Sony FeliCa vulnerability found in pre-2017 IC transport cards

Sony has revealed that some of its FeliCa contactless IC cards shipped prior to 2017 are vulnerable to unauthorized data read out and modification. FeliCa-based cards are popular in Japan and widely used as train, ID, and payment cards. Other countries, including America, Bangladesh, Hong Kong, Indonesia, and Thailand, have used the system as well.

Travellers to Japan often encounter FeliCa as public transit cards, such as the Suica or Pasmo cards used in Tokyo's JR East and Pasmo train and bus networks. These contactless NFC cards can be pre-loaded with money and used for trips. They can also be used to purchase drinks, food, and goods at vending machines, restaurants, and shops that support this payment system.

Sony has not disclosed details of the vulnerability, but third parties discovered the vulnerability and notified Sony under the "Information Security Early Warning Partnership Guidelines" of the Information Technology Promotion Agency (IPA), a Japanese security partnership framework designed to minimize damages.

The vulnerability in these IC cards allows hackers to read and modify data despite AES/DES encryption, opening the door to account balance theft, so owners of pre-2017 cards should transfer their card account balances to a new card as soon as possible. Electronic wallets, such as those stored in phones or smartwatches, are not at risk.

The discovery of the vulnerability shows once again that anything electronic will likely be hacked someday. Readers with Bitcoins in an online wallet or account should consider an offline wallet, like this one on Amazon, to safeguard their money because hackers have stolen millions in cybercoins from a variety of online accounts.