 2008, the Dutch Data Protection Authority ("College Bescherming Persoonsgegevens") published a report (in Dutch) (local copy) in which they criticize a particular use of the OV-chipkaart. That is, they criticize the use of the information that is collected by means of the OV-chipkaart in the back office. The GVB, the public transport company of Amsterdam, uses this information in a way about which the Dutch DPA says:
- The handling of information is not in accordance with the law.
- The linking of the personally identifiable information with travel history is an infringement of privacy that may only occur under very strict conditions.
- Direct marketing may only happen after an explicit opt-in.
- The back office of the GVB is insufficiently protected, both technically and procedurally.
- The GVB does not (sufficiently) inform its clients about what happens with their personal information.
In contrast with the cracks of the OV-chipkaart, where the chips ("front office") are attacked, the criticism of the Dutch DPA addresses the information flow in the back office of the GVB. (In particular, it does not address the back office of TLS itself.)
TNO report "Security Analysis of the Dutch OV-Chipkaart"
On February 26 TNO presented a report (nr 34643) on the security analysis of the Dutch OV-chipkaart, commissioned by TLS. This report is classified, and only part of it has been made public: public excerpt, also available in Dutch.
The Radboud Mifare Classic crack
On March 7 2008, a group of students and staff from the Radboud University Nijmegen demonstrated an attack on Mifare Classic, as it is used in building access control at the university, and presumably in many access control systems around the world. This crack uses an implementation of the CRYPTO1 algorithm, which demonstrates that it has been completely reverse engineered.