Security analysis of metropolitan locking systems using the example of the city of Vienna

Abstract

In this work, we carried out a black-box analysis of the electronic contact-less BEGEH system that has been steadily replacing the conventional mechanical BG key on multi-party houses in Vienna. The BG key has been introduced originally to allow mail delivery services to access multi-party houses but has since then aggregated additional users. We have found several vulnerabilities in the new system caused by the design, technology used, organization, and its implementation. We have further shown that the new system is circumventable with little costs. This effectively nullifies many security advantages promised by the new system.<br />We found a configuration issue, enabling access to 43% of all installations with a reprogrammed transponders worth approximately e2, such as an old ski ticket. We have also shown that it is not necessary to break the encryption of the data, as it can be replayed together with its UID-derived key. Therefore, we built a card simulator for less than e20. We also conclude that the way blacklist updates are organized, raises the black market value of physically stolen keys.<br />On two more examples (an electronic purse and an UID based access system) we demonstrated that similar issues are found in other systems as well. We show that UID based solutions offer a lower level of security than could be expected, especially when not enough attention is payed to the entropy of the UID space.