Fare Hack: Exploiting a Clipper Card Flaw Is Easy

Not that we think you would, but with a visit to Radio Shack you could hack into that Clipper card in your wallet, allowing you to load it with free rides or create and sell copies for profit — and funnel money away from the Bay Area's cash-strapped public-transit agencies.

What it would take: an oscilloscope, an antenna, a transponder, a bit of know-how, and about seven hours.

That's according to David Oswald, a Ph.D. student in IT security at the Ruhr University of Bochum in Germany, who broke the encryption in Clipper and similar transit cards last year. Clipper cards contain a chip that uses radio signals to talk to fare gates and the transponders on buses, making it easy to "eavesdrop" on the conversation. "It's comparable to a professional thief who can open a safe by listening to the mechanical clicks of the lock. In our case, we are listening to electromagnetic fields," says Oswald.

From there, a hacker can narrow down which key will break the encryption and gain access to the information on the chip. Lest you think it takes an IT degree to read the data, the Farebot app for Android phones lets you peek at the travel history and balance on your own card — or anyone else's nearby.

The vulnerability poses "a severe threat to the security of real-world systems" that use the chip, Oswald wrote in a paper published in October.

Cubic Transportation Systems, the company that supplies Clipper cards, downplays the finding. "Cubic continually monitors card activity to determine if unauthorized modifications have been made," says Derick Benoit, vice president of customer services.

However, Metropolitan Transportation Commission spokesman John Goodwin says card-cloning is possible. That's a problem, since Andres Townes, a former employee of Boston's Massachusetts Bay Transit Authority and later Cubic, was indicted for selling millions of dollars' worth of cloned magnetic-stripe transit cards on Craigslist. Townes kicked off his alleged racket in 2007, before Cubic took over the MBTA's transit-card system, but wasn't arrested until 2011 — well after Cubic got involved.

The MTC has asked Cubic to finesse the Clipper system in light of Oswald's findings, and Cubic is "considering this request," Goodwin said. Cubic also plans to use a new, less-vulnerable chip in Clipper cards this year, but that still leaves over 1 million weaker cards in circulation.

"No smart card is, or will ever be, absolutely 100 percent hack-proof," Goodwin said. "The goal is to stay at least one step ahead of the people that would look to take advantage of discovered vulnerabilities."

That's easier than staying out of cities with Radio Shacks.

 
6 comments
Elizabeth Frantes

I never liked that system, because it costs too much and taking that much $ to collect the $ is like driving a lead gasoline tanker. Sometimes simple is far better, less ways to break down, etc. Norbert Wiener didn't make sense to far too many of it, it seems. And now that they're talking about giving free rides to "children" (which means more crime, more damage, etc) why care about some folks getting free rides? I don't think hacker types will be as much of a problem as "the children" already are. And if MUNI would stop with nonsense like that tunnel, fire everyone who isn't a driver or mechanic, fares keep rising, there will be more problems with "cheating" when in fact if the CHEATERS IN CHARGE could run MUNI properly, we wouldn't be IN this problem!

asm firoz bin

For a properly designed system, the explained risk is bare minimum. Every ticket has its own unique security, so breaking of one card will not help to manipulate other cards, and cloning of one card by using illegitimate devices can be detected by the back-end (legitimate card cannot be used due to its uniqueness). The threat is much higher in theory than in practice.

Elizabeth Frantes

And how much would a properly designed system cost per ride? Is it really worth a lot of money to go after a few "fare cheats?" I'd prefer to spend money on more security on the buses and start kicking out "the children" who rob, rape, steal, and destroy public property. This is not a serious problem, and was caused by some idiot with a sinecure job who bought a pretty package of nonsense from a friend/relative with some consulting company .. ..

TAPman

Oswald is dealing with Radio Frequency Identification (RFID) Cards.

The case in Boston, while also involving Cubic, was over magnetic stripe cards as used by BART since its opening that in Boston's case double as "flash" passes (visual inspection by conductors) on Commuter Trains. (In Boston, the MBTA runs both the subway/light rail system and the diesel-hauled commuter rail system)

And yes, RFID shields should now be as common as those Tyvek sleeves that ATM cards once came with.

MrEricSir

-Clipper+American Express

Look, I just made your story far more relevant. Of course, only one of those two companies might consider buying ad space in your paper...

Akit

This is why an RFID shield product is necessary. I use a badge holder that the federal government employees use in their RFID badges.

 
©2014 SF Weekly, LP, All rights reserved.