Dutch RFID transit pass cracked and cloned

Melanie Rieback, who worked on the RFID Guardian, sez,
Roel Verdult, an MSc. student from the Radboud University of Nijmegen, used an RFID tag emulator to perform a successful practical relay attack on the single-use OV Chipkaart (the Dutch RFID public transportation card), that uses MIFARE Ultralights (no crypto).

There's a video of the relay attack available. The video speaks for itself.

Roel used a homemade tag emulator that was modeled after Kfir and Wool's "ghost and leech", to perform a simple relay attack. However, anyone can perform the same attack using the RFID Guardian, whose HW/SW is freely available.

PDF Link


  1. The Dutch transit pass is really getting hammered for the use of this MIFARE RFID chip. First the new national pass is now delayed because of the hack demonstrated at last year's CCC.
    And now this one-time transit pass is hacked.

    It’s time to see that firstly RFID is NOT the solution, and secondly security-through-obscurity is not the way to protect your system.

  2. Well, everyone knows mass transportation should be FREE. Transportation is like information! Really.


  3. the problem is, preventing bypassing of the security of public transport is prohibitive, because public transport implicitly runs at a loss anyway. in most pre-rfid districts anyone with the will can fabricate perfectly acceptable public transport tickets. and i doubt there will be any difference post-rfid, except increasing the losses to the city councils operating them.

    i agree with the sentiment about making public transport free. the problem is, when it comes down to it, the cost of it will only increase the more that operators try to prevent free riders.

    perhaps it would be a more beneficial view of it to think of public transport as a means to facilitate greater levels of trade, which indirectly improves rates of taxation revenue.

    so all we have to do is get rid of this federal tax nonsense and let taxation operate on a regional basis with a transparent purpose rather than the present obfuscation and diversion of the majority of it to military and intelligence operations. then people could develop a more region-appropriate type of defense, rather than this nonsensical nationalistic militarism. (if you talk to any military person they will tell you straight up that every territory has different defense characteristics, some areas are indefensible, some are easy to defend, some have nothing worth defending…)

    amongst other things.

  4. Using tickets or tokens for public transport is not the only solution.

    The Calgary LRT uses an honour system with random spot checks. You just walk on. If you paid for a ticket, well and good, but there are no ticket checkers. There are random checkers who can ask anyone to see their ticket. If you don’t have it, it’s a fine. A friend who rides regularly tells me she’s computed the average cost and it’s about the same whether or not she buys a ticket.

    Note that my information on all this is ten years out of date, so it may all be false now. But I do know that for a long time this was the way the Calgary system worked, and it worked well.

  5. The Dutch metro (and tram) system has gradually been moving from an honor system with spot checks to having conductors and controllers all over the place. At least in the 14 years I’ve been living here.

    From an article that was published today:

    The CBP (Dutch Bureau for Protection of Personal Data – yeah, we’ve got one of those) is threatening to impose fines on the GVB (Amsterdam public transport company) if it doesn’t comply to the law in the use of the new card. The fines are so high that they could lead to the bankruptcy of the company. Later on in the article, the chairman of the CBP is basically quoted as saying: “Threatening language? You betcha!” I think I like this guy…

  6. More: I used to live in a big city with mass trans. It cost a lot to get around that city and I really do think it should be free. Tax money can be spent on a never-ending list of things, but allowing people to use a train or a bus for free has to be a sign that the culture is on the “right track.” And free bikes in Chicago wouldn’t have solved the problem. Yikes, I’m starting to sound like a socialist.

  7. RFID is not the inherent problem here, IMHO…it is the use by the transit authority of a non-encrypted standard for transactions that have monetary value.

  8. The transport authority of Rotterdam ‘RET’ said in a statement today that the card will remain in use, despite all the complaints and the hacks.
    That’s either a show of guts, or sheer stupidity.

    Also from the CPB came the statement that the travelling records (and more) of every traveller are stored for 7 years. Scary!

  9. What’s the big deal if a handful of people can spend a bunch of time and money and get “free” train rides? For the transit company, it would probably cost more if they made it more secure versus just letting some freeloaders on – who risk fines or jail if caught.

  10. #8, zosa: it’s encrypted alright, but mostly through obscurity, or at least that’s what we think…

  11. @#10, dculberson, right now, it’s just a handful, but this hack could become so easy to do, that everyone could do it.
    What the hack basically is, is make a clone copy of the pre-paid card. Then use it during transit, and later put the copy back, making the amount back to its original state, meaning you have a full card again.
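
The clone-and-restore trick described in comment 11 leaves a trace a transit back office can look for: a card whose stored value fails to go down between two validations with no reload in between. The sketch below is an added example, not part of the original post, the comments or any operator's system; the log format, event names and card UIDs are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample validator log (not real data):
# (timestamp, card_uid, event, rides_left)
# "validate" = gate read the card after deducting a ride (assumed semantics)
# "reload"   = authorised top-up recorded by the back office
SAMPLE_LOG = [
    (1000, "04A1B2C3", "validate", 1),
    (1600, "04A1B2C3", "validate", 0),
    (9000, "04A1B2C3", "validate", 1),   # value back up with no reload: rollback
    (1100, "04D4E5F6", "validate", 4),
    (5000, "04D4E5F6", "reload", 10),    # legitimate top-up
    (5200, "04D4E5F6", "validate", 9),
    (1200, "04778899", "validate", 2),
    (1300, "04778899", "validate", 2),   # ride taken, value unchanged: restored state
]


def find_rollbacks(log):
    """Return {card_uid: [(timestamp, trusted_value, seen_value), ...]} for
    every validation whose stored value is not strictly lower than the last
    value the back office trusts for that card."""
    trusted = {}                 # card_uid -> lowest value seen since last reload
    alerts = defaultdict(list)
    for ts, uid, event, rides_left in sorted(log):
        if event == "reload":
            trusted[uid] = rides_left        # reloads legitimately raise the value
            continue
        prev = trusted.get(uid)
        if prev is not None and rides_left >= prev:
            alerts[uid].append((ts, prev, rides_left))
        # Keep the lowest value so a restored card keeps alerting on later rides.
        trusted[uid] = rides_left if prev is None else min(prev, rides_left)
    return dict(alerts)


if __name__ == "__main__":
    for uid, hits in find_rollbacks(SAMPLE_LOG).items():
        for ts, prev, seen in hits:
            print(f"{uid}: t={ts} expected < {prev}, card reported {seen}")
```

This check only works if gates report reads to a central system; a card with no on-chip cryptography cannot prove its own state to an offline reader.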
