Password Leak Analysis
Everyone who buys a monthly or yearly ticket with the SBB – the Swiss Federal Railways – will receive a SwissPass. There’s not a lot of print on this new red card. Suspiciously absent is information as to what kind of ticket the client actually bought.
SwissPass stores client data electronically. Conductors scan the credit card size device and request your client data from a database that SBB maintains. The technology behind this system is called RFID.
RFID stands for Radio Frequency Identification which allows a scanner to identify an object that has an RFID tag attached to it using electromagnetic waves. This system requires two things: A transponder – also known as the tag – and a scanner.
Most smartphones are able to read RFID tags because they’re capable of reading NFC tags. NFC stands for Near Field Communication which is a subset of RFID and therefore the technology is closely related. More specialized hardware can read RFID tags over a greater distance.
SwissPass has two built-in RFID tags, according to its official publications concerning the new card. On one of these tags, says SBB spokeswoman Lea Meyer, the client identification number is stored. It’s this number that the train conductor scans and then gets data from.
The tag is a passive and stupid device. On its own, it does not transmit any data, unlike, say, a mobile phone that constantly receives and transmits data.
But a RFID tag always replies when it’s being asked to. It will always reply with the exact same information because it is not intelligent enough to discern between requests and who’s asking. In order to get that reply from any tag, interested parties need a scanner.
RFID scanners are devices that send a request to any tag in their range, which causes the tag to answer.
Scanners are cheap. They go for at least 14 US Dollars on online auctioning platform eBay but can cost more, depending on requirements. They allow users to request data from an RFID tag without requiring physical contact with the tag itself. The scanner penetrates clothing and regular wallets with ease.
Lea Meyer says that the SBB had to face a challenge here: Trains are constantly on the move and therefore services can’t be guaranteed if the train is somewhere where there’s no internet connection. The scanners SBB uses synchronize with the server and store the entire customer database locally. To avoid people stealing conductor’s devices and then having access to all client data, the scanners are password protected.
RFID tags are not only used in SwissPasses issued by the SBB. Most credit card manufacturers include the technology in their cards in order to allow their clients to use NFC to pay without having to dig around their wallet to find their credit card. Banks do the same with most ATM cards. Biometric passports such as Switzerland’s E-Pass 10 also stores data on built in RFID tags.
Because using RFID tags to pay for goods or quickly exchange information, it is to be assumed that RFID technology will be increasingly prevalent in every day life.
Famous and established RFID systems are access to public transport. For years now, London’s Underground has restricted access to all stations unless pass holders have an Oyster Card which has an RFID tag built into it.
The range at which a RFID scanner can read a RFID tag depends on the tag’s frequency. According to online magazine RFID Journal tags can be read from a distance of 100 centimetres. Manufacturers like SkyRFID sell passive RFID tags that can be read from a distance of up to 300 centimetres. The reading distance also depends on the material the tag is attached to. Metal, for example, can act as both an antenna but also as a shield. More about that later, though.
To give you a bit of dimension: Type SBB-CFF-FFS RABDe 500 trains used by SBB are 283 centimetres wide.
At a first glance, SwissPass brings four risks with it:
SBB try their best to avoid interference of any kind, including theft, by third parties. But according to a flyer published by SBB, the Swiss Railways sell client data to exploit marketing opportunities.
Criminals and other data collectors can easily gain access to the data stored on the RFID tags. Because, remember, the tag always answers when it’s receiving a request.
That means that not just SBB but also everyone else with the right equipment can read the data on the RFID tags built into SwissPass. To do this on a larger scale, all that’s needed is a scanner in a strategically smart position such as at platform entry or near a train door. Because scanners are light and portable – every conductor has one on their person – a person can easily just hang out near the train door and collect large amounts of data that way.
Using the same method, SBB can read RFID data on the platform. All they would need is an antenna near the entry to a platform or atop of a billboard on the platform itself.
To make things hard for criminals, SBB has employed a simple but effective trick. A flyer states the following (translation mine):
SwissPass does not store any customer data or services purchased. SwissPass only stores a technical number of identification.
Thus, the biggest immediate bounty a thief could get is a number that, according to pictures of SwissPass, is made up of three letters and three digits. According to Lea Meyer, this is the same number existing clients have on their current train passes.
However, data transmission as seen in SwissPass does open up new attack vectors. Should an attacker manage to correlate or reverse data stolen from SwissPass with data on SBB’s server, then he or she has access to a plethora of information about SBB’s customers.
This method is not new. US TV channel WREG Channel 3 News has reported on RFID skimming back in 2010. But they were by far not the only ones.
Using this information, an attacker can spoof the data that is emitted by the RFID tag. That’s why scip AG has been keeping a watchful eye on the technology for the past five years. In a Proof-of-Concept, scip co-founder Marc Ruef has proven that spoofing someone’s identity using RFID is easily done.
With the introduction of SwissPass, SBB gains a lot of opportunity to exploit data for marketing pruposes. The company has announced that it is going to pass on data to third parties. The flyer states (translation mine):
The data is being analysed for marketing purposes and help the transport companies to adjust their services to client demands as well as to expand the goods they offer.
The data is being used for marketing purposes in accordance with the Federal Act on Data Protection. At all times, clients have the right to withdraw permission from the transport companies to analyse their individual data for marketing purposes.
This means that SBB, whenever a conductor scans a SwissPass, records data such as date, time and most likely some kind of location data. Either GPS coordinates or the ID of the train. Using this data it is possible to find out a place of residence, correlating location with time, and who works where. This data alone allows SBB to better deploy their services such as the Starbucks Carriages, putting them into trains where they can have the maximum amount of people in their main client segment as possible on the train.
I have collected further possibilities how seemingly harmless data tell a lot about you and your life in the article titled Data Correlation – How it Works.
SBB offers their clients to opt out of commercial exploitation. How that will work is unknown at this point.
In order to avoid third parties from gaining access to the data stored on any RFID tag you carry with you, you need a Faraday Cage that blocks the RFID scanners. A scanner can only send a signal to an RFID tag when the tag is physically removed from the Faraday Cage. There are many vendors online that offer RFID proof wallets such as Swicure, ID Stronghold, CryptAlloy or Epiguard. Purchasing such a wallet will not affect the magnet strips on your cards.
To demonstrate the effect of one such wallet, we’ve tested this using nothing but a mobile phone – a Samsung Galaxy S3 i9300 – an RFID tag and two wallets that employees of scip AG use in their daily lives. These wallets usually contain ATM cards as well as credit cards.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here