Public Transport card fully hacked

What experts foresaw last December, and what the Dutch research institute TNO denied was possible in its recent report, has now been done. The deepest level of data encryption on the NXP Mifare RFID chip has been broken. Stored value can now be copied from one card to another by cloning, and that makes this system utterly unsuitable for serious applications involving real people and real money.

But this is essentially old news. The more interesting news, as far as I’m concerned, is that TNO was immediately re-hired by the company implementing the card system to do more research on the validity of the hack. You have to wonder what the thinking is here. This company dropped the ball on at least three separate occasions in this area, so why do they get another chance to write a big report claiming ‘there is no problem’? And this is not the first time: on the sensitive subject of voting computers (now banned in The Netherlands) they also kept telling us ‘all is well‘.

If you merely want a paper to reassure yourself, just ask the secretary to print out a pretty picture from the Interweb with a caption that says ‘everything will be ok’. That’s a lot cheaper than hiring a company like TNO, and apparently just as valid.

Does TNO just write down whatever the customer asks of them, or do they really not know any better? Either alternative is troublesome. As an important expert adviser to the government, TNO should be held to a higher standard. When faced with an impossible request from a client they should respectfully decline the job and explain that the client’s request is either technically impossible or not in line with laws concerning citizen privacy and such.

Our government (and parliament!) allowing such organizations to indirectly guide technology policy is a real problem that will continue to cost us dearly (in real money, privacy violations, theft and missed technology opportunities).

Next up for big IT projects is a road-toll system that should allow for more flexible (pay-as-you-go) costs of owning and using a car. Hopefully it won’t be as insecure as this project; that could be expensive for the government or the citizen (or both).

Update: Tomorrow there will be a meeting in parliament on this matter. The independent experts (the ones that got it right from day 1) have decided to boycott this meeting since they are not allowed access to the ‘secret’ paragraph of the most recent TNO report. They wisely refuse to legitimize more ‘security-by-obscurity‘ bullshit.