I found this bug by accident on my way home from work tonight. The reason I am writing this even though it’s a 0-day:
- I do not think it’s widely exploitable.
- And if it is, NYC isn’t losing any money over it as far as I could tell.
- It will help the MTA/NYC Transit find and fix the problem
- I’m not sure it’s reproducible since I wasn’t about to spend my own time and money to test it
Technically what I describe below is a security issue because it denies legitimate users entry/access and could allow a non-legitimate user a “free ride” if they happen to be in the right place at the right time. It might also cost a legitimate user an extra fare, since they might swipe again at a different turnstile, assuming they had just swiped at a broken one.
Here’s the scenario that happened to me coming home from work tonight at around 7PM. Imagine three turnstiles lined up in a row.
- I swiped my unlimited MetroCard at the rightmost turnstile to enter the subway system. I was denied access. It said ‘Go’ on the green readout but the turnstile wheel was locked. I swiped again and received the ‘Just Used’ message.
- The woman behind me swiped and the turnstile denied her access in the same way. (She then “hopped the turnstile” and entered the subway system.)
- As I tried to swipe my card again, on that turnstile and on the others, I continued to receive the “Just Used” message. The leftmost turnstile readout said “Just Usedd” with two Ds. I probably tried around 5 times in the next few minutes. (I know I need to wait 15 min for the ‘Just Used’ flag to clear, but I had worked late and thought I might get lucky!)
- Legitimate users entered and left the subway system through the turnstiles. I don’t recall how many, or which ones they used. Although I was tired, I don’t recall this watching and step 3 combined taking more than 5 minutes.
- A legitimate user swipes card in middle turnstile to enter the subway and the right turnstile — without prompting or a card swipe (no one is in proximity) — lights up ‘Go’ on the green readout and allows access.
If NYC transit wants to contact me I’ll give them the location of the turnstile for them to investigate.
I hope I don’t test positive for substances because I just take normal vitamins from GNC.
Earlier today GNC sent me the following email (which is worth reading in full):
On February 3, 2010, Senators John McCain and Byron Dorgan introduced S. 3002, a bill entitled, The Dietary Supplement Safety Act. The supposed purpose of the bill is to make dietary supplements “safer.” This is ironic because dietary supplements are already hundreds of times safer than either prescription or over-the-counter drugs.
The real purpose of this bill is to limit your access to dietary supplements. The government would tell you, the consumer, what dietary supplements you could and could not buy. There is little doubt that if this bill becomes law your choices will be drastically reduced, and many of the supplements you take today will become illegal. This misguided bill affects ALL dietary supplements, including vitamins, minerals, herbs, sports and diet products.
But, who is behind this bill? The answer is simple: big time sports leagues, especially Major League Baseball, which in recent years have been plagued by steroid scandals. Fearful that Congress will end their lucrative anti-trust exemption and require real drug testing, they have decided to make the supplement industry their scapegoat. When one of their players tests positive for steroids, they’d like people to think it must have been an adulterated dietary supplement.
Unless you want the government to tell you what supplements you can and cannot take, and unless you want to see your freedom of choice drastically reduced, you need to make your views known to your United States Senators. Tell them to oppose this terrible piece of legislation.
Clearly this bill will affect GNC’s bottom line. Unfortunately, from an email such as this I cannot reasonably determine whether this is truly for my benefit or theirs.
What if the supplements that are proposed to be banned really are bad for my health and I just don’t know it? Or, what if GNC is 100% correct?
Did you know that your car has a black box similar to the ones in airplanes? Most car companies use an open platform that allows this black box data to be downloaded and analyzed in order to aid investigations. In the February 22nd, 2010 issue of Newsweek, Matthew Philips reported that Toyota uses a closed data system. Unfortunately this article is not online so I cannot link to it, but it is on page 12 of the current issue.
The article gives no indication whether or not the data is encrypted or encoded. My guess is that it’s an unencrypted proprietary format. To me it seems unlikely that Toyota would go through such efforts to protect/encrypt data that they claim is not designed for accident reconstruction but rather intended to “aid research on safety systems such as airbags.”
Given the Toyota recall, we see the double-edged nature of closed systems: on one hand, the data is protected from eyes outside Toyota; on the other hand, the lack of transparency (and non-compliance with industry open standards) leaves Toyota vulnerable to attack by the larger justice system for being potentially negligent about the technical malfunctions that lead to a higher crash rate.
This is an interesting decision. The public will most likely never know about the false positives — identifying a person as a potential terrorist even though they are not one — that this change in policy is almost guaranteed to create:
The 10,000 people in line to get classified information are managers, supervisors and “behavior detection officers” who roam airports looking for suspicious people. They represent about 20% of the TSA’s airport workforce and exclude screeners who scan passengers and bags.
The information will give workers details about terrorist “tactics, planning, operations and threats,” TSA spokeswoman Sterling Payne said. Those details “give context to things they see every day which may otherwise not appear unusual” and let workers “exercise discretion” in dealing with travelers, Payne added. She would not elaborate on specific intelligence the workers will get. All TSA airport workers now get daily intelligence briefings that include less sensitive information.
This change in policy (I believe) was a response to the underwear bomber. In infosec vulnerability language it is in response to false negatives!
For security professionals, who (should) err on the side of caution, these false positives should be acceptable within normal bounds. It will be interesting to see what happens if (and when) there are egregious problems.