paper tickets > smartcards, probably.

source link: https://lobi.to/talks/papertickets/

28 Feb 2020

This was published on 29 Dec 2022, but has been backdated to the talk's original presentation at Securi-Tay 2020.

Following its adoption by the Department for Transport, the ITSO specification has been the legally mandated technological stack for all new smartcard ticketing systems in the United Kingdom.

Many transit operators have adopted ITSO as their primary ticketing scheme as a result of the government’s endorsement and the plethora of vendors supplying ITSO-certified equipment. Despite this, there has been little research done into the security mechanisms provided by the specification.

After creating a tool to interpret data stored on compliant smartcards, I compromised a public ITSO validator app by abusing backwards compatibility measures to clone a genuine smartcard and alter its contents in an unauthorised manner.

This research was conducted as part of my BSc (Hons) Ethical Hacking dissertation, which can be found at dissertation.pdf (submitted May 2019).

pytravelcard’s source code can be found on GitHub at https://github.com/unlobito/pytravelcard

I presented some of my findings from this research at Securi-Tay 2020 (recording), campGNDd 2021 (recording), and DC4420.

The slides for the original Securi-Tay presentation are available on Speaker Deck.
