Matkakortti Evolved

Many of you may have heard about the new Matkakortti, being rolled out as of last week (10.11.2009). Ads for the new card have appeared all over the place, and urge people to change the card during their next re-charge. The new card has a nice flashy green graphic printed on it, no doubt to reflect the new eco-features of the card.

So what changes? According to YTV, the previous blue cards have reached the end of their life-cycle. “As with credit- and debit-cards, the cards have to be changed out every few years”. Also, the new cards are now ISO 14443A compliant (specifications for RFID cards). I have a funny feeling the last cards were compliant as well, but there’s no data on this. They were made by Mifare as well (as the new cards), so i think they were compliant.

The color of the card changes, but also, the type chages. The old cards were MIFARE classic. This is a card that has a 48-bit encryption key, that is seeded based on the “start-date” of the card, i.e. when it was first turned on. This system has been broken multiple times. To give you an idea of how easy it is, it takes about 12 seconds on a standard laptop computer to break the built-in Crypto-1 encryption scheme.

The cards are ASIC based, and have a very limited storage space. There are 1K and 4K versions of the card, and accounting for read-only data put in by the manufacturer, the de-facto storage space of these cards was 752 bytes and 3440 bytes respectively. That’s a whole lot already!

The new cards are based on later revisions of MIFARE technology. There are two basic types that will be rolled out now (the specific models are not listed, but i’m going to find out one way or another):

  • MIFARE DESfire. This is the regular “multiple use” card that most of us use every day. More on this later.
  • MIFARE Ultralight. This is the “use once” tourist card, which can be charged once, and then thrown away after use.

DESfire is a new card type that MIFARE came out with in 2002. There is an EV1 (evolution 1) version of the card, which was released in 2006 and offers more options and better crypto. Which system is used here, i’m not sure as i said, but i’ll find out. This is an entirely new card compared to the old stupid cards. They sport a real NXP made microprocessor, and more memory. There are 2, 4 and 8KB versions of the card. They come with a propietary DESfire operating system, which uses a real directory/file structure in the storage space. The crypto is upgraded from “Crypto-1”, using a 48bit key, to a minimum triple-DES, i.e. 3x56bits keylength, and up to a 128-bit AES in the EV1 variant. The NXP microprocessor is 8051 based, and has separate hardware crypto-accelerators for both AES and 3DES, which makes the crypto transactions even faster than before.

Ultralight is the use-once version of the cards. Cheaper to manufacture, it’s apparently made out of some kind of thick paper. There are also two versions of this card, the  Ultralight, and the  Ultralight C, which are from 2001 and 2008 respectively. The plain-jane version offers no crypto at all, and 512 bits (64 bytes) of memory. The C variant offers crypto, more storage-space, and ISO 14443 compliance. It is highly likely, that the version being rolled out is the C version, because it has features that make it suitable for mass transportation (i.e. abrasion resistance and crypto).

So why are the cards being changed for real? I’ll offer a few guesses. One, is that the new cards are cheaper. That’s a big thing when it comes to public transport and anything government funded. The Apollo astronauts reminded each other that they are going to the moon in a craft built by the company that made the cheapest offer. I’m not saying cheap is bad in this case though.

The new cards are also more ecological. Also a big thing in government projects, and easier to sell to consumers. The cards are either made out of bio-degradable plastic, or paper.

All methods of public transport will be fitted with GPS. Some already have it (trains, trams and some busses), but i suppose they’ll be rolling this out to every damn thing. This makes tracking not only the vehicle easy, but also tracking you. They can stamp your card with exactly the stop you got on. Where you got off is another matter entirely, but in any case. The bus and the reader knows where you are, and when you get on, the card will retain this information, along with personally identifiable information. This information is said not to be readable by regular kiosks and other recharge outlets, but only by ticket inspectors or law enforcement “should the legal need arise”. In any case, the expanded memory and processing capability, plus the new crypto, make the cards very hard to hack, and capable of storing hoards of information, and not just a “one travel” buffer, which contains your last transit. This of course, is pure speculation on my part.

Why replace an already working system? Well, that’s anybody’s guess, and the site they put out doesn’t really give a specific reason. The fact that the new cards are cheaper, is a small issue, when we consider that there are already what.. a million cards in circulation that now all have to be replaced? Expanding the system to new areas? Okay, but why not just expand the current, tried and tested (and broken :)) system? The cards are at the end of their lifespan? Why? My card is seven years old and it works just fine. I’ve had it in my pocket, my wallet and god knows where. There are no moving parts, and no exposed chips, as with regular smart cards. The exposed components tend to wear out and that is a good reason to change your card. But it doesn’t apply to the Matkakortti. Sure, if you bend the card, it’ll snap, but i bet the new cards are just the same.

I also have a hard time believing that standards compliance is a reason for the overhaul. The old cards are based on the same basic technology, i.e. RFID, which should in itself adhere to ISO 14443. If it didn’t, okay, but adhering to standards isn’t a benefit for the consumer in this case. Everyone is forced to either use the cards, or pay each trip with cash, which leaves little options. The standard defines how well the card should withstand physical abuse, but again, i stress that my card is still working after seven years. Abuse-resistance was not an issue with the old cards either.

So the Fox Mulder in me deduces that this is just a way to track us even more closely. The hacking of cards wasn’t an issue in Finland, at least not that i heard of, but with the new cards, this becomes practically impossible, unless there are vulnerabilities in the implementation of the crypto, or predictability in the key-generation (or exchange) as with the previous system. This removes any chance of an “open and fair” system, meaning that i can’t buy a MIFARE reader, and dig out the data that they have store on me personally, on the card. I’m not even looking for free travel or some such shit, i just want to know how the system stores and uses my data.

I’ll be following up on this as i get my hands on the new card. I’ll be retaining a few of the older cards, just to make comparisons, should such an opportunity arise. I’m still in the market for a MIFARE reader, but i haven’t gotten off my lazy ass and bought one yet.

Source to my rambles are:

Added PGP-key

I added my PGP public key, so you can send me mail with it. You can get it here, or by clicking the PGP-key link in the sidebar. If you want to send me something using PGP, use my grelbar {ät-sign} gmail \dot\ com

Oh yeah, and i also recommend the FireGPG addon for Firefox. It can do encryption and decryption in a webmail environemnt, say gmail. You need gpg installed, in windows it’s something like wingpg? Or something. It comes installed in most Gnu/Linux distros. Import or create your own key to the key manager. Once it’s configured, you can just open an encrypted mail in gmail, and it’ll ask for your password to decrypt. It’s very easy, and works well.

The only thing we noticed with P is that when i reply to his mails from gmail, the encoding is all fucked, probably due to either gmail or Firefox or my systems or all of the above, but in any case, the decryption works fine.

Matkakortti, some findings

So, i’ve gathered the information from a few cards, mostly friends and family, and here’s what i’ve got (it’s not a lot!):

The second number is interesting. This is the BUSCOM number. Buscom is the company that makes the readers and other systems related to this, i suppose. The system is built around the Mifare rfid system, which is used around the world. The frequency it operates on is 13.56 Mhz, and the range is not many centimeters. There are mifare readers you can buy on ebay, just look for 13.56 or mifare or something. They cost between 30-50 dollars, which is pretty cheap in real money, e.g. euros.

Anyway, the Buscom number. It’s only four numbers long, which allows for 10 000 permutations. That’s a lot less than the amount of cards in circulation (probably in the hundreds of thousands, if not over a million). So what is this number? I’ve been suggested card revision, or location where it was bought, but that doesn’t track, at least in any way i could figure out. I’ve got a few cards that have been bought in the same place, but they have a different number. Are there over 10 000 retailers of these cards? Maybe, maybe not. But in any case, it doesn’t match. The numbers vary wildly even those bought in the same place. Any ideas are welcome.

There might be a difference between personal, and non-personal cards. I don’t have any non-personal cards yet, so i can not verify this, but it would make sense.

The third number, the actual card number always starts with F246300111, and then after that a seemingly random sequence. Probably just a manufacturing sequence, but there might be a repeating sequence in there, that is for instance area-specific.

The first number, for some reason seems to be worn out on most cards. I have a bunch of numbers, but on one card, which is apparently an early card, has an asterisk in the string, which is very interesting. All the other cards have numbers and/or letters.

About the updating, there needs to be a dynamic update that takes place on every transaction, because, the state of a card needs to be determined. A card can be blocked out by the transit authority people, if you’ve lost your card. This might happen on a daily basis (why do the readers have a buffer?), but i doubt it. I’m suspecting a wireless link, but that needs to be confirmed with a scanner or something akin to one, which can tell me if there is a frequency that is used.

The card has a buffer for a few fares, it seems. My old card, had a bug. It showed a transfer from two years ago, even if that transfer had expired. This is because, when you have a transfer, it can’t get cleared when the time runs out, before you swipe the card again. The card is unpowered when it is just sitting in your pocket. So the transfer sticks until you swipe it past a reader, and it notices that the time the transfer is valid is cleared. For some reason, either due to a garbled read/write operation, or a faulty reader, it didn’t clear the transfer, and it stuck for two years. I use my card on a daily basis, so there isn’t a long delay, except during the summer vacations.

It can keep a few transfers in the card memory (or then it could be in the system, but i doubt it), because at one of those big automats, i’ve seen two transfers on the screen. The card/system also has to store the card type, for instance, the special card types such as handicap, pensioner, student, and other such types. Mine has student on the card, even though that expired 31.8.2008. I’m not sure why that is not cleared.

The card also has a validity, which, for my card, ends 31.10.2015, probably 10 years after i got the card, since i got mine in 2005. Why this is done, im not sure. I’ll wait until 2015 rolls around, and see if they just replace the card, or just update that field. It might also be static, that is written on the cards intialization when you first buy it, or upon its creation.

The next phase i assume, is getting the mifare read/write device. I’m not at all sure about the interface, because it just looks like a pcb with no dicernible interfaces on it. It’s probably some kind of serial traffic, but .. i’ll need to read up more on it.

EDIT: The mifare system, on quick googling, seems to have some serious flaws. It uses crypto (crypto-1) that has been broken by the CCC guys over in Germany. Check out this link for more. Basically, the guys found that only a small part of the gates on the card (about 10 000 in total), are used for crypto. The random number generator is a 16-bit integer, which is seeded based on how long the card has been powered on. Using an open source reader, Openpcd, they could use the same random number over and over again.

A cryptanalysis of the crypto protocol is here, by Karsten Nohl of ccc. The gist of this is that you can recover the secret key in mere minutes using an average desktop machine. The cipher is a pretty basic 48-bit linear feedback shift register encryption. To find bits of the key, use a specific challenge sent to the card, and then examine the first bit of the response.  Using a number of test challenges, an attacker can recover the entire secret key.