Interesting People mailing list archives

more on Hacked Speedpass, Hotel mag cards


From: David Farber <dave () farber net>
Date: Thu, 22 Sep 2005 06:01:04 -0400



Begin forwarded message:

From: Jim Thompson <jim () netgate com>
Date: September 21, 2005 7:35:52 PM EDT
To: Dave Farber <dave () farber net>, jadams01 () sprynet com
Cc: Ip Ip <ip () v2 listbox com>
Subject: Re: [IP] more on Hacked Speedpass, Hotel mag cards


So? In this case, we've got an actual, live individual making fairly specific claims. Still could be a hoax, but as the snopes page points out, one chain did formerly do just what was claimed. Are you willing to bet that non-chain motels and hotels, and cheaper chains, aren't doing this? Snopes is good at documenting urban legends, but I don't regard that as superior to actually testing the cards and finding out the truth of the matter.

The follow-up from Robert Mitchell points something interesting out:

"What's interesting to me is that while everyone has an opinion as to whether it's possible that hotels would - either knowingly or unknowingly - store such information on a card key, only one person who posted here claims to have tried this at several hotels (without success). Given past discussions and all of the news stories going back to at least 2003, I am surprised that no one else among this tech savvy group has tried this and reported in."

Hmm...now where could I find a tech-savvy group to supply data? Any thoughts?



Dave (and John),

There is a body of GPL code that would allow anyone to decode the mag-stripe on these types of cards named "Stripe Snoop"

http://stripesnoop.sourceforge.net/

The site includes instructions on how to build (or modify) a mag-stripe card reader: http://stripesnoop.sourceforge.net/hardware/hardware.html

A related toolkit allows the casual user to decode the 1-D and 2-D barcodes used on most state drivers licenses:
http://turbulence.org/Works/swipe/barcode.html

All that said, the Speedpass cards use a mag stripe, but rather RFID. It's been hacked: http://rfidanalysis.org/

In my experience, the hotel room keys work as described. (Literally the only information is a room number and a limit on when the room key is valid.)

However, your security can be compromised in other ways whilst staying in a hotel. On more than one occasion I've been handed a key which opens more than one room, and I've been handed a key for an already occupied room. (You can imagine the surprise of both parties in that one.)

Also, the TV in your room has been cracked, with quite possible negative privacy aspects. http://www.wired.com/news/privacy/0,1848,68370,00.html

Jim


