Free ride: students crack ticket algorithm

Meet the ticket hackers

One of the students who 'white' hacked Sydney's ticket system explains the principles behind how it was done.

A team of university students in Sydney have cracked the secret algorithm used on Sydney's public transport tickets for buses, trains and ferries, which they say could allow them to print their own tickets.

The students – Damon Stacey, Dougall Johnson, Karla Burnett and Theo Julienne – presented their research at the Ruxcon security conference in Melbourne last month but did not name the organisation affected, a common practice for ethical "white hat" security researchers not wishing to do damage to an organisation.

Since the talk was delivered and reported by specialist IT security publication SCMagazine, Transport for NSW has owned up to being the affected organisation in an emailed statement to Fairfax, in which it said it had met with the group and taken steps to minimise the risk of fare evasion. For "security purposes" it said it didn't want to provide any detail about what action it had taken or what measures were in place to prevent fraud.

Cracked ... a team of students has worked out the algorithm used on Sydney's public transport tickets, including the rail network.

In an email interview with Fairfax, Mr Julienne, of UNSW, said he and the other researchers took about 1000 used tickets purchased over about five years and analysed the data on them to work out how it was stored and encrypted.

"We looked for correlations – bits of data that were the same across similar tickets, and slowly found enough patterns to work out the entire algorithm used to encode the ticket," Mr Julienne said. "We have not written tickets, but we are certain that it is possible seeing as we have uncovered every aspect of the algorithm."

Mr Julienne said he and the other university students started looking at a public transport ticketing system because they were fans of public transport and interested in how the data was encrypted. They were also interested in what protections were in place against malicious users creating fake tickets, Mr Julienne said.

The Sydney university students that cracked the algorithm.

To crack the algorithm used on the tickets of the transport system they targeted, Mr Julienne said he and the other students used about $300 worth of equipment (magnetic card readers and some specially purchased tickets), their laptops and "a few weeks" worth of their time at night (a few days of which was full-time work).

"We were surprised at how simple the encryption was," Mr Julienne said. "Ideally cryptography should be impossible to crack, even if a potential attacker or reverse engineer knows every detail about how it is implemented. This system on the other hand is relying completely on users not knowing how it is implemented, which may have been fine when it was introduced in the early '90s because much fewer people had access to the technology required to read the tickets, or computers fast enough to analyse the data."

Mr Julienne assured Fairfax that he and the other students had not written their own tickets, though he was "absolutely certain" that it would be possible since he and the others knew every detail about the algorithm.

The Sydney university students that cracked the algorithm used on Sydney transport tickets ... Theo Julienne, Karla Burnett, Damon Stacey and Dougall Johnson.

Their suspicions of being able to print tickets were confirmed by the reaction from the transport organisation affected when they met with it to inform it of their research, Mr Julienne said. "They said they were already aware of the potential flaws, but it was a large and expensive operation to change the tickets."

In a statement, Transport for NSW said that it was a serious offence under the Rail Safety (Offences) Regulation 2008 to travel without a valid ticket. "This includes a ticket which has been altered."

It added that the new electronic ticketing system, to be gradually introduced to Sydney's transport system starting with a testing period later this year, did not use the cracked magnetic stripe used on paper tickets.

This reporter is on Facebook: /bengrubb
