Difference between revisions of "MOBIB"
m (→Tools) |
|||
(20 intermediate revisions by the same user not shown) | |||
Line 18: | Line 18: | ||
==Security/Privacy== |
==Security/Privacy== |
||
⚫ | |||
+ | ** 2013-?? [http://www.belgianrail.be/fr/service-clientele/faq/mobib.aspx FAQ about MOBIB by SNCB]: they're less shy than STIB...<br>''Quelles sont les données conservées sur la carte MOBIB ?<br>Sur la carte : n° de carte, n° de série de la carte, photo, nom, prénom, date de naissance.<br>Dans la puce : n° de client, n° de série de la carte, nom, prénom, date de naissance, profils tarifaires éventuels, langue, sexe, code postal, abonnements.'' |
||
+ | ** 2012-09-15 [http://www.weblex.irisnet.be/Data/Crb/Bqr/2011-12/00032/images.pdf Question parlementaire 834 sur les cartes Mobib défectueuses (page 93, PDF)]: 17% remplacées pour défaut technique + 13% remplacées aux frais de l'utilisateur (10€) |
||
+ | ** 2011-06-24 [http://www.rtbf.be/info/regions/detail_mobib-et-vie-privee-la-controverse-continue?id=6345503 Mobib et vie privée : la controverse continue] |
||
+ | ** 2011-06-02 [http://www.rtbf.be/info/societe/detail_stib-la-video-d-un-possible-piratage-du-systeme-mobib-circule-sur-le-net?id=6211833 La vidéo d'un possible piratage du système Mobib circule sur le Net] |
||
+ | *** Une première vidéo a circulé puis a été retirée rapidement, une deuxième est toujours visible sur [http://www.youtube.com/user/MOBIBavenger Youtube] |
||
+ | *** Ces vidéos sont plus que probablement des faux, montrant tout au plus le problème connu depuis 2009 de confidentialité des données de l'usager. La confusion d'outils liés à la Mifare alors que la Mobib est de technologie Calypso et d'autres inepties dans la première vidéo tentent à confirmer ce fait. |
||
+ | *** 2011-06-03 [http://www.tvbrussel.be/video/4/kan-je-een-mobib-kaart-kopi%C3%ABren?sublang=FR Kan je Mobib kopiëren?], interview de Gildas Avoine sur TVBrussel. |
||
+ | *** 2011-06-06 [http://www.rtbf.be/info/regions/detail_mobib-pirate-la-stib-n-y-croit-guere?id=6226823 Mobib piraté? La STIB n'y croit guère]. |
||
+ | ** 2011-03-22 [http://www.lalibre.be/actu/belgique/article/650103/mobib-la-stib-craint-la-justice.html MOBIB: la STIB craint la justice] (fr) |
||
+ | ** 2010-12-02 [http://www.lalibre.be/actu/belgique/article/627129/la-stib-veut-securiser-la-carte-mobib.html La STIB veut sécuriser la carte Mobib] (fr) |
||
+ | ** 2010-08-05 [http://www.rtbf.be/info/regions/bruxelles/la-stib-communique-t-elle-les-donnees-de-ses-clients-a-des-tiers-243092 La STIB communique-t-elle les données de ses clients à des tiers?] (fr) |
||
+ | ** 2010-07-06 [http://www.lalibre.be/actu/belgique/article/594246/mobib-intrusion-dans-la-vie-privee.html Mobib: intrusion dans la vie privée] (fr) |
||
+ | ** 2010-06-30 [http://www.liguedh.be/index.php?option=com_content&task=view&id=916&Itemid=280 La Ligue des Droits de l'Homme] s'en mêle... (fr) |
||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
* Privacy Commission, about the access STIB has on the National Registry in the context of the introduction of MOBIB & external suppliers<br>Objet : demande de la S.T.I.B. visant à obtenir l'extension des autorisations en sa possession (RN/MA/2007/056)<br>Betreft: aanvraag van de MIVB tot uitbreiding van de machtigingen waarover zij beschikt (RN/MA/2007/056) |
* Privacy Commission, about the access STIB has on the National Registry in the context of the introduction of MOBIB & external suppliers<br>Objet : demande de la S.T.I.B. visant à obtenir l'extension des autorisations en sa possession (RN/MA/2007/056)<br>Betreft: aanvraag van de MIVB tot uitbreiding van de machtigingen waarover zij beschikt (RN/MA/2007/056) |
||
** [http://www.privacycommission.be/fr/docs/RR-RN/2008/deliberation_RN_005_2008.pdf Délibération RN n° 05/2008 du 23 janvier 2008] |
** [http://www.privacycommission.be/fr/docs/RR-RN/2008/deliberation_RN_005_2008.pdf Délibération RN n° 05/2008 du 23 janvier 2008] |
||
** [http://www.privacycommission.be/nl/docs/RR-RN/2008/beraadslaging_RR_005_2008.pdf Beraadslaging RR nr. 05/2008 van 23 januari 2008] |
** [http://www.privacycommission.be/nl/docs/RR-RN/2008/beraadslaging_RR_005_2008.pdf Beraadslaging RR nr. 05/2008 van 23 januari 2008] |
||
+ | * Voir aussi [http://www.liguedh.be/actions-en-cours/mobib-et-vie-privee le dossier] de la Ligue des Droits de l'Homme |
||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
− | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
==Tools== |
==Tools== |
||
− | * UCL software to read Mobib cards (mobib extractor) seems to not be available anymore |
+ | * UCL software to read Mobib cards (mobib extractor) seems to not be available anymore, but there is still a copy [http://www.hackerzvoice.net/repo_hzv/tools/RFID/ here] |
* [http://www.springcard.com SpringCard] offers a SDK with a Calypso explorer for Windows and its sources, find [http://www.springcard.com/download/sdks.html here] the SDK PC/SC for Calypso. See also [http://www.springcard.com/blog/2010/calypso-explorer/ their blog post] |
* [http://www.springcard.com SpringCard] offers a SDK with a Calypso explorer for Windows and its sources, find [http://www.springcard.com/download/sdks.html here] the SDK PC/SC for Calypso. See also [http://www.springcard.com/blog/2010/calypso-explorer/ their blog post] |
||
* [http://www.acbm.com/inedits/pass-transports-commun-secrets.html An article] from P. Gueulle describes a program in Basic to dump the memory content of a Calypso card |
* [http://www.acbm.com/inedits/pass-transports-commun-secrets.html An article] from P. Gueulle describes a program in Basic to dump the memory content of a Calypso card |
||
* [http://code.google.com/p/cardpeek/ Cardpeek] is a Linux tool to read the contents of ISO7816 smartcards. It features a GTK GUI to represent card data is a tree view, and is expandable with a scripting language (LUA). The tool currently reads the contents of: EMV cards, Navigo public transport cards, Moneo ePurse cards and the French health card "Vitale 2" |
* [http://code.google.com/p/cardpeek/ Cardpeek] is a Linux tool to read the contents of ISO7816 smartcards. It features a GTK GUI to represent card data is a tree view, and is expandable with a scripting language (LUA). The tool currently reads the contents of: EMV cards, Navigo public transport cards, Moneo ePurse cards and the French health card "Vitale 2" |
||
− | * you may try [https://www.lafargue.name/smart-tools/atr/ Edouard Lafargue's tool] |
+ | * you may try [https://www.lafargue.name/smart-tools/atr/ Edouard Lafargue's tool] |
+ | * UCL researchers wrote a nice article (in French) in [http://www.ed-diamond.com/feuille_misc48/index.html MISC Mag #48] on how to read a Navigo card, see pages 74-82 |
||
+ | ==Disclaimer== |
||
+ | Under Belgian [http://reflex.raadvst-consetat.be/reflex/?page=chrono&c=detail_get&d=detail&lang=fr&docid=70202 law of 28 november 2000 relative to computer/cyber criminality], is punishable '''the one, knowing he was not allowed to do so, accesses a computing system'''. |
||
+ | <br>Without exception for academic security research. |
||
+ | <br>Without need for demonstrating an intention of bad behavior. |
||
+ | <br>Without need for demonstrating an intention of getting financial benefit (=fraud). |
||
+ | <br>The sole intention to access the computing system is also punishable. |
||
+ | |||
+ | And, oh, btw, apparently your Mobib is not yours, it's STIB property. |
||
+ | <br>Now, don't say I didn't warn you. |
||
+ | |||
+ | As pointed out on [http://blog.security4all.be/2009/10/privacy-and-belgian-mobility-card-bmc.html this blog], this may explain why UCL researchers removed their tool from their website, as it's hard to write such a tool without reading any Mobib and ''considering who owns the transport card company and who subsides the university''... ''Sound a bit like a conspiracy, but we can't say for sure''. |
||
+ | |||
+ | So this is how you can deploy a privacy-savvy technology in Belgium: no technical protection whatsoever required as there is already a law prohibiting to read the unprotected data. And you won't be blamed as anyone demonstrating publicly that your technology is a privacy nightmare is committing a crime. |
||
+ | <br>''Quod erat demonstrandum''. |
||
+ | |||
+ | <!-- test |
||
+ | Loi 2000 |
||
+ | http://www.dekamer.be/FLWB/pdf/50/0213/50K0213001.pdf |
||
+ | http://www.lachambre.be/FLWB/PDF/50/0214/50K0214003.pdf |
||
+ | Avis du Conseil d'Etat, Doc. Parl. Chambre, 1999-2000, 0213/001 et 0214/001 |
||
+ | http://www.droit-technologie.org/legislation-193/decision-cadre-europeenne-relative-aux-attaques-visant-les-systemes-d.html |
||
+ | [http://www.crid.be/pdf/public/4067.pdf A PROPOS DE LA LOI DU 28 NOVEMBRE 2000 SUR LA CRIMINALITE (CRID)] |
||
+ | 15 MAI 2006. - Loi modifiant les articles 259bis, 314bis, 504quater, 550bis et 550ter du Code pénal. |
||
+ | |||
+ | Version consolidée: |
||
+ | http://pierre.baudu.in/other/articles.du.code.penal.html |
||
+ | http://www.polfed-fedpol.be/crim/crim_fccu_ict_fr.php |
||
+ | --> |
Latest revision as of 11:06, 25 March 2013
See also RFID
Technology
- STIB site about MOBIB (MIVB)
- ASK, the card manufacturer
- Press releases
- On wikipedia:
- Calypso, see also here
- MoBIB (fr)
- Passe Navigo (fr) is not fully ISO14443-B compliant (Innovatron "standard", also referred as type B') so without proper reader it can be accessed only via contacts. Mobib readers cannot read Navigo pass, so no compatibility whatsoever with the anonymous Navigo card, sigh.
- Cards:
- ASK dual interface cards, according to the ASK productsheet for Calypso a CD21 of 8K bytes with as IC a ST19WR08 from ST Microelectronics
- C.ticket in the future?
- Other cities with Calypso (pdf)
Security/Privacy
- On the news:
- 2013-?? FAQ about MOBIB by SNCB: they're less shy than STIB...
Quelles sont les données conservées sur la carte MOBIB ?
Sur la carte : n° de carte, n° de série de la carte, photo, nom, prénom, date de naissance.
Dans la puce : n° de client, n° de série de la carte, nom, prénom, date de naissance, profils tarifaires éventuels, langue, sexe, code postal, abonnements. - 2012-09-15 Question parlementaire 834 sur les cartes Mobib défectueuses (page 93, PDF): 17% remplacées pour défaut technique + 13% remplacées aux frais de l'utilisateur (10€)
- 2011-06-24 Mobib et vie privée : la controverse continue
- 2011-06-02 La vidéo d'un possible piratage du système Mobib circule sur le Net
- Une première vidéo a circulé puis a été retirée rapidement, une deuxième est toujours visible sur Youtube
- Ces vidéos sont plus que probablement des faux, montrant tout au plus le problème connu depuis 2009 de confidentialité des données de l'usager. La confusion d'outils liés à la Mifare alors que la Mobib est de technologie Calypso et d'autres inepties dans la première vidéo tentent à confirmer ce fait.
- 2011-06-03 Kan je Mobib kopiëren?, interview de Gildas Avoine sur TVBrussel.
- 2011-06-06 Mobib piraté? La STIB n'y croit guère.
- 2011-03-22 MOBIB: la STIB craint la justice (fr)
- 2010-12-02 La STIB veut sécuriser la carte Mobib (fr)
- 2010-08-05 La STIB communique-t-elle les données de ses clients à des tiers? (fr)
- 2010-07-06 Mobib: intrusion dans la vie privée (fr)
- 2010-06-30 La Ligue des Droits de l'Homme s'en mêle... (fr)
- 2010-01-13 According to SpringCard, Atmel has released a 14443-B card where one can very easily program the UID (PUPI), demo with a Mobib.
- 2009-08-27 Carte blanche (fr, in Le Soir) by François-Xavier Standaert & François Koeune about what should be expected from a metro ticket
- The full version on UCL website
- 2009-01-16 Flanders will also make a MOBIB card
- 2009-01-09 La carte Navigo belge peut jouer les indics (fr)
- 2009-01-09 Mobib : la carte trop curieuse (fr, in Le Soir)
- 2009-01-09 UCL have shown anybody can read it, see your name, date of birth and details on last three payments. Some say the Navigo pass contains also details of the last three badgings.
- 2013-?? FAQ about MOBIB by SNCB: they're less shy than STIB...
- Privacy Commission, about the access STIB has on the National Registry in the context of the introduction of MOBIB & external suppliers
Objet : demande de la S.T.I.B. visant à obtenir l'extension des autorisations en sa possession (RN/MA/2007/056)
Betreft: aanvraag van de MIVB tot uitbreiding van de machtigingen waarover zij beschikt (RN/MA/2007/056) - Voir aussi le dossier de la Ligue des Droits de l'Homme
Tools
- UCL software to read Mobib cards (mobib extractor) seems to not be available anymore, but there is still a copy here
- SpringCard offers a SDK with a Calypso explorer for Windows and its sources, find here the SDK PC/SC for Calypso. See also their blog post
- An article from P. Gueulle describes a program in Basic to dump the memory content of a Calypso card
- Cardpeek is a Linux tool to read the contents of ISO7816 smartcards. It features a GTK GUI to represent card data is a tree view, and is expandable with a scripting language (LUA). The tool currently reads the contents of: EMV cards, Navigo public transport cards, Moneo ePurse cards and the French health card "Vitale 2"
- you may try Edouard Lafargue's tool
- UCL researchers wrote a nice article (in French) in MISC Mag #48 on how to read a Navigo card, see pages 74-82
Disclaimer
Under Belgian law of 28 november 2000 relative to computer/cyber criminality, is punishable the one, knowing he was not allowed to do so, accesses a computing system.
Without exception for academic security research.
Without need for demonstrating an intention of bad behavior.
Without need for demonstrating an intention of getting financial benefit (=fraud).
The sole intention to access the computing system is also punishable.
And, oh, btw, apparently your Mobib is not yours, it's STIB property.
Now, don't say I didn't warn you.
As pointed out on this blog, this may explain why UCL researchers removed their tool from their website, as it's hard to write such a tool without reading any Mobib and considering who owns the transport card company and who subsides the university... Sound a bit like a conspiracy, but we can't say for sure.
So this is how you can deploy a privacy-savvy technology in Belgium: no technical protection whatsoever required as there is already a law prohibiting to read the unprotected data. And you won't be blamed as anyone demonstrating publicly that your technology is a privacy nightmare is committing a crime.
Quod erat demonstrandum.