Skip to content Skip to main navigation

News

Buying off the plan?
View our developments

MyWay Card Hacking

By imagineteamsol 29 November 2012 31

Hey All,

I just got an awesome Galaxy Note 2 to do some development on, and to my extreme delight, I found it has NFC capabilities. For those who haven’t heard of NFC, its an extension of RFID technologies, which allows for wireless data transfer over a 10cm range. Obviously, I had some good fun scanning different things to see what was read, and eventually, my focus turned to my MyWay card.

I was intrigued. Seeing that NFC capabilities in handsets is to become the norm, I was curious to see how secure the cards were. If I could possibly top my card up without having actually paid, or get the details of someone else’s card, it would defeat the purpose of a $65 million dollar system. The MyWay card uses the MiFare Classic 1k standard, which has 16 sectors of 64 bytes. After doing some digging, each sector is encrypted using two 48-bit keys, and the last sector contains these keys, and a configuration file (which specifies which blocks are read-only/write).

At this point I was stuck. If the keys were somehow obtained, it would be a simple matter of seeing which block contains the information regarding the balance, and editing the value, or copying the values onto the phone to spoof someone else’s phone. On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

It was an interesting exercise, and I’d love to hear your guy’s thoughts/insights!

Cheers,
Zakaria
Imagine Team

UPDATE . This in from the Imagine Team
Hey all,

We’ve had a think about our last blog post and taken a fresh look on how it could be mis-interpreted.

We didn’t intend to give the impression that we were maliciously going after the security of the MyWay system. Nothing of the sort, this was an exploration of what MyWay is and how it works: nothing was hacked or similar, nor are we encouraging it. On that note, the title “MyWay Card Hacking” was a reference to technical exploration, not the criminal connotation of the term.

We’d be really keen to see ACTION/MyWay adopt the positive possibilites of incorporating MyWay into phones with NFC.

Imagine Team

What’s Your opinion?


Please login to post your comments, or connect with
31 Responses to
MyWay Card Hacking
Filter
Showing only Website comments
Order
Newest to Oldest
Oldest to Newst
TMcMahon 9:27 pm 01 Mar 15

I know this is old but did you manage to get a copy of the card data, not for misuse but for uploading to something like this http://nfcring.com/ I would love to not have to carry my card.

ML-585 10:20 am 01 Dec 12

On the flip side, the legitimate advantage for all of this is to use your phone as your MyWay card, as opposed to the actual card itself. It would also allow for instant top ups (no more fumbling for change when you realise you forgot to top up your card!)

Please explain. How does this allow for instant top ups? Or are you only talking about “hacked” top ups by loading the card data onto the phone and then altering the card balance?

Keijidosha 2:01 pm 30 Nov 12

Tagging, not tapping.

astrojax 11:55 am 30 Nov 12

why is it called ‘tapping’ on – i don’t ‘tap’ anything…

aceofspades 10:31 am 30 Nov 12

Lazy I said :

Look at me
I have NFC
Missing some encryption keys
And linking to my company

/end

P.S. poetix, you’re our of a job.

What is wrong with that. These guys wrote the MyBus 2.0 app for our city and have quite a collection of awards and achievements. They seem to be doing quite fine without cheap plugs and I doubt if that was their intension. Even if it was just to get recognition for what they have done then so what, they have earnt it. If you can do better then go ahead and dazzle us with your brilliance, if not then give them a break.

Lazy I 9:28 am 30 Nov 12

Look at me
I have NFC
Missing some encryption keys
And linking to my company

/end

P.S. poetix, you’re our of a job.

Deref 8:59 am 30 Nov 12

“If the keys were somehow obtained…”

My old Mum used to say “if wishes were horses, beggars would ride.” If you had the keys to a lot of stuff you’d be a rich man, Or in gaol. Or both.

JC 8:03 pm 29 Nov 12

johnboy said :

I’m pretty sure the balance is stored on the MyWay servers. Card reading is just authentication and debit authorisation?

At least that’s how i’d set it up.

The problem with this is that the reader needs contact with the servers, which on the buses doesn’t exit.

I think you will find how it works is the balance is actually kept on the card and is reconciled with the servers when the bus returns to depot.

So lets say you get a new card and load it up with some cash. The machine that does that is in contact with the server so writes the balance to the card and the server.

When you use on the bus it deducts the fare from the card and keeps a record on the bus equipment. When the bus gets to the depot it copies the information to the servers and deducts from the server.

Say you now topup using bpay the servers will send the reload data to the all the bus machines, you use the card on a bus, the bus says you have new credit, adds this to the card and keeps a record that it has been issued to you. Bus returns to depot servers reconciled.

caf 6:42 pm 29 Nov 12

imagineteamsol said :

No. If you noticed, the machine puts the balance on the card. You can top up your machine instantly at a MyWay center because they have the machines locally. When you recharge online, all the MyWay machines are synced every night at the depot, and when you tap on, the machine on the bus adds the balance to your card.

What do you suppose happens when at the nightly sync, the logs from the MyWay machine on the bus you rode shows that your card balance mysteriously increased at some point? Cloning someone else’s card seems like a better attack.

caf 6:38 pm 29 Nov 12

The MiFare Classic is known to be insecure. See the paper Wirelessly Pickpocketing a Mifare Classic Card by a team at Radboud University Nijmegen, The Netherlands.

Related Articles

CBR Tweets

Sign up to our newsletter

Top
Copyright © 2018 Riot ACT Holdings Pty Ltd. All rights reserved.
the-riotact.com | aboutregional.com.au | b2bmagazine.com.au | thisiscanberra.com

Search across the site