Remote Security Random Tips
News & Ads

MiFare Subway Hack

Subway hackWith regards to the conference Defcon there has appeared the first publication Subway Hack on internet. The funny thing is that the San Francisco court forbided publishing the material (or even talk about it) just before making the prezentation public at the conference. On the top og it the whole project was removed from the author´s web right after that. Is this a some kind of a honour? Who and why was risking the Streisand effect? 

New age

It is more then obvious that the government is just trying to camouflage the sad situation regarding the security of strategic places, confidential information, data flow and important nodes. One of this is definitely the subway and other strategic infrastructure. Insted of having an open discussion about the security here comes the censorship. Instead an open discussion somebody is punished sent to jail for many yaers. And what is the publication Subway Hack about? You get an idea just from the very one title Subway Hack.. The three authors (Russell Ryan, Zack Anderson and Alessandro Chiesa) were checking the security of information circles and the access to the subway infrastructure in Boston city. It is 40 pages really worth reading.

Subway hack

Right at the beggining there is a list of techniques and set of illustrated shots from the subway. How you can see, lots of places are unlocked or have the key in the lock. There are control panels of turnstiles with free access. Set of screen shots follows – Termo printer of Fargo cards, MBTA.. In the first part you can find a list of hardware (homemade reader, Spark Fun and MSR206) for reading and copying magnetic cards. The possibility itself to clone the magnetic card allows to fraud it (for example for a free ride). But the author goes beyond this. In the part Reverse engineering outlines the most obvious meaning of the saved data. By changing them he demostrates “credit recharging” of the ticket. The chapter finishes by a list of companies that use the same tehnology and mentiones python skript that can be used with MSR206. There is a funny comment that the whole fare colection system (company that produces fare cards) is controled by 2 companies – Scheidt & Bachmann (used for example in Boston T, San Francisco Bart, Long Island Railroad, Seattle Sound Transit, London Silverlink) and Cubic Transportation (used for example in NYC MTA, Washington, DC WMATA, Chicago CTA, Shanghai subway

and others).


Describes the technology used on RFID tickets, including frequence and security. Mentioned force of code key? 48bit 🙂 Then follows a list of hardware and software (GNU radio, card reader, USRP), information sniffing from random card and turnstile.

Brute Force – FPGA

The end of the publication mentions more and more available programmable field FPGA, writing easy XOR module and crack schema.

Cities using MiFare:

Boston (CharlieCard)
London (Oyster Card)
Netherlands (OV-Chipkaart)
Minneapolis, South Korea (Upass)
Hong Kong, Beijing, Madrid (Sube-T)
Rio de Janeiro (RioCard), New Delhi, Bangkok.

You can download the publication in e-books at download. Other publications from talks.

Similar Posts: