30 November 2012

MyWay Card Hacking

| imagineteamsol

Hey All,

I just got an awesome Galaxy Note 2 to do some development on, and to my extreme delight, I found it has NFC capabilities. For those who haven’t heard of NFC, it’s an extension of RFID technologies, which allows for wireless data transfer over a 10cm range. Obviously, I had some good fun scanning different things to see what was read, and eventually, my focus turned to my MyWay card.

I was intrigued. Seeing that NFC capabilities in handsets are to become the norm, I was curious to see how secure the cards were. If I could possibly top my card up without having actually paid, or get the details of someone else’s card, it would defeat the purpose of a $65 million system. The MyWay card uses the MiFare Classic 1k standard, which has 16 sectors of 64 bytes. After doing some digging, I found that each sector is encrypted using two 48-bit keys, and the last sector contains these keys, and a configuration file (which specifies which blocks are read-only/write).

At this point I was stuck. If the keys were somehow obtained, it would be a simple matter of seeing which block contains the information regarding the balance, and editing the value, or copying the values onto the phone to spoof someone else’s phone. On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

It was an interesting exercise, and I’d love to hear your thoughts/insights!

Cheers,
Zakaria
Imagine Team

UPDATE: This in from the Imagine Team
Hey all,

We’ve had a think about our last blog post and taken a fresh look on how it could be mis-interpreted.

We didn’t intend to give the impression that we were maliciously going after the security of the MyWay system. Nothing of the sort, this was an exploration of what MyWay is and how it works: nothing was hacked or similar, nor are we encouraging it. On that note, the title “MyWay Card Hacking” was a reference to technical exploration, not the criminal connotation of the term.

We’d be really keen to see ACTION/MyWay adopt the positive possibilities of incorporating MyWay into phones with NFC.

Imagine Team


I know this is old but did you manage to get a copy of the card data, not for misuse but for uploading to something like this http://nfcring.com/ I would love to not have to carry my card.

On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

Please explain. How does this allow for instant top ups? Or are you only talking about “hacked” top ups by loading the card data onto the phone and then altering the card balance?

Tagging, not tapping.

Why is it called ‘tapping’ on – I don’t ‘tap’ anything…

Lazy I said :

Look at me
I have NFC
Missing some encryption keys
And linking to my company

/end

P.S. poetix, you’re out of a job.

What is wrong with that? These guys wrote the MyBus 2.0 app for our city and have quite a collection of awards and achievements. They seem to be doing quite fine without cheap plugs and I doubt if that was their intention. Even if it was just to get recognition for what they have done then so what, they have earnt it. If you can do better then go ahead and dazzle us with your brilliance, if not then give them a break.

Look at me
I have NFC
Missing some encryption keys
And linking to my company

/end

P.S. poetix, you’re out of a job.

“If the keys were somehow obtained…”

My old Mum used to say “if wishes were horses, beggars would ride.” If you had the keys to a lot of stuff you’d be a rich man, Or in gaol. Or both.

johnboy said :

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how I’d set it up.

The problem with this is that the reader needs contact with the servers, which on the buses doesn’t exist.

I think you will find how it works is the balance is actually kept on the card and is reconciled with the servers when the bus returns to depot.

So let’s say you get a new card and load it up with some cash. The machine that does that is in contact with the server so writes the balance to the card and the server.

When you use on the bus it deducts the fare from the card and keeps a record on the bus equipment. When the bus gets to the depot it copies the information to the servers and deducts from the server.

Say you now top up using BPAY: the servers will send the reload data to all the bus machines, you use the card on a bus, the bus says you have new credit, adds this to the card and keeps a record that it has been issued to you. Bus returns to depot, servers reconciled.

imagineteamsol said :

No. If you noticed, the machine puts the balance on the card. You can top up your machine instantly at a MyWay center because they have the machines locally. When you recharge online, all the MyWay machines are synced every night at the depot, and when you tap on, the machine on the bus adds the balance to your card.

What do you suppose happens when at the nightly sync, the logs from the MyWay machine on the bus you rode shows that your card balance mysteriously increased at some point? Cloning someone else’s card seems like a better attack.
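Added example (not part of the original thread, and not MyWay's actual back office): a minimal sketch of the depot-side reconciliation check the comments above describe, run over constructed records. The record format, the per-card counter and all names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: records bus readers upload at the depot sync.
# Hypothetical format: (reader, card, per-card counter, kind, cents, before, after)
BUS_RECORDS = [
    ("bus-12", "card-A", 1, "fare", 250, 2000, 1750),
    ("bus-12", "card-A", 2, "load", 1000, 1750, 2750),  # authorised online top-up
    ("bus-30", "card-A", 3, "fare", 250, 2750, 2500),
    ("bus-12", "card-B", 1, "fare", 250, 500, 250),
    ("bus-30", "card-B", 2, "fare", 250, 5250, 5000),   # balance grew between taps
    ("bus-12", "card-C", 1, "fare", 250, 1000, 750),
    ("bus-12", "card-C", 2, "fare", 250, 750, 500),
    ("bus-44", "card-C", 2, "fare", 250, 750, 500),     # same counter on a second bus
    ("bus-44", "card-D", 1, "load", 2000, 300, 2300),   # no matching server top-up
]
AUTHORISED_LOADS = [("card-A", 1000)]  # constructed: top-ups the server pushed to readers


def reconcile(records, authorised_loads):
    """Return {card: [(counter, finding), ...]} for inconsistent offline histories."""
    pending = list(authorised_loads)
    by_card = defaultdict(list)
    for rec in records:
        by_card[rec[1]].append(rec)
    findings = defaultdict(list)
    for card, recs in by_card.items():
        recs.sort(key=lambda r: r[2])
        prev_seq = prev_after = None
        for _reader, _card, seq, kind, cents, before, after in recs:
            # The reader's own arithmetic must hold for every record.
            if after != (before + cents if kind == "load" else before - cents):
                findings[card].append((seq, "bad-arithmetic"))
            # A load is only valid if the server authorised exactly that top-up.
            if kind == "load":
                if (card, cents) in pending:
                    pending.remove((card, cents))
                else:
                    findings[card].append((seq, "unauthorised-load"))
            if seq == prev_seq:
                # Two taps carrying the same counter: two copies of one card exist.
                findings[card].append((seq, "counter-reuse"))
            elif prev_seq is not None and seq == prev_seq + 1 and before != prev_after:
                # Consecutive taps, yet the balance changed with no reader recording it.
                findings[card].append((seq, "balance-gap"))
            prev_seq, prev_after = seq, after
    return dict(findings)


if __name__ == "__main__":
    for card, issues in reconcile(BUS_RECORDS, AUTHORISED_LOADS).items():
        print(card, issues)
```

A gap in the counter is deliberately not flagged here, since a bus that has not yet returned to the depot leaves legitimate holes in a card's history.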

The MiFare Classic is known to be insecure. See the paper Wirelessly Pickpocketing a Mifare Classic Card by a team at Radboud University Nijmegen, The Netherlands.

At the very least, a lot of news stories on RFID and the lawyering that the credit card companies did to Mythbusters when they wanted to see how hackable the technology was, make me think that it isn’t anywhere near as secure as most people think.

lol that would have been an awesome (and eye opening) MB show if that ever had gone to air *sighs*

imagineteamsol said :

I think you have the wrong impression. At no point will, or have I done this to bypass fares or steal information that wasn’t mine. As I stated, it’s an academic exercise. Further, I want to make sure someone with ill-intent can’t steal my details, and to make sure we as Canberrans get the best bang for our buck. We spent $65 million on the MyWay system, and all I want to do is make sure that it’s not something that can be bowled over in an afternoon’s work.

Oh, I fully appreciate that, surely someone intending to steal information wouldn’t make a post about it on RA. I was referring only to the hypothetical that Duffbowl presented.

imagineteamsol said :

On that note, the encryption on credit cards is not at all as trivial as the MyWay balance encryption, so not comparable mate.

I’m not intimately familiar with either, so I’ll have to trust you on that. At the very least, a lot of news stories on RFID and the lawyering that the credit card companies did to Mythbusters when they wanted to see how hackable the technology was, make me think that it isn’t anywhere near as secure as most people think.

Interesting article Zakaria. If the hack is successful, you might find yourself being offered a job at the MyWay securities team.
The thing is, if Zakaria manages to hack it successfully, there’s no telling how many others are able to do this and exploit the system. Personally if the myway can be hacked, I’d contact MyWay straight away.
Something similar’s happened with the Victorian Myki system:
http://www.crn.com.au/News/276587,victorias-myki-cards-hacked-dumped.aspx

imagineteamsol 11:22 am 29 Nov 12

arescarti42 said :

If you were going to do this, you might as well go sniffing for RFID credit card details. Going through all that effort is hardly worth it when you can only use it to save two-fitty on a bus fare.

I think you have the wrong impression. At no point will, or have I done this to bypass fares or steal information that wasn’t mine. As I stated, it’s an academic exercise. Further, I want to make sure someone with ill-intent can’t steal my details, and to make sure we as Canberrans get the best bang for our buck. We spent $65 million on the MyWay system, and all I want to do is make sure that it’s not something that can be bowled over in an afternoon’s work.

On that note, the encryption on credit cards is not at all as trivial as the MyWay balance encryption, so not comparable mate.

Duffbowl said :

What would be interesting to some would be if you could clone the information of the card, gathered by some surreptitious sniffing, and have someone else’s card (or a group of cards) reside in either your smartphone or a card of different manufacture.

If you were going to do this, you might as well go sniffing for RFID credit card details. Going through all that effort is hardly worth it when you can only use it to save two-fitty on a bus fare.

imagineteamsol 10:41 am 29 Nov 12

Here_and_Now said :

Yes, I think this is akin to “I’ve realised that if someone goes out and leaves their door open, it’s easy to just walk in and take all of their stuff!”

I definitely see where you’re coming from, but it’s more of an academic exercise than anything. I think more what I’m trying to do, extending your example, is to let the owners know their door is unlocked to begin with.

kos said :

Your myway card doesn’t store a balance, it should only take 5 seconds for you to figure that out;

http://www.transport.act.gov.au/myway/topup.html

If you can top up your card online, how do you think the balance then gets back physically to your card?

No. If you noticed, the machine puts the balance on the card. You can top up your machine instantly at a MyWay center because they have the machines locally. When you recharge online, all the MyWay machines are synced every night at the depot, and when you tap on, the machine on the bus adds the balance to your card.

PantsMan said :

With all the power within your Galaxy Nought, you choose to target a bus ticketing system?

That, and looking like an idiot while making phone calls: it’s huge!

The card acts as JB says, for authentication and authorisation only.

What would be interesting to some would be if you could clone the information of the card, gathered by some surreptitious sniffing, and have someone else’s card (or a group of cards) reside in either your smartphone or a card of different manufacture. Select who you want to be, have them pay for your fare, and Robert is your Mum’s brother. Have a fairly wide pool, preferably sourced from near bus routes that you will regularly take, and spread the pain over say 50 MyWay users. Once a month, they will fork out for an extra fare, and it most likely will go unnoticed.

Of course, doing so would most likely end up in you being charged as a criminal when caught, under the same sections as those that source and misuse credit cards that don’t belong to them. Attempting to reverse engineer the card and their protections would most likely be on the edge of criminal. Publishing here that you are doing it at work, or using your work account on RA, could be seen as opening up your employer to investigation as well.

Golden rule: Do nothing without getting explicit permission from the system owner.

devils_advocate 10:35 am 29 Nov 12

johnboy said :

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how I’d set it up.

Even if this is the case, the capability to dupe someone else’s card details would allow you to use up their balance, rather than your own.

eyeLikeCarrots 10:32 am 29 Nov 12

Stratsec did it 2 years ago

johnboy: the issue with it being only on the servers would be when the bus can’t talk to the servers. There must be some ability to use the card without needing to talk to the servers. It’s probably a mix of both offline and online.

With all the power within your Galaxy Nought, you choose to target a bus ticketing system?

Your myway card doesn’t store a balance, it should only take 5 seconds for you to figure that out;

http://www.transport.act.gov.au/myway/topup.html

If you can top up your card online, how do you think the balance then gets back physically to your card?

I didn’t understand a word of it. Sheesh, technology ay.

??? I’m really going to have to start reading more about new techo things. I didn’t understand any of imagineteam’s note.

Not sure about the rest of Japan, but in Tokyo you can associate the chip on your phone with your smart card, so you don’t even need the card- just swipe your phone to pay for things at vending machines, shops, train stations etc. My friend showed me this technology in 2006… we’ve got a long way to go. Sigh.

What I want to know is can you get the phone to emulate a myway card in the same way that it can emulate a credit card, so you don’t actually have to carry it on you when you ride the bus.

Sounds a tad Romanian to me!

Here_and_Now 9:23 am 29 Nov 12

Yes, I think this is akin to “I’ve realised that if someone goes out and leaves their door open, it’s easy to just walk in and take all of their stuff!”

steveu said :

I think unless you have permission to do so from the owner of the technology, what you are proposing is very illegal. Illegal in the sense that you could find AFP on your doorstep with a warrant very quickly.

Yeah, in the immortal words of Chris Rock… “man I wouldn’t do dat sh*t if I was you”

I think unless you have permission to do so from the owner of the technology, what you are proposing is very illegal. Illegal in the sense that you could find AFP on your doorstep with a warrant very quickly.

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how I’d set it up.