security evaluation of the disposable ov chipkaart

Security evaluation of the disposable OV-chipkaart Maurits van der - PowerPoint PPT Presentation

Dec 14, 2022 •578 likes •874 views

Security evaluation of the disposable OV-chipkaart Maurits van der Schee Pieter Siekerman July 4, 2007 Master System and Network Engineering University of Amsterdam Contents Why? What is the OV-chipkaart? How did we do our

  1. Security evaluation of the disposable OV-chipkaart Maurits van der Schee Pieter Siekerman July 4, 2007 Master System and Network Engineering University of Amsterdam

  4. Contents  Why?  What is the OV-chipkaart?  How did we do our research?  Card data  Transactions  Vulnerabilities  Recommendations  Epilogue

  5. Why?  Interesting subject  Vital infrastructure  No technical information publicly available  To improve the system, NOT to promote abuse

  6. OV-chipkaart  National public transport payment card  RFID-based contactless technology  Trans Link Systems  Amsterdam & Rotterdam  Launch: January 1, 2009

  8. Types of cards  Disposable paper card

  9. How?  Public documentation of Mifare Ultralight  Observation of data  Manipulation of data  Lots and lots of trial and error

  11. Contents of a disposable card 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B  512 bits: 16 pages of 4 bytes each

  12. Unique Identifier 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B  Set during manufacture, cannot be changed

  13. Lock Bytes 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B Restrict access to parts of memory to read-  only

  14. One Time Programmable (OTP) Counter 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B  1111 1111 1111 1000  Irreversible counter used to track remaining

  15. User Area 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B  Fully read-write accessible

  16. Card Details 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B  General characteristics: type of card, expiration date

  17. Transactions 04989B8F D1D20280 814800F0 DF33FFF8 C8002002 277CA7C0 0687CB77 8F9D119E C8001002 077CA7C0 9B355ECC 3988DAB6 8E416418 8BB36A4C 1B2F858F 8062A79B  Last 2 transactions are saved  Oldest transaction replaced by new transaction

  18. Transactions C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  19. Transaction counter C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  20. City? C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  21. Transaction type C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  22. Date C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  23. Time C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  24. Encrypted (Station and integrity) C8001002 07732D30 0A920530 5B6EFF53 C8002002 27732E60 26804B14 413F9D8B C0003002 47733000 CCD18C5C 656C88AE C8004002 27733100 018EC4DD 13051785 C0005002 47733130 EA535D22 D2D497EC C0006002 C7733160 BC96C921 18E8911E B8007002 47733190 C2D75857 051705D3 C8008002 27733240 266BA19B B133BA2A

  25. Example C8001002 07732D30 0A920530 5B6EFF53 − 001 = Transaction 1 − 002 = Amsterdam − 0 = Purchase − 773 = June 12, 2007 − 2D3 = 12:03

  26. Vulnerabilities  Disabled defence mechanism − Allows repeated attacks with one card  Repeated check-out − Ride counter is only increased during check-in  Free travel − We could tell you, but then we would have to kill you

  27. Recommendations  Open approach to security research: make detailed technical information about the OV- chipkaart public  Encrypt all data on the Mifare Ultralight cards …  … or stop using Mifare Ultralight cards  Improve public information and employee knowledge

  28. Epilogue  Constructive contact with Trans Link Systems  Combined press release  Vulnerability remains confidential until the problem has been solved  The dilemma of ethical hacking

  29. Questions?

Recommend

/// DISPOSABLE JOURNALISTS? LOCAL INJURED JOURNALISTS IN SYRIA AND THE FUTURE OF CONFLICT

/// DISPOSABLE JOURNALISTS? LOCAL INJURED JOURNALISTS IN SYRIA AND THE FUTURE OF CONFLICT

1 /// DISPOSABLE JOURNALISTS? /// DISPOSABLE JOURNALISTS? LOCAL INJURED JOURNALISTS IN SYRIA AND THE FUTURE OF CONFLICT REPORTING 1 /// DISPOSABLE JOURNALISTS? From the start of the revolution in March 2011 through May 2019, the Syrian

381 views • 11 slides
DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

860 views • 71 slides
Clean Land, Safe Water, Healthy Lives Understanding and Tracking Disposable Bag Consumption in the

Clean Land, Safe Water, Healthy Lives Understanding and Tracking Disposable Bag Consumption in the

Clean Land, Safe Water, Healthy Lives Understanding and Tracking Disposable Bag Consumption in the District of Columbia Disposable Bag Consumption in D.C. Project Objectives 1. Quantify change in bag use. 2. Measure attitudes, experiences with

372 views • 25 slides
Secure recharge of disposable RFID tickets Riccardo Focardi Flaminia Luccio Universit` a Ca

Secure recharge of disposable RFID tickets Riccardo Focardi Flaminia Luccio Universit` a Ca

Secure recharge of disposable RFID tickets Riccardo Focardi Flaminia Luccio Universit` a Ca Foscari, Venezia { focardi,luccio } @unive.it FAST 2011 15-16 September 2011, Leuven FAST 2011 () Secure recharge of disposable RFID tickets

558 views • 34 slides
Chapter 12. Evaluation Research Chapter 12. Evaluation Research evaluation research? evaluation

Chapter 12. Evaluation Research Chapter 12. Evaluation Research evaluation research? evaluation

What are the topics appropriate for What are the topics appropriate for Chapter 12. Evaluation Research Chapter 12. Evaluation Research evaluation research? evaluation research? Evaluation research (program evaluation )s Evaluation

206 views • 4 slides
User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation

User Interface Evaluation Empirical evaluation Heuristic evaluation 1 CS 349 - UI evaluation When does UI evaluation happen? Design Testing and Implementation Development evaluation Testing 2 CS 349 - UI evaluation Types of tests

820 views • 20 slides
Fighting against COVID-19, We are together! Presented by DreamCatcher 32 Types of the COVID-19

Fighting against COVID-19, We are together! Presented by DreamCatcher 32 Types of the COVID-19

Fighting against COVID-19, We are together! Presented by DreamCatcher 32 Types of the COVID-19 Products: Disposable Face Masks for Adults and Children Disposable Medical Surgical Face Masks KN95 Respirator Face Masks N95 Medical Face Masks

808 views • 35 slides
Bathing and Diapering an Infant Unit Two, Lesson Five - Bathing and Diapering an Infant Slide 1

Bathing and Diapering an Infant Unit Two, Lesson Five - Bathing and Diapering an Infant Slide 1

Bathing and Diapering an Infant Unit Two, Lesson Five - Bathing and Diapering an Infant Slide 1 Disposable vs. Cloth Diapers Disposable Diapers Cloth Diapers Advantages Convenient Less diaper rash** Less leaking More

696 views • 8 slides
Disposable vs. Reusable Gowns & Greenhouse Gas Baseline Fairview Medical Center Fairview

Disposable vs. Reusable Gowns & Greenhouse Gas Baseline Fairview Medical Center Fairview

Disposable vs. Reusable Gowns & Greenhouse Gas Baseline Fairview Medical Center Fairview Medical Center Alicia Reigel Alicia Reigel MnTAP Intern 2009 Ad i Advisor: Catherine Zimmer C th i Zi Fairview Medical Center

289 views • 17 slides
DISPOSABLE SURGICAL DRAPES AND CLOTH About us Our company was founded in 2000. The company

DISPOSABLE SURGICAL DRAPES AND CLOTH About us Our company was founded in 2000. The company

DISPOSABLE SURGICAL DRAPES AND CLOTH About us Our company was founded in 2000. The company Zdravmedtekh produces a wide range of medical and surgical gowns, medical drapes, specialized operating sets used to provide high-tech medical care.

627 views • 20 slides
Loop is a global platform that enables consumer product companies and retailers to shift from a

Loop is a global platform that enables consumer product companies and retailers to shift from a

Loop is a global platform that enables consumer product companies and retailers to shift from a disposable supply chain to a durable one. 1 A global platform that enables consumer product companies and retailers to shift from a disposable supply

861 views • 35 slides
AMS Sustainability Goals June 2017-April 2018 1 million disposable coffee cups used at UBC

AMS Sustainability Goals June 2017-April 2018 1 million disposable coffee cups used at UBC

SCD022-18 AMS Sustainability Goals June 2017-April 2018 1 million disposable coffee cups used at UBC annually Mugshare Increasing incentives for reusable foodware Presented price = price of coffee (includes cup, lid and sleeve) Presented

282 views • 11 slides
Femtosecond laser microfabrication technology for the development of disposable polymeric Lab On a

Femtosecond laser microfabrication technology for the development of disposable polymeric Lab On a

Departim imento In Interateneo Di i Fisic isica "M "M. . Merlin rlin" Dottorato di Ricerca in Fisica XXXII ciclo Femtosecond laser microfabrication technology for the development of disposable polymeric Lab On a Chip

707 views • 19 slides
Utah PPE Projections Green River near Moab, Utah PPE Evaluated Gloves Disposable gowns

Utah PPE Projections Green River near Moab, Utah PPE Evaluated Gloves Disposable gowns

Utah PPE Projections Green River near Moab, Utah PPE Evaluated Gloves Disposable gowns Face shields Non-ASTM or ASTM 1 masks FFR masks (such as N95) Hand sanitizer Disinfectant wipes Head and shoe coverings PPE

124 views • 8 slides
Disposable Potentiometric Enzyme Sensor for Direct Determination of Organophosphorus Insecticides

Disposable Potentiometric Enzyme Sensor for Direct Determination of Organophosphorus Insecticides

Disposable Potentiometric Enzyme Sensor for Direct Determination of Organophosphorus Insecticides Authors: Gaberlein, S., Knoll, M., Spener, F., Zaborosch, C. Reviewer: Bax Smith, B.Sc. (Chemistry), B.Eng. (Electrical Engineering), M.Eng.

405 views • 17 slides
Fabric Medical Disposable KN95 + N95 Respirator (NIOSH 95 certification coming shortly) KN95

Fabric Medical Disposable KN95 + N95 Respirator (NIOSH 95 certification coming shortly) KN95

Fabric Medical Disposable KN95 + N95 Respirator (NIOSH 95 certification coming shortly) KN95 Respirator Information 5-Layer Filtration Scheme Filtration Rate >95% Widened Elastic Cotton Rope KN95 Steel Seal Adjustable Nose Clip KN95

306 views • 6 slides
Prophet Forecasting at Scale Sean J. Taylor and Ben Letham Facebook / Core Data Science Outline

Prophet Forecasting at Scale Sean J. Taylor and Ben Letham Facebook / Core Data Science Outline

Prophet Forecasting at Scale Sean J. Taylor and Ben Letham Facebook / Core Data Science Outline Motivation and requirements Review of forecasting methods Curve-fitting as forecasting Uncertainty estimation Tuning parameters

956 views • 36 slides
Observation of the Higgs particle in events and search for the Higgs particle in Z events

Observation of the Higgs particle in events and search for the Higgs particle in Z events

Observation of the Higgs particle in events and search for the Higgs particle in Z events at ATLAS LIU Kun 1 Laboratoire de Physique Nucl eaire et de Hautes Energies (LPNHE) 2 University of Science and Technology of China (USTC) June 24

1.56k views • 73 slides
Analysis of the Effects of Single Event Transients on an SAR-ADC based on Charge Redistribution

Analysis of the Effects of Single Event Transients on an SAR-ADC based on Charge Redistribution

Analysis of the Effects of Single Event Transients on an SAR-ADC based on Charge Redistribution Graduate Program Department of Electrical Engineering Federal University of Rio Grande do Sul - UFRGS Alisson J. C. Lanot, Tiago R. Balen

445 views • 18 slides
Component fluxes of the Carbon balance of Europe and their uncertainties Philippe Ciais

Component fluxes of the Carbon balance of Europe and their uncertainties Philippe Ciais

Component fluxes of the Carbon balance of Europe and their uncertainties Philippe Ciais Laboratoire des Sciences du Climat et de lEnvironnement Gif sur Yvette, France Fossil fuel emissions drive the increase of CO 2 Land and ocean absorb

999 views • 70 slides
Understanding patients: Participatory approaches for the user evaluation of vital data

Understanding patients: Participatory approaches for the user evaluation of vital data

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/234826665 Understanding patients: Participatory approaches for the user evaluation of vital data presentation Article in ACM SIGCAPH

340 views • 8 slides
GDPR Michle le Finck Max Planck Institute for Innovation & University of Oxford THE

GDPR Michle le Finck Max Planck Institute for Innovation & University of Oxford THE

BLOCKCHAINS AND THE GDPR Michle le Finck Max Planck Institute for Innovation & University of Oxford THE GDPR General Data Protection Regulation Dual objective: (i) facilitate the free movement of p. data in the EU: and (ii)

545 views • 9 slides
UAV based remote sensing tools for Smallholders cropping area determination Presenters:

UAV based remote sensing tools for Smallholders cropping area determination Presenters:

UAV based remote sensing tools for Smallholders cropping area determination Presenters: Gonzalo Cucho (CIP/U. Illinois), Elijah E. Cheruiyot (CIP/UoN), and R. Quiroz (CIP) Reducing the cost of your UAV platform through custom made

476 views • 30 slides
Introduction to Classes Gaddis Ch. 13 CS 2308 :: Spring 2016 Molly O'Neil Procedural Programming

Introduction to Classes Gaddis Ch. 13 CS 2308 :: Spring 2016 Molly O'Neil Procedural Programming

Introduction to Classes Gaddis Ch. 13 CS 2308 :: Spring 2016 Molly O'Neil Procedural Programming Programming paradigm centered on the actions that take place in a program Data is stored in variables Perhaps using arrays and structs

739 views • 41 slides

More recommend