Collaborative Security Review: Wave2Go

By Chad at 9:57 pm on February 24, 2008 | 2 Comments

This security review is intentionally left incomplete. It is simply a topic that I think would be interesting for us as a group to explore. If you can add to the discussion, please do, even if it’s simply to propose an idea, or to shoot one down.

Washington State Ferries have been using the Wave2Go system for over a year now. The old system required passengers to remain in a holding area after they had bought their tickets from one of three booths. Many patients would wait to buy their tickets just before the ferry would board, causing long lines right before departure and occasionally delaying ferries.

Wave2Go allows clients to buy tickets from multiple kiosks in addition to the three ticket booths. Alternatively, you can purchase tickets ahead of time online and then print them out. There are a few different types of tickets: Single Ride ticket, Multi-Ride Commuter card, Monthly Pass, and Senior/Disabled convenience card. There are also options on some of these for car and driver or passenger only. For more information about types of tickets, go here.

After purchasing their ticket, each walk-on passengers must swipe the barcode on their ticket at one of various turnstiles. If the barcode passes some test, the turnstile is unlocked, allowing the passenger to board the ferry.

Potential Vulnerabilities:

  • The kiosks are scattered around in the ferry terminal just asking to be tinkered with.
  • The turnstiles aren’t watched closely by WSF employees.
  • The algorithm for picking a “valid” barcode.

Some of the questions we could explore:

  • How might the tickets be validated?
  • How are the tickets actually validated?
  • How are barcodes generated from a given chunk of data?
  • How hard would it be to intercept and perhaps alter traffic from the kiosks to the “central database?”
  • Are there security cameras focused on each kiosk? On each turnstile?
  • Is the payoff worth the amount of work involved and risk of getting caught?

Again, please feel free to add to this review even if it’s just an idea.

Filed under: Physical Security,Security Reviews2 Comments »

2 Comments

  • 1
    Get your own gravatar for comments by visiting gravatar.com

    Comment by Fabian

    February 24, 2008 @ 11:51 pm

    I am sure that the new system will benefit the commuter, especially in terms of simplifying the process. In my opinion, validating the tickets through barcode is better right now than other media such as RFID, etc. However, purchasing the ticket online might cause certain issues such as duplication and validation. It would be best if a special card is produced to ensure validity.

  • 2
    Get your own gravatar for comments by visiting gravatar.com

    Comment by PGA

    February 24, 2009 @ 4:31 am

    That’s a really good review. The ticket validation is one of the most important aspects needed to be looked into. Nevertheless, good review.

RSS feed for comments on this post