Full Disclosure mailing list archives
Re: BART Card Advisory
From: "Michal" <michal () sharescope co uk>
Date: Thu, 6 Aug 2009 09:14:28 +0100
Is this...a shit version of the London Oyster Card?

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of noisebridge () hushmail com
Sent: 05 August 2009 17:24
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] BART Card Advisory

www.noisebridge.net
-= Security Advisory =-

Advisory: BART Tickets vulnerable to simple cloning
Release Date: 2008/07/14
Author: Jacob Appelbaum
Application: Bay Area Rapid Transit System (BART)
Severity: All BART blue high-value magstripe encoded tickets are vulnerable to cloning.
Risk: Medium/High
Vendor Status: Vendor has not been contacted

"If you only read the books that everyone else is reading, you can only think what everyone else is thinking." -- Haruki Murakami

Overview:

Quote from www.bart.gov/tickets/

  BART tickets are like debit cards with stored value. All BART stations have automatic ticket vending machines that accept nickels, dimes, quarters and $1 coins, as well as $1, $5, $10 and $20 bills. You can also use credit and debit cards in select machines. When you enter BART, insert your ticket into the fare gate and it will be returned to you. Use the same ticket when you exit. The correct fare will be automatically deducted and tickets with remaining value will be returned. If your ticket has too little value, a sign on the fare gate will read "Underpaid: Go to Addfare." A nearby Addfare vending machine will tell you how much additional fare you must add to your ticket to exit the BART system.

It turns out that BART high value (blue) tickets and other magstripe BART tickets store value ON TICKET, as opposed to centrally via an authentication token. Critical information is stored directly on card using what is probably a simple block cipher and is vulnerable to a basic replay attack. In our analysis though, we have found that just like the SFMTA parking meter smartcard system, the signature goes UNVALIDATED.

It seems there's a pattern here in the security systems of San Francisco public services! Hmmmm.

This type of vulnerability does not extend to the new BART EZ Rider smart cards. (Applause)

Track 2 Layout

| SS | PAN | FS | Additional Data | ES | LRC |

SS=Start Sentinel ";"
PAN=Primary Acct. # (19 digits max)
FS=Field Separator "="
Additional Data=Expiration Date, offset, encrypted PIN, etc.
ES=End Sentinel "?"
LRC=Longitudinal Redundancy Check

In the ABA Track 2 system, the magic happens in the "Additional Data" area. Depending on the bank (some remained completely unencrypted until the mid 2000s!) the PIN numbers were actually stored on card, only encrypted by a simple block cipher!

Well, it turns out the BART ticketing system, although not similar in format, does use the same general encoding format, 75bpi BCD, which means you can take your standard off-the-shelf MSR-206 magstripe encoder/decoder and go! Fortunately for you, we've even provided this handy utility!

http://code.google.com/p/libmsr/

This project is an independent Free Software implementation of the protocol for the MSR 206 magnetic stripe reader/writer. It is intended to be both a library for use in other programs that wish to interface with the MSR 206 and as a collection of useful user space programs.

So onto the data.

Bart Card Layout:

| SET | VERSION | ID | DATA | VALUE | CRC |

        . set(?)   . card id             .- plain text value
       /          /                     /
   084909 5346 00721486 8432187913029 00405 1610
   084909 5346 00721486 2072730117332 00065 2287
           \              \                 \
            `- version(?)  \                 `- CRC(?)
                            `- data

Set: Seems to be related to the ID but changes infrequently and doesn't seem to increment linearly.
Version: This number seems to change infrequently, but from time to time even for the same type of card (blue/red/green).
ID: Card ID, which seems to be issued semi-sequentially.
Data: Most likely the encrypted version of value.
Value: Dollar value ($000.00).
CRC: Possibly the checksum.

Although, as you can see, a plain-text BCD card value is stored on the stripe, it is not the only data used to determine the on-card value. By our simple analysis (i.e. trying to encode other dollar figures in plaintext) it's clear that the plain text value in conjunction with the data field is used to validate the on-card value. We assume that the 4-digit value after the plain text value is the CRC, because this also changes each time it's used, it's kinda small and it just seems like one (great evidence, huh!).

In truth black-box differential analysis of the magstripe data is relatively uninformative, but it turns out if we follow this simple rule, we can effectively clone and use BART cards without any real brains.

Don't use two clones of the same card at the same time. Anyone who's tried using a Fast Pass twice will realize they will be let in twice, but not let out twice. You'll end up stuck. Other than that, just copy the card and once in a while, reset the data back to a higher value by re-encoding a previous state.

Anyways, if anyone wants to come join us at Noisebridge to clone some BART cards for fun and profit just swing by 83C Wiese Street with your extra cards (you know, the ones with a nickel on them). Also, if you would like to donate to the Noisebridge cause (and now an official 501(c)(3) non-profit corporation) we might be able to throw in a BART pass at twice the donation value! Just kidding, but hey, they're definitely tax deductible and for a good cause ;)

Regards,
Jacob Appelbaum

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
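One defender-side way to close the two gaps the advisory names (plaintext VALUE trusted on its own, DATA field never checked, and an earlier state re-encodable), shown as an added example that is not part of the original post or of any real BART gate: the gate verifies a keyed tag over the on-card fields and keeps central per-card state so a replayed older record is refused. The key, the HMAC-derived 13-digit tag in the DATA slot and the reuse of the CRC slot as a use counter are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed key for this example; a real gate would hold it in tamper-resistant hardware.
GATE_KEY = b"example-gate-key-not-real"


def make_tag(card_id, value_cents, counter):
    """13-digit tag over the fields a gate must trust (assumed design:
    HMAC-SHA256 truncated to the DATA field width, digits only for BCD)."""
    msg = f"{card_id}:{value_cents}:{counter}".encode()
    digest = hmac.new(GATE_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**13:013d}"


def encode_ticket(set_no, version, card_id, value_cents, counter):
    """Emit a record in the page's SET VERSION ID DATA VALUE CRC layout,
    with DATA carrying the tag and the CRC slot reused as a use counter."""
    tag = make_tag(card_id, value_cents, counter)
    return f"{set_no} {version} {card_id} {tag} {value_cents:05d} {counter:04d}"


def parse_ticket(record):
    set_no, version, card_id, data, value, counter = record.split()
    return {"set": set_no, "version": version, "id": card_id,
            "data": data, "value": int(value), "counter": int(counter)}


class Gate:
    """Fare gate that never trusts the plaintext VALUE on its own."""

    def __init__(self):
        self.last_counter = {}  # central state: card id -> last accepted counter

    def validate(self, record, fare_cents):
        t = parse_ticket(record)
        expected = make_tag(t["id"], t["value"], t["counter"])
        if not hmac.compare_digest(expected, t["data"]):
            return False, "bad tag", None          # edited VALUE or forged DATA
        if t["counter"] <= self.last_counter.get(t["id"], -1):
            return False, "replayed state", None   # re-encoded earlier state
        if t["value"] < fare_cents:
            return False, "underpaid", None
        self.last_counter[t["id"]] = t["counter"]
        new = encode_ticket(t["set"], t["version"], t["id"],
                            t["value"] - fare_cents, t["counter"] + 1)
        return True, "ok", new
```

The tag alone only stops offline edits of the fields; it is the centrally tracked counter that refuses a re-encoded earlier, higher-value state, which is exactly the step the advisory relies on.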
Current thread:
- BART Card Advisory noisebridge (Aug 05)
- Re: BART Card Advisory Michal (Aug 06)
- Re: BART Card Advisory Thor (Hammer of God) (Aug 06)
- <Possible follow-ups>
- BART Card Advisory Martin Bogomolni (Aug 06)
- Re: BART Card Advisory Michal (Aug 06)