
Free ride on Gautrain?

By Nicola Mawson
Johannesburg, 06 Dec 2012
The Gautrain card was successfully hacked two years before the rapid rail link came into operation.

The contactless card solution used on the Gautrain is susceptible to being hacked, and academics did just that at least two years before the rapid rail project went live.

Commuters using the train need to load a card with cash before they can proceed through the turnstiles, swiping the card at the gate to gain access to the station. The system used is the Mifare Classic 4k, which was partially hacked in 2007.

Researchers Henryk Plötz and Karsten Nohl presented the hack at the Chaos Communication Congress in December 2007. They showed how they partially reverse-engineered the algorithm used in the card.

Computerworld explains that Nohl and Plötz reverse-engineered the cryptography on the Mifare chip: they examined the card under a microscope and with the open source OpenPCD RFID reader, and took several in-depth photographs of the chip's architecture.

The researchers sliced off the minuscule layers of the chip and took photos of each layer. They then wrote scripts, scanned for clues for the cryptographically important regions of the chip and reconstructed the circuit.

Nohl and Plötz uncovered several potential security risks, including a 16-bit random number generator that was easy to manipulate.

Chip vulnerability

In 2008, a complete reverse engineering of the card was done. The researchers, from Radboud University Nijmegen, in the Netherlands, were able to clone and manipulate the contents of the card.

About a year ago, Dutch manufacturer Trans Link Systems (TLS) released an updated card, which is better protected against fraud. However, professor Bart Jacobs, from the Radboud University Nijmegen, who consulted to TLS, admitted the new smart cards are tamper-proof only until the chip is cracked.

Hacking the card would allow the perpetrator to load it with fake money, and ride the train and supporting bus network without paying.

The Gautrain started operations on 5 June 2010, and runs between Johannesburg and Pretoria and also links up to OR Tambo International Airport.

Aware

Bombela, the concessionaire that runs the train and associated bus system, says it is "well aware of the limited security risks surrounding the Mifare 4k contactless smart card". The Mifare is the most widely used contactless card for transport in the world.

"As with any system in the world, the potential for individuals to 'hack' the system exists, but extensive checks are run on a daily basis to detect suspicious behaviour and stop this from happening as soon as possible."

The contract for the contactless e-ticketing solution was awarded in 2007 to Thales Transportation Systems and its local partner SIMS. The system selected was, and remains, fully compliant with the concession specification.

Bombela has no plans to replace the system, and will not disclose whether the card has been hacked in SA. It says hacking the Gautrain cards can have a potential revenue impact, but because back-office checks are done on a regular basis, the risk and potential impact are minimised.
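The back-office checks Bombela describes are not detailed in the article; the following is an added illustration, not Bombela's or Thales's code, of how a central ledger can catch a stored-value card that carries money the operator never sold, and a card id that turns up at two stations too close together to be one physical card. The event format, cent amounts, station names and the 600-second travel threshold are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class TopUp:
    card_id: str
    amount: int        # cents, as recorded centrally at the point of sale

@dataclass(frozen=True)
class Tap:
    card_id: str
    ts: int            # seconds since midnight (constructed clock)
    station: str
    fare: int          # cents the gate deducted
    card_balance: int  # balance the card itself reported after the deduction

def reconcile(topups, taps, min_travel_s=600):
    """Replay one day's events; return {card_id: [reasons]} for cards to hotlist.

    shadow[card] is the balance the back office can account for.  A card
    reporting more than that carries value that was never sold.  Two taps on
    one id at different stations less than min_travel_s apart suggest a clone.
    """
    shadow = defaultdict(int)
    for t in topups:
        shadow[t.card_id] += t.amount
    flags, last_tap = defaultdict(list), {}
    for tap in sorted(taps, key=lambda t: t.ts):
        shadow[tap.card_id] -= tap.fare
        if tap.card_balance > shadow[tap.card_id]:
            flags[tap.card_id].append(
                f"balance {tap.card_balance} exceeds ledger {shadow[tap.card_id]}")
        prev = last_tap.get(tap.card_id)
        if prev is not None and prev.station != tap.station \
                and tap.ts - prev.ts < min_travel_s:
            flags[tap.card_id].append(
                f"{prev.station}->{tap.station} in {tap.ts - prev.ts}s")
        last_tap[tap.card_id] = tap
    return dict(flags)

# Constructed sample day: C1 is honest, C2 reports value the ledger never saw,
# C3 appears at two stations 100 s apart.
TOPUPS = [TopUp("C1", 10000), TopUp("C2", 5000), TopUp("C3", 5000)]
TAPS = [
    Tap("C1", 28800, "Johannesburg", 2500, 7500),
    Tap("C2", 28900, "Pretoria", 2500, 9500),
    Tap("C3", 29000, "Johannesburg", 2500, 2500),
    Tap("C3", 29100, "Pretoria", 2500, 0),
]
```

Calling `reconcile(TOPUPS, TAPS)` flags C2 and C3 and leaves C1 alone; in practice the flagged ids would be pushed to the gates' hotlist so the card is refused rather than the fraud merely logged.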

"Extensive checks and systems are in place to prevent and detect any form of hacking of the Gautrain Mifare 4k cards and shut it down immediately. If any form of hacking should be detected, legal proceedings will be implemented to take action against the perpetrator(s)."

According to recent reports, 28 000 commuters make use of the Gautrain and its supporting bus infrastructure per day.