Perth SmartRider public transport cards popped by student researchers

University students in the Australian city of Perth have landed in hot water, with one charged by Police, after finding and exploiting severe holes to rewind travel charges incurred using the city's SmartRider public transport smart card. The Murdoch University students reported the flaws to SmartRider operator TransPerth and …

  1. glen waverley
    Big Brother

    Enquiring minds want to know

    Further and better details are needed! What was the hack?

    Disclosure: I have a SmartRider card.

    1. Anonymous Coward
      Anonymous Coward

      Re: Enquiring minds want to know

      I don't know the actual attack that they used, but Mifare Classic has been completely compromised, so they have plenty to choose from. An example is something like this: http://www.backtrack-linux.org/wiki/index.php/RFID_Cooking_with_Mifare_Classic

  2. Knoydart
    FAIL

    Streisand effect in play?

    So the police and public transport operator, instead of fixing the known weakness, take someone to court for $18 worth of top up? How much was the lawyers' time for this prosecution?

    Maybe they should fix the system and do the hard yards instead of taking a (not so) cheap shot at a student.

  3. Winkypop Silver badge
    Joke

    Riders on the storm

    $18 - seems 'fare'

  4. Gecko

    For a government that claims to be committed to innovation, this is really silly. We need to stop shooting the messenger. It's the criminals who are secretly using these vulnerabilities we should be targeting. I bet these students are finding out what an exciting time it is to be an Australian.

  5. Adam 1

    breathtaking shortsightedness

    So independent researchers discover and report to the government a vulnerability allowing it to be patched rather than exploited. Instead of a thank you, they get the book thrown at them.

    Do pray tell, what exactly do you think that the next researcher will do if they discover a vulnerability? Certainly they wouldn't set up some hidden Tor service where for some infinitesimally small portion of bitcoin you can load credit on the card, making a wad of cash whilst the authorities pay big bucks to try to reverse engineer the hack.

    Security research can be a murky area. By not selling their exploits on the underground marketplaces, they are already giving up a lot of money. Sometimes they will overstep the mark even if their intentions are good. I make no judgement about whether they overstepped here, but the government needs to catch half a clue here, figure out what they are trying to achieve and determine whether their decision to prosecute advances that goal.

    Upon sober reflection, they should realise they have scored a spectacular goal, just for the wrong team.


Biting the hand that feeds IT © 1998–2021