30 November 2012

MyWay Card Hacking

| imagineteamsol
Join the conversation
31

Hey All,

I just got an awesome Galaxy Note 2 to do some development on, and to my extreme delight, I found it has NFC capabilities. For those who haven’t heard of NFC, its an extension of RFID technologies, which allows for wireless data transfer over a 10cm range. Obviously, I had some good fun scanning different things to see what was read, and eventually, my focus turned to my MyWay card.

I was intrigued. Seeing that NFC capabilities in handsets is to become the norm, I was curious to see how secure the cards were. If I could possibly top my card up without having actually paid, or get the details of someone else’s card, it would defeat the purpose of a $65 million dollar system. The MyWay card uses the MiFare Classic 1k standard, which has 16 sectors of 64 bytes. After doing some digging, each sector is encrypted using two 48-bit keys, and the last sector contains these keys, and a configuration file (which specifies which blocks are read-only/write).

At this point I was stuck. If the keys were somehow obtained, it would be a simple matter of seeing which block contains the information regarding the balance, and editing the value, or copying the values onto the phone to spoof someone else’s phone. On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

It was an interesting exercise, and I’d love to hear your guy’s thoughts/insights!

Cheers,
Zakaria
Imagine Team

UPDATE . This in from the Imagine Team
Hey all,

We’ve had a think about our last blog post and taken a fresh look on how it could be mis-interpreted.

We didn’t intend to give the impression that we were maliciously going after the security of the MyWay system. Nothing of the sort, this was an exploration of what MyWay is and how it works: nothing was hacked or similar, nor are we encouraging it. On that note, the title “MyWay Card Hacking” was a reference to technical exploration, not the criminal connotation of the term.

We’d be really keen to see ACTION/MyWay adopt the positive possibilites of incorporating MyWay into phones with NFC.

Imagine Team

Join the conversation

31
All Comments
  • All Comments
  • Website Comments
LatestOldest
TMcMahon9:27 pm 01 Mar 15

I know this is old but did you manage to get a copy of the card data, not for misuse but for uploading to something like this http://nfcring.com/ I would love to not have to carry my card.

Reply
ML-58510:20 am 01 Dec 12

On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

Please explain. How does this allow for instant top ups? Or are you only talking about “hacked” top ups by loading the card data onto the phone and then altering the card balance?

Reply
Keijidosha2:01 pm 30 Nov 12

Tagging, not tapping.

Reply
astrojax11:55 am 30 Nov 12

why is it called ‘tapping’ on – i don’t ‘tap’ anything…

Reply
aceofspades10:31 am 30 Nov 12

Lazy I said :

Look at me
I have NFC
Missing some encryption keys
And linking to my company

/end

P.S. poetix, you’re our of a job.

What is wrong with that. These guys wrote the MyBus 2.0 app for our city and have quite a collection of awards and achievements. They seem to be doing quite fine without cheap plugs and I doubt if that was their intension. Even if it was just to get recognition for what they have done then so what, they have earnt it. If you can do better then go ahead and dazzle us with your brilliance, if not then give them a break.

Reply
Lazy I9:28 am 30 Nov 12

Look at me
I have NFC
Missing some encryption keys
And linking to my company

/end

P.S. poetix, you’re our of a job.

Reply
Deref8:59 am 30 Nov 12

“If the keys were somehow obtained…”

My old Mum used to say “if wishes were horses, beggars would ride.” If you had the keys to a lot of stuff you’d be a rich man, Or in gaol. Or both.

Reply
JC8:03 pm 29 Nov 12

johnboy said :

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how i’d set it up.

The problem with this is that the reader needs contact with the servers, which on the buses doesn’t exit.

I think you will find how it works is the balance is actually kept on the card and is reconciled with the servers when the bus returns to depot.

So lets say you get a new card and load it up with some cash. The machine that does that is in contact with the server so writes the balance to the card and the server.

When you use on the bus it deducts the fare from the card and keeps a record on the bus equipment. When the bus gets to the depot it copies the information to the servers and deducts from the server.

Say you now topup using bpay the servers will send the reload data to the all the bus machines, you use the card on a bus, the bus says you have new credit, adds this to the card and keeps a record that it has been issued to you. Bus returns to depot servers reconciled.

Reply
caf6:42 pm 29 Nov 12

imagineteamsol said :

No. If you noticed, the machine puts the balance on the card. You can top up your machine instantly at a MyWay center because they have the machines locally. When you recharge online, all the MyWay machines are synced every night at the depot, and when you tap on, the machine on the bus adds the balance to your card.

What do you suppose happens when at the nightly sync, the logs from the MyWay machine on the bus you rode shows that your card balance mysteriously increased at some point? Cloning someone else’s card seems like a better attack.

Reply
caf6:38 pm 29 Nov 12

The MiFare Classic is known to be insecure. See the paper Wirelessly Pickpocketing a Mifare Classic Card by a team at Radboud University Nijmegen, The Netherlands.

Reply
Zeital3:31 pm 29 Nov 12

At the very least, a lot of news stories on RFID and the lawyering that the credit card companies did to Mythbusters when they wanted to see how hackable the technology was, make me think that it isn’t anywhere near as secure as most people think.

lol that would have been an awesome (and eye opening) MB show if that ever had gone to air *sighs*

Reply
arescarti4212:01 pm 29 Nov 12

imagineteamsol said :

I think you have the wrong impression. At no point will, or have I done this to bypass fares or steal information that wasn’t mine. As I stated, its an academic exercise. Further, I want to make sure someone with ill-intent can’t steal my details, and to make sure we as Canberran’s get the best bang for our buck. We spent $65 million on the MyWay system, and all I want to do is make sure that its not something that can be bowled over in an afternoon’s work.

Oh, I fully appreciate that, surely someone intending to steal information wouldn’t make a post about it on RA. I was referring only to the hypothetical that Duffbowl presented.

imagineteamsol said :

On that note, the encryption on credit cards are not at all as trivial as the MyWay balance encryption- so not comparable mate.

I’m not intimately familiar with either, so I’ll have to trust you on that. At the very least, a lot of news stories on RFID and the lawyering that the credit card companies did to Mythbusters when they wanted to see how hackable the technology was, make me think that it isn’t anywhere near as secure as most people think.

Reply
noma12:00 pm 29 Nov 12

interesting article Zakaria. If the hack is successful, you might find yourself being offered a job at the MyWay securities team.
The thing is, if Zakaria manages to hack it successfully, there’s no telling how many others are able to do this and exploit the system. Personally if the myway can be hacked, I’d contact MyWay straight away.
Something similar’s happened with the Victorian Myki system:
http://www.crn.com.au/News/276587,victorias-myki-cards-hacked-dumped.aspx

Reply
imagineteamsol11:22 am 29 Nov 12

arescarti42 said :

If you were going to do this, you might as well go sniffing for RFID credit card details. Going through all that effort is hardly worth it when you can only use it to save two-fitty on a bus fare.

I think you have the wrong impression. At no point will, or have I done this to bypass fares or steal information that wasn’t mine. As I stated, its an academic exercise. Further, I want to make sure someone with ill-intent can’t steal my details, and to make sure we as Canberran’s get the best bang for our buck. We spent $65 million on the MyWay system, and all I want to do is make sure that its not something that can be bowled over in an afternoon’s work.

On that note, the encryption on credit cards are not at all as trivial as the MyWay balance encryption- so not comparable mate.

Reply
arescarti4210:51 am 29 Nov 12

Duffbowl said :

What would be interesting to some would be if you could clone the information of the card, gathered by some surreptitious sniffing, and have someone else’s card (or a group of cards) reside in either your smartphone or a card of different manufacture.

If you were going to do this, you might as well go sniffing for RFID credit card details. Going through all that effort is hardly worth it when you can only use it to save two-fitty on a bus fare.

Reply
imagineteamsol10:41 am 29 Nov 12

Here_and_Now said :

Yes, I think this is akin to “I’ve realised that if someone goes out and leaves their door open, it’s easy to just walk in and take all of their stuff!’

I definitely see where you’re coming from, but its more of an academic exercise than anything. I think more what I’m trying to do, extending your example, is to let the owners know their door is unlocked to begin with.

kos said :

Your myway card doesn’t store a balance, it should only take 5 seconds for you to figure that out;

http://www.transport.act.gov.au/myway/topup.html

If you can top up your card online, how do you think the balance then gets back physically to your card?

No. If you noticed, the machine puts the balance on the card. You can top up your machine instantly at a MyWay center because they have the machines locally. When you recharge online, all the MyWay machines are synced every night at the depot, and when you tap on, the machine on the bus adds the balance to your card.

PantsMan said :

With all the power within your Galaxy Nought, you choose to target a bus ticketing system?

That, and looking like an idiot while making phone calls- its huge!

Reply
Duffbowl10:36 am 29 Nov 12

The card acts as JB says, for authentication and authorisation only.

What would be interesting to some would be if you could clone the information of the card, gathered by some surreptitious sniffing, and have someone else’s card (or a group of cards) reside in either your smartphone or a card of different manufacture. Select who you want to be, have them pay for your fare, and Robert is your Mum’s brother. Have a fairly wide pool, preferably sourced from near bus routes that you will regularly take, and spread the pain over say 50 MyWay users. Once a month, they will fork out for an extra fare, and it most likely will go unnoticed.

Of course, doing so would most likely end up in you being charged as a criminal when caught, under the same sections as those that source and misuse credit cards that don’t belong to them. Attempting to reverse engineer the card and their protections would most likely be on the edge of criminal. Publishing here that you are doing it at work, or using your work account on RA, could be seen to opening up your employer to investigation as well.

Golden rule: Do nothing without getting explicit permission from the system owner.

Reply
devils_advocate10:35 am 29 Nov 12

johnboy said :

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how i’d set it up.

Even if this is the case, the capability to dupe someone else’s card details would allow you to use up their balance, rather than your own.

Reply
eyeLikeCarrots10:32 am 29 Nov 12

Stratsec did it 2 yerars ago

Reply
mneuling10:27 am 29 Nov 12

johnboy: the issue with it being only on the servers would be when the bus can’t talk to the servers. There must be some ability to use the card without needed to talk to the servers. It’s probably a mix of both offline and online.

Reply
PantsMan10:20 am 29 Nov 12

With all the power within your Galaxy Nought, you choose to target a bus ticketing system?

Reply
kos10:03 am 29 Nov 12

Your myway card doesn’t store a balance, it should only take 5 seconds for you to figure that out;

http://www.transport.act.gov.au/myway/topup.html

If you can top up your card online, how do you think the balance then gets back physically to your card?

Reply
Alderney9:54 am 29 Nov 12

I didn’t underatand a word of it. Sheesh, technology ay.

Reply
MERC6009:52 am 29 Nov 12

??? I’m realy going to have to start reading more about new techo things. I didn’t understand any of imagineteams note.

Reply
Mr Waffle9:40 am 29 Nov 12

Not sure about the rest of Japan, but in Tokyo you can associate the chip on your phone with your smart card, so you don’t even need the card- just swipe your phone to pay for things at vending machines, shops, train stations etc. My friend showed me this technology in 2006… we’ve got a long way to go. Sigh.

Reply
arescarti429:38 am 29 Nov 12

What I want to know is can you get the phone to emulate a myway card in the same way that it can emulate a credit card, so you don’t actually have to carry it on you when you ride the bus.

Reply
poetix9:36 am 29 Nov 12

Sounds a tad Romanian to me!

Reply
Here_and_Now9:23 am 29 Nov 12

Yes, I think this is akin to “I’ve realised that if someone goes out and leaves their door open, it’s easy to just walk in and take all of their stuff!’

Reply
rainmaker9:16 am 29 Nov 12

steveu said :

I think unless you have permission to do so from the owner of the technology, what you are proposing us very illegal. Illegal in the sense that you could find afp on your doorstep with a warrant very quickly.

Yeah, in the immortal words of Chris Rock… “man I wouldn’t do dat sh*t if I was you”

Reply
steveu9:11 am 29 Nov 12

I think unless you have permission to do so from the owner of the technology, what you are proposing us very illegal. Illegal in the sense that you could find afp on your doorstep with a warrant very quickly.

ReplyView 1 reply
johnboy9:20 am 29 Nov 12

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how i’d set it up.

ReplyHide replies
View more conversations

What's Trending

News20

Lake Burley Griffin floating sauna approved to open 2025, despite smoke concerns

wildturkeycanoe12 hours ago

The amount of solar panels required and batteries, would impact the environment and aesthetics of… View

wildturkeycanoe12 hours ago

Electric saunas are rubbish compared to good wood fired ones. I just can't believe all the moaning… View

Tony Pringle13 hours ago

Christine's Comments good on you I suppose you drove your electric 4WD to the cabin as well but that… View

Join the conversation
News26

Net zero milestone: Construction starts on Williamsdale Battery Energy Storage System

Seano12 hours ago

LMAO....nuclear is way more expensive but don't let that get in the way.… View

Seano12 hours ago

Unless you have a magic wand, it's not going to happen over night. View

Seano12 hours ago

Nuclear is massively more expensive than coal, which is more expensive than renewables.… View

Join the conversation
Property5

'We want green space more than concrete towers': Woden residents react to Geocon's plans for pool site

Bennett Bennett13 hours ago

For the betterment of the environment, it's in the best interests for the good citizens of Woden to… View

Andrew Denny20 hours ago

Is there data on current pool usage/patronage that is publicly available? How many citizens are… View

Join the conversation
Public Sector51

No one's rushing to help Pocock get more senators for the ACT

JustSaying17 hours ago

@chewy14 The problem that exists, is that the current Senate representation of the territories is… View

chewy142 days ago

Justsaying, Once again, how does Pocock's proposal result in any improvements to the things you… View

Ken M2 days ago

Based on, well, climate 200 bankrolling them, and as we all know, billionaires never want anything… View

Join the conversation
Lifestyle

This iconic little Canberra store is going national

By James Coleman
Start the conversation
News

Tourism leader Jackie McKeown mourned after death in Jerrabomberra crash

By Albert McKnight
21
Property

The million-dollar townhouse with a visitor car park but no separate entry to the back yard

By Ian Bushnell
30
Lifestyle

Canberra school kids now have their own racetrack to learn the basics of driving

By James Coleman
6
Food & Wine

After 45 years, Little Theo's is still going strong!

By Michelle Taylor
22
Opinion

Flight data shows Canberra is still being taken for a ride

By Ian Bushnell
10

Featured Properties

Zango Logo

Today's Poll

Do you support banning under 16s from social media?

View Results

Loading ... Loading ...
Explore 'Probing the Polls'

Featured Businesses

Mortgage Brokers

Clarity Home Loans

A passionate team of Canberrans helping other Canberrans secure their home loans. No frills, no commissions, no brainer.

Find out more

Lawyers

Kamy Saeedi Law

When you need a criminal or commercial lawyer, you don’t want to take any chances. You want someone in your corner that you can trust like your life depends on it - because it does.

Find out more

Lawyers

MV Law

Through a spirit of entrepreneurialism, collaboration, and future-forward thinking, MV Law have earned an industry-leading reputation.

Find out more

Lawyers

BDN Lawyers

BDN has provided legal services to to Canberra, Queanbeyan and the region for over 160 years.

Find out more

Community Club

Canberra Southern Cross Club

We're proud to give you a place where friends and family can come together for good food and great entertainment.

Find out more

Electricians

True Connection Electrical

Since 2014, True Connection Electrical have been servicing residential and small commercial clients with reliable, trustworthy and top-quality electrical work.

Find out more

Insurance Brokers

allinsure

Allinsure has been a trusted insurance advisory to thousands of Australian business owners for almost 20 years.

Find out more

Podiatrists

The Walking Clinic

The Walking Clinic has perpetuated an attitude of excellence in foot health provision. The experienced Podiatric team provide current and innovative care to all patients.

Find out more
View the best of Canberra

What's On

Research Festival 2024
View all upcoming events

Related Stories

MyWay's millions: Steel urges Canberrans to register cards for balance transfers to new system

MyWay's millions: Steel urges Canberrans to register cards for balance transfers to new system

14 August 2024 | By Ian Bushnell
9
What will MyWay+ do? That's a $64 million question

What will MyWay+ do? That's a $64 million question

26 May 2023 | By Ian Bushnell
7
MyWay+ starts 'learning journey' around public transport network before November launch

MyWay+ starts 'learning journey' around public transport network before November launch

9 May 2024 | By Ian Bushnell
Start the conversation
Seven years in the making, MyWay+ set to debut in 2024 (and there'll be a demo bus to practise on)

Seven years in the making, MyWay+ set to debut in 2024 (and there'll be a demo bus to practise on)

24 October 2023 | By Ian Bushnell
56
Start date announced for new ticketing system on buses, light rail

Start date announced for new ticketing system on buses, light rail

15 November 2024 | By Ian Bushnell
Start the conversation
Andrew Barr's Twitter account hacked, posting crypto and stock trading tweets

Andrew Barr's Twitter account hacked, posting crypto and stock trading tweets

26 April 2023 | By Lizzie Waymouth
5
ACT Government pressured to offer free public transport if MyWay+ system isn't ready by September

ACT Government pressured to offer free public transport if MyWay+ system isn't ready by September

6 March 2024 | By Claire Fenwicke
16
What the heck are hackathons, and why do they matter?

What the heck are hackathons, and why do they matter?

9 May 2024 | By Morgan Kenyon
1
Canberra's buses should have Business Class

Canberra's buses should have Business Class

25 June 2024 | By John Coleman
37

Daily Digest

Want the best Canberra news delivered daily? Every day we package the most popular Riotact stories and send them straight to your inbox. Sign-up now for trusted local news that will never be behind a paywall.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.