Beginning of this year, there was a small buzz in the Belgian security landscape about a RFID card (The BMC – “Belgian Mobility Card“) being introduced by the company in charge of the public transports in Brussels (previous article here).
A few months later, what changed? Almost nothing! If the original planning to deploy the cards won’t be respected, more tests will be performed during 2010. We can expect a massive deployment by 2011 or 2012. Read the article from the Belgian press on datanew.be (in French, Google translation here).
In May 2009, the university of Louvain-la-Neuve released interesting material about the security issue with RFID chips. Regarding the BMC, they released a piece of code able to decode the information present on the card:
- Holder name,
- Last three validations (timestamp, bus line, bus stop, station, etc),
- Some other additional technical data.
Due to pressure from the STIB, they brought everything offline. Instead of trying to hide potential vulnerabilities, why don’t they try to fix them? In contrast to what they say, it could be very easy to read information from the chip: a laptop, an RFID reader, some piece of software and you’re ready. By reading personal information, social engineering attacks could be greatly facilitated. Example: people working for a financial or military organization could be tracked if they take the bus line just in front of their office. Using their name and zipcode, it could be easy to find where they live. You can imagine a plenty of other scenarios.
Let’s hope that authorities and the responsible Minister, Hilde Crevits, will be aware of those issues.