News - May 10, 2012

Hacker cracks Wageningen UR pass

A hacker calling himself 'Przewalski Horse' sent the Resource editorial staff an unusual message a few weeks ago: apparently he had managed to adapt a public transport smart card so that it could be used in the drinks vending machines and photocopiers on the Wageningen campus.

Stills from the hacker's film clip.
After an exchange of e-mails - the student insists on remaining anonymous - he sent some clips proving that the card works. He also explained his motive: to show how 'easy' it is to crack Wageningen UR's system. In the end he sent Resource the ultimate proof: the hacked public transport card. It does indeed have all the functionality of a standard staff pass: free coffee and copying facilities plus access to a number of buildings.
Clever work, says IT specialist René de Koster, who, together with the acting security manager, studied the card at the request of the editors to see whether Przewalski Horse really had managed to break Wageningen UR's card system. The answer is yes. The hacker has managed to copy the data on a staff pass and transfer this information to a public transport smart card. 'We knew this was theoretically possible but this is the first time we have seen it done in practice', says the security manager. He recalls how the Nijmegen student Roel Verdult managed to crack the public transport smart card a few years ago. The card contains NXP's so-called MIFARE chip, which is also in the Wageningen passes. 'We have known ever since then that the cards can in principle be copied.' He says the reason the passes have not been replaced is a simple assessment of the risks. 'Copying costs a lot of time and energy while the rewards are relatively low: free coffee and copying facilities. If you go one step further, for example by starting a trade in copied passes, alarm bells will soon go off in the financial department when they see one pass being used so intensively. They will then block that pass.'
'A day's work', e-mails Przewalski Horse in answer to our inquiries. 'You need some equipment, a reader that can be bought for a couple of tenners. All the instructions you need are on the Internet.' He saw it primarily as a challenge. 'Just to see whether it can be done.' But there is still the burning question of whose pass he actually copied. 'Lecturers sometimes leave a pass lying around. Some students just pocket them but I hand them back nicely. Although not without first "studying" the pass...'
The IT specialists say that is perhaps the most important lesson: staff are often careless with their passes, not realizing that they are creating a security risk. This particular lecturer is now wise to this: his or her pass has been permanently blocked. No other measures have been taken. 'Our risk assessment remains unchanged', concludes De Koster. But they are pleased that Przewalski Horse did not tinker with the pass for personal gain. Because of this, they do not view the hacking as a criminal offence. 'We have learned from this too.'