Skip to content Skip to main navigation

Innovation

New high performance team wear for cricket clubs - Steve Waugh & ONTHEGO Sports

MyWay Card Hacking

By imagineteamsol - 29 November 2012 31

Hey All,

I just got an awesome Galaxy Note 2 to do some development on, and to my extreme delight, I found it has NFC capabilities. For those who haven’t heard of NFC, its an extension of RFID technologies, which allows for wireless data transfer over a 10cm range. Obviously, I had some good fun scanning different things to see what was read, and eventually, my focus turned to my MyWay card.

I was intrigued. Seeing that NFC capabilities in handsets is to become the norm, I was curious to see how secure the cards were. If I could possibly top my card up without having actually paid, or get the details of someone else’s card, it would defeat the purpose of a $65 million dollar system. The MyWay card uses the MiFare Classic 1k standard, which has 16 sectors of 64 bytes. After doing some digging, each sector is encrypted using two 48-bit keys, and the last sector contains these keys, and a configuration file (which specifies which blocks are read-only/write).

At this point I was stuck. If the keys were somehow obtained, it would be a simple matter of seeing which block contains the information regarding the balance, and editing the value, or copying the values onto the phone to spoof someone else’s phone. On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

It was an interesting exercise, and I’d love to hear your guy’s thoughts/insights!

Cheers,
Zakaria
Imagine Team

UPDATE . This in from the Imagine Team
Hey all,

We’ve had a think about our last blog post and taken a fresh look on how it could be mis-interpreted.

We didn’t intend to give the impression that we were maliciously going after the security of the MyWay system. Nothing of the sort, this was an exploration of what MyWay is and how it works: nothing was hacked or similar, nor are we encouraging it. On that note, the title “MyWay Card Hacking” was a reference to technical exploration, not the criminal connotation of the term.

We’d be really keen to see ACTION/MyWay adopt the positive possibilites of incorporating MyWay into phones with NFC.

Imagine Team

What’s Your opinion?


Please login to post your comments
31 Responses to
MyWay Card Hacking
1
steveu 9:11 am
29 Nov 12
#

I think unless you have permission to do so from the owner of the technology, what you are proposing us very illegal. Illegal in the sense that you could find afp on your doorstep with a warrant very quickly.

Report this comment

2
rainmaker 9:16 am
29 Nov 12
#

steveu said :

I think unless you have permission to do so from the owner of the technology, what you are proposing us very illegal. Illegal in the sense that you could find afp on your doorstep with a warrant very quickly.

Yeah, in the immortal words of Chris Rock… “man I wouldn’t do dat sh*t if I was you”

Report this comment

3
johnboy 9:20 am
29 Nov 12
#

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how i’d set it up.

Report this comment

4
Here_and_Now 9:23 am
29 Nov 12
#

Yes, I think this is akin to “I’ve realised that if someone goes out and leaves their door open, it’s easy to just walk in and take all of their stuff!’

Report this comment

5
poetix 9:36 am
29 Nov 12
#

Sounds a tad Romanian to me!

Report this comment

6
arescarti42 9:38 am
29 Nov 12
#

What I want to know is can you get the phone to emulate a myway card in the same way that it can emulate a credit card, so you don’t actually have to carry it on you when you ride the bus.

Report this comment

7
Mr Waffle 9:40 am
29 Nov 12
#

Not sure about the rest of Japan, but in Tokyo you can associate the chip on your phone with your smart card, so you don’t even need the card- just swipe your phone to pay for things at vending machines, shops, train stations etc. My friend showed me this technology in 2006… we’ve got a long way to go. Sigh.

Report this comment

8
MERC600 9:52 am
29 Nov 12
#

??? I’m realy going to have to start reading more about new techo things. I didn’t understand any of imagineteams note.

Report this comment

9
Alderney 9:54 am
29 Nov 12
#

I didn’t underatand a word of it. Sheesh, technology ay.

Report this comment

10
kos 10:03 am
29 Nov 12
#

Your myway card doesn’t store a balance, it should only take 5 seconds for you to figure that out;

http://www.transport.act.gov.au/myway/topup.html

If you can top up your card online, how do you think the balance then gets back physically to your card?

Report this comment

11
PantsMan 10:20 am
29 Nov 12
#

With all the power within your Galaxy Nought, you choose to target a bus ticketing system?

Report this comment

12
mneuling 10:27 am
29 Nov 12
#

johnboy: the issue with it being only on the servers would be when the bus can’t talk to the servers. There must be some ability to use the card without needed to talk to the servers. It’s probably a mix of both offline and online.

Report this comment

13
eyeLikeCarrots 10:32 am
29 Nov 12
#

Stratsec did it 2 yerars ago

Report this comment

14
devils_advocate 10:35 am
29 Nov 12
#

johnboy said :

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how i’d set it up.

Even if this is the case, the capability to dupe someone else’s card details would allow you to use up their balance, rather than your own.

Report this comment

15
Duffbowl 10:36 am
29 Nov 12
#

The card acts as JB says, for authentication and authorisation only.

What would be interesting to some would be if you could clone the information of the card, gathered by some surreptitious sniffing, and have someone else’s card (or a group of cards) reside in either your smartphone or a card of different manufacture. Select who you want to be, have them pay for your fare, and Robert is your Mum’s brother. Have a fairly wide pool, preferably sourced from near bus routes that you will regularly take, and spread the pain over say 50 MyWay users. Once a month, they will fork out for an extra fare, and it most likely will go unnoticed.

Of course, doing so would most likely end up in you being charged as a criminal when caught, under the same sections as those that source and misuse credit cards that don’t belong to them. Attempting to reverse engineer the card and their protections would most likely be on the edge of criminal. Publishing here that you are doing it at work, or using your work account on RA, could be seen to opening up your employer to investigation as well.

Golden rule: Do nothing without getting explicit permission from the system owner.

Report this comment

1 2 3

Related Articles

CBR Tweets

Sign up to our newsletter

Top
Copyright © 2016 Riot ACT Holdings Pty Ltd. All rights reserved.

Search across the site