
Smart Card Fail

05 May

The Stockholm local transit people (SL) introduced a so-called smart card over a year ago, and called it SL Access. Now, usually anything that SL introduces costs a pile of money and doesn’t work. We kind of expect it to be that way.

And, true to form, as SL were about to introduce their expensive system it became clear that the technology used, the Mifare RFID card system, had been hacked. The details of this are all over the net now. “Mifare hack” will get you started. It’s fair to say that this is not a good system, and as leaky as a sieve full of sponges.


Still life with RFID chip

It works like this, for those who don’t know. You “load” your card (or more correctly you update a database somewhere using your card’s ID) and then swipe your whole wallet, with the card inside, over the reader. It’s actually a nifty system, despite the whole not-secure aspect, as you avoid having to dig out the card every time.

I noticed, by turning the card a certain way, that you can see the chip. It was about 5 mm across which, for the Americans, just means very small. So I reasoned if it could be removed from the card, then it could be put into more interesting objects that one could swipe across the reader.

Such as a head. Or a banana. Or a Mars bar. You get the idea.

Unfortunately, once extracted, the chip doesn’t work. A quick googlement showed that there is a thin antenna wire connecting to the chip that circles the perimeter of the card. This interacts with a magnetic field over the reader using good old-fashioned induction and transfers the data required. No wire, no data.

So it’s back to the drawing board with that one. Would be nice however to get me some hardware and hack the thing properly. I figure, in the interests of helping SL improve their security, it’s the only kind thing to do.

/ paddy


Posted by on May 5, 2010 in Science, Sweden

 


10 responses to “Smart Card Fail”

  1. Melliferax

    May 5, 2010 at 9:51 pm

    Aww. I’m disappointed. While my new yellow card’s more interesting than the purple one I just threw away, I’d still have liked to put the chip in my plush Eeyore.

     
    • paddyK

      May 5, 2010 at 10:19 pm

      You could always put the WHOLE card in the bear. And didn’t you get new glasses..?

       
      • Melliferax

        May 5, 2010 at 10:57 pm

        The ASS (har har) isn’t big enough for a whole card. And yes..?

         
    • paddyK

      May 6, 2010 at 9:21 am

      Your thumbnail keeps shifting between the old and the new. It annoys.

       
      • Melliferax

        May 6, 2010 at 10:02 am

        I’m not getting that. Try clearing your cache.

         
  2. James

    May 5, 2010 at 10:26 pm

    Would a sieve full of sponges actually leak or would the sponges intercept the water afore it had the chance to pass through the sieve?

    …I am waiting for your friend to give us a discourse on absorption rates and saturation levels of various sponges… No? Okay, I’ll continue…

    I actually did some work in Reuters on smartcards. No, I actually did some work, on those rare occasions that I got out of bed in time.

    It was all very dull.

    You could do like Prof. Kevin Warwick and insert an RFID under your skin. I believe he gave one to his wife so they could “interact” with each other when he was at conferences.

    Yes, he’s probably a pervert.

     
    • paddyK

      May 6, 2010 at 9:22 am

      A very good point on the sponges. I’ll have to rework that one.

       
  3. Wynn

    May 5, 2010 at 11:05 pm

    That could have been an awesome idea! Make it work!

     
    • paddyK

      May 6, 2010 at 9:23 am

      Gimme me some research money and I’m on it!

       
  4. anaglyph

    May 6, 2010 at 12:01 am

    Why do people persist in this notion that these things are ‘secure’? Every day in the news ATM MACHINES HACKED (or somesuch). You know what’s secure? Conductors on trains punching your ticket. Or better, conductors on trains dressed as Eeyore, punching your ticket.

     
