RATB/Metrorex Card Activ Hacked

11/14/09 | by zveriu | Categories: Hardware, Software, Hack, RFID

…and “Mifare Classic Dark-Side Key Recovery Tool” released under GPL!

Well… It was about time for RATB/Metrorex Card Activ in Bucharest to fall… And it is not even news. OV Chipkaart in the Netherlands and Oyster Card in London were broken in the near and not so near past…

RATT Contactless Ticketing in Timisoara and EasyCard in Taipei are the next samples of cards to be “hacked”, i.e. the keys are recovered and only the data remains to be analyzed.

Mifare Classic is both theoretically and practically broken in both active (sniffing) and passive (card-only) attack scenarios.

Thanks to ignorance, lots of money/interest (14 million euros) and UTI/PMB (Primaria Municipiului Bucuresti/Bucharest City Hall) involvement, RATB/Metrorex still uses Mifare Classic.

Hell ya, where are they gonna go? It’s a logistical nightmare to upgrade the readers in the entire RATB fleet and at all Metrorex entrances and to manage the exchange of the 800.000 cards already sold, not to mention the additional several million euros for equipment and software upgrades…

Even though researchers have been blowing the whistle since last year, no system integrator or vendor seems to care :). Well, it seems that a few smart guys (and not pointing to me, I just implemented what others had known and researched for a long time) can fcuk up dozens of systems, each costing millions of euros.

Nice equation: (a dozen of smart guys * their brain IQs of Millions) >>>OUT-WEIGHTS>>> (the dozens of projects * XX Millions of Euros)

Long story short, here we go - food for the brain (yes - food for the brain, not spoon-feeding - note the difference):

RATB/Metrorex Mifare Card Security Assessment Document (PDF)

RATB/Metrorex Mifare Card Security Assessment Document (MS Word 2007)

MFCUK (MiFare Classic Universal toolKit) http://code.google.com/p/mfcuk/

Enjoy!

PS: (14 Nov 2009)
Ironically, on the night of publishing this paper/post and the open-source/binary for key recovery, UTI posted this news: “Cardurile de călătorie RATB se pot reîncărca online sau la bancomat (13 noiembrie 2009)” (i.e. “RATB cards can now be topped-up online or at some BCR ATMs”).

DISCLAIMER: The information and reference implementation source/binary contained herein is provided:

  • for informational use only as part of academic or research study, especially in the field of information security, cryptography and secure systems
  • as-is without any warranty, support or liability - any damages or consequences resulting from consulting this information are purely the responsibility of the reader
  • NOT to be used in illegal circumstances (for example to abuse, hack or trick a system which the reader does not have specific authorization for - such as ticketing systems, building access systems or any other systems using Mifare Classic as core technology)