Smart Card Fail

The Stockholm local transit people (SL) introduced a so-called smart card over a year ago, and called it SL Access. Now, usually anything that SL introduces costs a pile of money and doesn’t work. We kind of expect it to be that way.

And, true to form, as SL were about to introduce their expensive system it became clear that the technology used, the Mifare RFID card system, had been hacked. The details of this are all over the net now. “Mifare hack” will get you started. It’s fair to say that this is not a good system, and as leaky as a sieve full of sponges.

Still life with RFID chip

It works like this, for those who don’t know. You “load” your card (or more correctly you update a database somewhere using your card’s ID) and then swipe your whole wallet, with the card inside, over the reader. It’s actually a nifty system, despite the whole not-secure aspect, as you avoid having to dig out the card every time.

I noticed, by turning the card a certain way, that you can see the chip. It was about 5 mm across which, for the Americans, just means very small. So I reasoned if it could be removed from the card, then it could be put into more interesting objects that one could swipe across the reader.

Such as a head. Or a banana. Or a Mars bar. You get the idea.

Unfortunately, once extracted, the chip doesn’t work. A quick googlement showed that there is a thin antenna wire connecting to the chip that circles the perimeter of the card. This interacts with a magnetic field over the reader using good old-fashioned induction and transfers the data required. No wire, no data.

So it’s back to the drawing board with that one. Would be nice however to get me some hardware and hack the thing properly. I figure, in the interests of helping SL improve their security, it’s the only kind thing to do.

/ paddy


10 thoughts on “Smart Card Fail”

  1. Aww. I’m disappointed. While my new yellow card’s more interesting than the purple one I just threw away, I’d still have liked to put the chip in my plush Eeyore.

  2. Would a sieve full of sponges actually leak or would the sponges intercept the water afore it had the chance to pass through the sieve?

    …I am waiting for your friend to give us a discourse on absorption rates and saturation levels of various sponges… No? Okay, I’ll continue…

    I actually did some work in Reuters on smartcards. No, I actually did some work, on those rare occasions that I got out of bed in time.

    It was all very dull.

    You could do like Prof. Kevin Warwick and insert an RFID under your skin. I believe he gave one to his wife so they could “interact” with each other when he was at conferences.

    Yes, he’s probably a pervert.

  3. Why do people persist in this notion that these things are ‘secure’? Every day in the news ATM MACHINES HACKED (or somesuch). You know what’s secure? Conductors on trains punching your ticket. Or better, conductors on trains dressed as Eeyore, punching your ticket.
