The Stockholm local transit people (SL) introduced a so-called smart card over a year ago, and called it SL Access. Now, usually anything that SL introduces costs a pile of money and doesn’t work. We kind of expect it to be that way.
And, true to form, as SL were about to introduce their expensive system it became clear that the technology used, the Mifare RFID card system, had been hacked. The details of this are all over the net now. “Mifare hack” will get you started. It’s fair to say that this is not a good system, and as leaky as a sieve full of sponges.
It works like this, for those who don’t know. You “load” your card (or more correctly you update a database somewhere using your cards ID) and then swipe your whole wallet, with the card inside, over the reader. It’s actually a nifty system, despite the whole not-secure aspect, as you avoid having to dig out the card every time.
I noticed, by turning the card a certain way, that you can see the chip. It was about 5 mm across which, for the Americans, just means very small.So I reasoned if it could be removed from the card, then it could be put into more interesting objects that one could swipe across the reader.
Such as a head. Or a banana. Or a Mars bar. You get the idea.
Unfortunately, once extracted, the chip doesn’t work. A quick googlement showed that there is a thin antenna wire connecting to the chip that circles the perimeter of the card. This interacts with a magnetic field over the reader using good old-fashioned induction and transfers the data required. No wire, no data.
So it’s back to the drawing board with that one. Would be nice however to get me some hardware and hack the thing properly. I figure, in the interests of helping SL improve their security, it’s the only kind thing to do.