CybersecurityStudents writing their own tickets

Four students at the University of New South Wales say they have cracked the secret algorithm used in Sydney’s public transportation system, which will allow them to print their own tickets.

Damon Stacey, Dougall Johnson, Karla Burnett, and Theo Julienne gave a presentation at the Ruxcon security conference in Melbourne last month. In a “white hat” ethical effort, the group decided not to name the organization affected, but Transport for NSW has come out and admitted they were the affected organization.

The Sydney Morning Herald reports that Transport for NSW, which runs a system of trains, buses, and ferries, said that it has talked with the group and has been working to minimize the risk of fare evasion and that for “security purposes” it will not provide details about the actions that have been taken or what measures have been put in place to prevent fraud.

Julienne told Fairfax that he and the rest of the group collected almost 1,000 used tickets purchased over five years and analyzed the data on them to work out how it was stored and encrypted.

“We looked for correlations — bits of data that were the same across similar tickets, and slowly found enough patterns to work out the entire algorithm used to encode the ticket,” Julienne said. “We have not written tickets, but we are certain that it is possible seeing as we have uncovered every aspect of the algorithm.”

Julienne and the other students say they are interested in public transportation systems and how the data was encrypted, so they began to look at the ticketing system and what protections the system had in place against users attempting to use fraud.

In order to crack the algorithm used on the tickets they collected, Julienne said the group spent about $300 gathering magnetic card readers and a few specially purchased tickets, and along with their laptops spent “a few weeks” working late nights and a few full days as well.

“We were surprised at how simple the encryption was,” Julienne told the Morning Herald. “Ideally cryptography should be impossible to crack, even if a potential attacker or reverse engineer knows every detail about how it is implemented. This system on the other hand is relying completely on users not knowing how it is implemented, which may have been fine when it was introduced in the early ’90s because much fewer people had access to the technology required to read the tickets, or computers fast enough to analyze the data.”

Julienne told Fairfax that he and his team did not write their own tickets, even though it is “absolutely certain” that they could, considering they know every detail of the algorithm. Julienne said that Transport for NSW knew the algorithm had flaws.

“They said they were already aware of the potential flaws, but it was a large and expensive operation to change the tickets.” Julienne told the Morning Herald.

Transport for NSW said that it will gradually introduce a new electronic ticketing system to Sydney’s transportation system later this year that will not have the cracked magnetic strip on paper tickets.