FareBot: an Android transit-card sniffer


9 Responses to “FareBot: an Android transit-card sniffer”

  1. gadfly says:

    forgive me for picking nits, but I don’t think it’s very wise to presume that putting that information on an internet-connected device with a less-than-optimally policed app store makes the information *more* secure. introducing a more valuable and more accessible point of failure doesn’t sound much like strengthening security or privacy to me. (granted, i may be woefully uninformed about the state of security on android devices)

    it’s also conceivable that with the rise of wireless payment systems on phones, smartphones could become an even more valuable target for theft. if you keep your transit card somewhere other than your wallet, you’re probably better off with the insecure card in such a case. (obviously very hypothetical – where else but your wallet would you keep your transit card???)

    and of course, none of this will protect you from government snooping – if you’re concerned about that, stick to cash.

  2. Anonymous says:

    So you can read RFID cards, but, does anyone know if you can currently imitate or clone an RFID with an Android alone? Nexus S has that NFC chip. Kids could run around using their phones as cloners in cities just like in Little Brother.

  3. pmocek says:

    About one-and-a-half years ago, I tried without success to get the people behind the ORCA card (contactus@orcacard.com) to answer several questions about it.

    me: What, if any, information other than a serial number is stored on an ORCA card after it has been used?

    ORCA: Any transportation value is stored on the ORCA card.

    me: Are you sure that the only information stored on the card after it has been used is a serial number and any transportation value? Other people I’ve spoken to are confident that much more information is stored on it, but I hoped to find out from an authoritative source on the matter: you.

    me: I’ve not received a response from you. Can you answer my question?

    me: You told me in an e-mail dated July 31, 2009, that the only information stored on an ORCA card after it has been used is a serial number and any transportation value. Can you please confirm that this is *all* that is stored on the card then?

    ORCA: I’m not sure how this can be confirmed to you.

    me: Please confirm or deny: After an ORCA card has been used to pay for public transportation, precisely two pieces of information are stored on that card: 1) a serial number and 2) any stored value. There is public confusion over this issue. Some people believe that the card also stores information about when and where it has been used. Your own Web site states, “The ORCA card contains built-in intelligence that processes and stores information for three different types of transactions”. I am surprised that this can be achieved if, as you’ve told me, the card stores only a serial number and any stored value.

    me: Can you tell me whether ORCA cards truly store only transportation value and a serial number? This seems unlikely.

    That was February 23, 2010. They never responded.

    Less relevant to this post, but more concerning to me, was this:

    me: Other than repeatedly purchasing new ORCA cards anonymously with cash, how can an ORCA card user travel via public transportation without having all of his uses of public transportation tracked and linked in such a manner that if the ORCA serial number was associated with him (such as would be the case if he was found to be carrying the card by someone who could read the serial number from it), details of all of his public transportation travels would be available to interested parties with access to ORCA data?

    ORCA: Good day! Don’t register the card and no name will be associated with the card. Thanks!

    me: Thanks, but it seems that you misunderstood my question. I’d like to know how an ORCA card user can travel via public transportation without having all of his uses of public transportation tracked and linked in such a manner that if the card’s serial number was later associated with him (I understand that it can initially not be the case) details of all of his ORCA-paid public transportation travels would be available to anyone with access to ORCA data.

    One way to accomplish such travel would be to repeatedly acquire new ORCA cards. This would prevent all travel from being tracked under a single card serial number. Unfortunately, that will eventually cost $5 per card.

    Your suggestion, to decline to register the card, does indeed prevent a name from being associated with the card, but does not prevent a record of all travels using the card to be stored somewhere (your privacy statement dated June 2, 2009 says that transit agencies will retain travel records for as long as they find it useful to do so), and thus to accumulate a record that *will* be associated with the passenger if the card serial number is eventually linked to him — something which would seemingly be a simple matter, given that he will be carrying a card with that number both printed on and stored electronically in it.

    Can you explain how someone will be able to travel without having a record of all his travels stored — even in an initially-anonymous manner — without paying cash (which will cost extra unless no transfers are ever involved) and without repeatedly forking over $5 to ORCA to start a new anonymous history?

    me: I’ve not received a response from you. Can you answer my question?

    me: How can an ORCA card user travel via public transportation without having all of his uses of public transportation tracked and linked in such a manner that if the card’s serial number was later associated with him (I understand that it can initially not be the case), then details of all of his ORCA-paid public transportation travels would be available to anyone with access to ORCA data?

    ORCA: You don’t have to have your card registered. Also, please know that we don’t know where you board and disembark when riding on a bus as it will only show the route you took not the location. However, the trains will show the station you boarded or disembarked. But, as stated, you don’t have to register your card. Plus, the card is transferrable; a person can have the card in their name, but allow someone else to use it. The ORCA system doesn’t know who’s using the card.

    me: You didn’t answer my question. Again: How can someone who uses an ORCA card to pay for public transportation travel via public transportation *without* having all his uses of public transportation tracked and linked in such a manner that if the ORCA card’s serial number is associated with him, then details of all his public transportation would be available to anyone with access to the ORCA data?

    Put another way: Please confirm or deny the following: Once paper transfers are no longer honored, anyone who wishes to use public transportation and wishes to avoid having to pay extra for transfers must use an ORCA card — cash customers will be required to pay more than ORCA customers if a transfer is involved. When using an ORCA card, a record of all travels accomplished using the card is associated with the card’s serial number. This information may be kept indefinitely, as ORCA has not specified any retention plan for the data. If someone uses an unregistered ORCA card for his travels, and the serial number from that card is later associated with him, then anyone with access to ORCA data can retrieve a record of all of that person’s ORCA travels. The serial number for an ORCA card — registered or unregistered — is not treated as a piece of private information; it is printed on the card, as well as stored electronically inside the card. People must carry the card with them in order to use it. People are often asked to present the card for examination by public transportation staff. People are sometimes required to present the card for examination by public transportation staff. Were a person’s belongings stolen by a thief or subjected to a search by a government agent, then it would be trivial for the thief or government agent to associate the ORCA serial number with that person. That serial number could be used by anyone with access to ORCA travel data to retrieve a record of all travel accomplished using the “unregistered” card.

    me: Is the second paragraph below accurate?

    They never responded.

  4. Symbiote says:

    For the moment, I’m keeping my Oyster card (London) in plastic-card form.

    If I lose it, I can transfer the remaining balance to a new card.

    Any dodgy onlooker only knows where I keep my Oyster card (which is pretty much worthless) rather than an expensive phone.

    Also, Transport for London have said the mobile phone systems aren’t fast enough — they need sub-300ms response times, which the hardware encryption on a card can provide, but the software encryption on a phone can’t.

  5. johnphantom says:

    This is why I have one of these, that I picked up on sale at a department store for $15:

    http://www.stewartstand.com/collections/men/products/driving-wallet-2

  6. Anonymous says:

    I studied the Clipper protocol and structure three years ago (when it was still called “Translink”) by sniffing some transactions, and I can tell you that in its current form, this application is not going to work with the Clipper card; the file numbers and record structures are different.

    On top of that, I haven’t managed to get a Clipper card to divulge its files without authentication. The authentication method appears to use a mutual cryptographic challenge response between the reader and the card. Clipper may be safe — for now.

  7. turn_self_off says:

    Reminds me of the classical story of some EE student gaming the cash cards for the college phone and/or vending machines.

  8. a random John says:

    There are well understood ways of making systems such as these much more secure. There are even ways of making them anonymous. But generally the people implementing them don’t care. The RFID/smart card industry tends to drive out people that are competent or care about security as they get underpriced by those that are incompetent and do not care. Many customers figure that since they themselves don’t comprehend the mechanisms of the transactions they must be secure. Nothing could be further from the truth.

  9. toyg says:

    This sort of application to be legally banned in 3, 2, 1…
