Free ride: students crack ticket algorithm
A team of university students in Sydney have cracked the secret algorithm used on Sydney's public transport tickets for buses, trains and ferries, which they say could allow them to print their own tickets.
The students – Damon Stacey, Dougall Johnson, Karla Burnett and Theo Julienne – presented their research at the Ruxcon security conference in Melbourne last month but did not name the organisation affected, a common practice for ethical "white hat" security researchers not wishing to do damage to an organisation.
Since the talk was delivered and reported by specialist IT security publication SCMagazine, Transport for NSW has owned up to being the affected organisation in an emailed statement to Fairfax, in which it said it had met with the group and taken steps to minimise the risk of fare evasion. For "security purposes" it said it didn't want to provide any detail about what action it had taken or what measures were in place to prevent fraud.
The Sydney university students who cracked the algorithm used on Sydney transport tickets ... Theo Julienne, Karla Burnett, Damon Stacey and Dougall Johnson Photo: Darren Pauli/SCMagazine
In an email interview with Fairfax, Mr Julienne, of UNSW, said he and the other researchers took about 1000 used tickets purchased over about five years and analysed the data on them to work out how it was stored and encrypted.
"We looked for correlations – bits of data that were the same across similar tickets, and slowly found enough patterns to work out the entire algorithm used to encode the ticket," Mr Julienne said. "We have not written tickets, but we are certain that it is possible seeing as we have uncovered every aspect of the algorithm."
Mr Julienne said he and the other university students started looking at a public transport's ticketing system because they were fans of public transport and interested in how the data was encrypted. They were also interested in what protections were in place against malicious users creating fake tickets, Mr Julienne said.
Cracked ... a team of students has worked out the algorithm used on Sydney's public transport tickets, including the rail network. Photo: Wolter Peeters
To crack the algorithm used on the transport system's tickets they targeted, Mr Julienne said he and the other students used about $300 worth of equipment (magnetic card readers and some specially purchased tickets), their laptops and a "a few weeks" worth of their time at night (a few days of which was full-time work).
"We were surprised at how simple the encryption was," Mr Julienne said. "Ideally cryptography should be impossible to crack, even if a potential attacker or reverse engineer knows every detail about how it is implemented. This system on the other hand is relying completely on users not knowing how it is implemented, which may have been fine when it was introduced in the early '90s because much fewer people had access to the technology required to read the tickets, or computers fast enough to analyse the data."
Mr Julienne assured Fairfax that he and the other students had not written their own tickets, though was "absolutely certain" that it would be possible since he and the others knew every detail about the algorithm.
Their suspicions of being able to print tickets were confirmed by the reaction from the transport organisation affected when they met with it to inform it of their research, Mr Julienne said. "They said they were already aware of the potential flaws, but it was a large and expensive operation to change the tickets."
In a statement, Transport for NSW said that it was a serious offence under the Rail Safety (Offences) Regulation 2008 to travel without a valid ticket. "This includes a ticket which has been altered."
It added that the new electronic ticketing system to be gradually introduced to Sydney's transport system starting with a testing period later this year did not use the cracked magnetic stripe used on paper tickets.