Matkakortti Evolved cont.

I actually got a reply from YTV! I asked them three specifying questions, and they answered them all. So the new and updated technical information is:

– The “use once cards” are in fact the lowest of the low, MIFARE Ultralight. No crypto, no brains, no nothing.

– The normal cards are DESFire (first generation), not EV1.

– The encryption method used is 3DES.

I wasn’t expecting a reply, but i got one, and pretty quickly too! So thanks YTV.

Matkakortti Evolved

Many of you may have heard about the new Matkakortti, being rolled out as of last week (10.11.2009). Ads for the new card have appeared all over the place, and urge people to change the card during their next re-charge. The new card has a nice flashy green graphic printed on it, no doubt to reflect the new eco-features of the card.

So what changes? According to YTV, the previous blue cards have reached the end of their life-cycle. “As with credit- and debit-cards, the cards have to be changed out every few years”. Also, the new cards are now ISO 14443A compliant (specifications for RFID cards). I have a funny feeling the last cards were compliant as well, but there’s no data on this. They were made by Mifare as well (as the new cards), so i think they were compliant.

The color of the card changes, but also, the type changes. The old cards were MIFARE Classic. This is a card that has a 48-bit encryption key, that is seeded based on the “start-date” of the card, i.e. when it was first turned on. This system has been broken multiple times. To give you an idea of how easy it is, it takes about 12 seconds on a standard laptop computer to break the built-in Crypto-1 encryption scheme.

The cards are ASIC based, and have a very limited storage space. There are 1K and 4K versions of the card, and accounting for read-only data put in by the manufacturer, the de-facto storage space of these cards was 752 bytes and 3440 bytes respectively. That’s a whole lot already!
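The 752 and 3440 byte figures follow from the MIFARE Classic block layout: 16-byte blocks, one read-only manufacturer block, and one trailer block per sector that holds that sector's keys and access bits. The sketch below is an added example, not part of the original post; the function names are made up for illustration.

```python
BLOCK_SIZE = 16  # bytes per block on MIFARE Classic

# (number of sectors, blocks per sector) for each card size
LAYOUTS = {
    "1K": [(16, 4)],
    "4K": [(32, 4), (8, 16)],
}


def memory_map(card):
    """Return (sector, absolute_block, kind) for every block on the card."""
    blocks = []
    sector = 0
    absolute = 0
    for count, per_sector in LAYOUTS[card]:
        for _ in range(count):
            for i in range(per_sector):
                if absolute == 0:
                    kind = "manufacturer"  # read-only UID and manufacturer data
                elif i == per_sector - 1:
                    kind = "trailer"       # key A, access bits, key B
                else:
                    kind = "data"
                blocks.append((sector, absolute, kind))
                absolute += 1
            sector += 1
    return blocks


def summary(card):
    """Total size, usable data bytes and number of key-holding trailers."""
    kinds = [kind for _, _, kind in memory_map(card)]
    return {
        "total_bytes": len(kinds) * BLOCK_SIZE,
        "usable_bytes": kinds.count("data") * BLOCK_SIZE,
        "trailer_blocks": kinds.count("trailer"),
    }


def trailer_for(card, block):
    """Absolute number of the trailer block whose keys guard `block`."""
    layout = memory_map(card)
    sector = layout[block][0]
    return next(b for s, b, k in layout if s == sector and k == "trailer")


if __name__ == "__main__":
    for card in LAYOUTS:
        print(card, summary(card))
```

Every sector carries its own pair of keys, so access is granted per sector rather than per card.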

The new cards are based on later revisions of MIFARE technology. There are two basic types that will be rolled out now (the specific models are not listed, but i’m going to find out one way or another):

  • MIFARE DESFire. This is the regular “multiple use” card that most of us use every day. More on this later.
  • MIFARE Ultralight. This is the “use once” tourist card, which can be charged once, and then thrown away after use.

DESFire is a new card type that MIFARE came out with in 2002. There is an EV1 (evolution 1) version of the card, which was released in 2006 and offers more options and better crypto. Which system is used here, i’m not sure as i said, but i’ll find out. This is an entirely new card compared to the old stupid cards. They sport a real NXP-made microprocessor, and more memory. There are 2, 4 and 8KB versions of the card. They come with a proprietary DESFire operating system, which uses a real directory/file structure in the storage space. The crypto is upgraded from “Crypto-1”, using a 48-bit key, to a minimum triple-DES, i.e. 3x56 bits key length, and up to a 128-bit AES in the EV1 variant. The NXP microprocessor is 8051 based, and has separate hardware crypto-accelerators for both AES and 3DES, which makes the crypto transactions even faster than before.

Ultralight is the use-once version of the cards. Cheaper to manufacture, it’s apparently made out of some kind of thick paper. There are also two versions of this card, the Ultralight, and the Ultralight C, which are from 2001 and 2008 respectively. The plain-jane version offers no crypto at all, and 512 bits (64 bytes) of memory. The C variant offers crypto, more storage-space, and ISO 14443 compliance. It is highly likely that the version being rolled out is the C version, because it has features that make it suitable for mass transportation (i.e. abrasion resistance and crypto).

So why are the cards being changed for real? I’ll offer a few guesses. One, is that the new cards are cheaper. That’s a big thing when it comes to public transport and anything government funded. The Apollo astronauts reminded each other that they are going to the moon in a craft built by the company that made the cheapest offer. I’m not saying cheap is bad in this case though.

The new cards are also more ecological. Also a big thing in government projects, and easier to sell to consumers. The cards are either made out of bio-degradable plastic, or paper.

All methods of public transport will be fitted with GPS. Some already have it (trains, trams and some buses), but i suppose they’ll be rolling this out to every damn thing. This makes tracking not only the vehicle easy, but also tracking you. They can stamp your card with exactly the stop you got on. Where you got off is another matter entirely, but in any case. The bus and the reader know where you are, and when you get on, the card will retain this information, along with personally identifiable information. This information is said not to be readable by regular kiosks and other recharge outlets, but only by ticket inspectors or law enforcement “should the legal need arise”. In any case, the expanded memory and processing capability, plus the new crypto, make the cards very hard to hack, and capable of storing hordes of information, and not just a “one travel” buffer, which contains your last transit. This of course, is pure speculation on my part.

Why replace an already working system? Well, that’s anybody’s guess, and the site they put out doesn’t really give a specific reason. The fact that the new cards are cheaper, is a small issue, when we consider that there are already what.. a million cards in circulation that now all have to be replaced? Expanding the system to new areas? Okay, but why not just expand the current, tried and tested (and broken :)) system? The cards are at the end of their lifespan? Why? My card is seven years old and it works just fine. I’ve had it in my pocket, my wallet and god knows where. There are no moving parts, and no exposed chips, as with regular smart cards. The exposed components tend to wear out and that is a good reason to change your card. But it doesn’t apply to the Matkakortti. Sure, if you bend the card, it’ll snap, but i bet the new cards are just the same.

I also have a hard time believing that standards compliance is a reason for the overhaul. The old cards are based on the same basic technology, i.e. RFID, which should in itself adhere to ISO 14443. If it didn’t, okay, but adhering to standards isn’t a benefit for the consumer in this case. Everyone is forced to either use the cards, or pay each trip with cash, which leaves few options. The standard defines how well the card should withstand physical abuse, but again, i stress that my card is still working after seven years. Abuse-resistance was not an issue with the old cards either.

So the Fox Mulder in me deduces that this is just a way to track us even more closely. The hacking of cards wasn’t an issue in Finland, at least not that i heard of, but with the new cards, this becomes practically impossible, unless there are vulnerabilities in the implementation of the crypto, or predictability in the key-generation (or exchange) as with the previous system. This removes any chance of an “open and fair” system, meaning that i can’t buy a MIFARE reader, and dig out the data that they have stored on me personally, on the card. I’m not even looking for free travel or some such shit, i just want to know how the system stores and uses my data.

I’ll be following up on this as i get my hands on the new card. I’ll be retaining a few of the older cards, just to make comparisons, should such an opportunity arise. I’m still in the market for a MIFARE reader, but i haven’t gotten off my lazy ass and bought one yet.

Sources for my rambles are:

Matkakortti, some findings

So, i’ve gathered the information from a few cards, mostly friends and family, and here’s what i’ve got (it’s not a lot!):

The second number is interesting. This is the BUSCOM number. Buscom is the company that makes the readers and other systems related to this, i suppose. The system is built around the MIFARE RFID system, which is used around the world. The frequency it operates on is 13.56 MHz, and the range is not many centimeters. There are MIFARE readers you can buy on eBay, just look for 13.56 or mifare or something. They cost between 30-50 dollars, which is pretty cheap in real money, e.g. euros.

Anyway, the Buscom number. It’s only four numbers long, which allows for 10 000 permutations. That’s a lot less than the amount of cards in circulation (probably in the hundreds of thousands, if not over a million). So what is this number? Card revision, or the location where it was bought, have been suggested to me, but that doesn’t track, at least in any way i could figure out. I’ve got a few cards that have been bought in the same place, but they have a different number. Are there over 10 000 retailers of these cards? Maybe, maybe not. But in any case, it doesn’t match. The numbers vary wildly even among those bought in the same place. Any ideas are welcome.

There might be a difference between personal, and non-personal cards. I don’t have any non-personal cards yet, so i cannot verify this, but it would make sense.

The third number, the actual card number always starts with F246300111, and then after that a seemingly random sequence. Probably just a manufacturing sequence, but there might be a repeating sequence in there, that is for instance area-specific.

The first number, for some reason, seems to be worn out on most cards. I have a bunch of numbers, but one card, which is apparently an early card, has an asterisk in the string, which is very interesting. All the other cards have numbers and/or letters.

About the updating, there needs to be a dynamic update that takes place on every transaction, because the state of a card needs to be determined. A card can be blocked out by the transit authority people, if you’ve lost your card. This might happen on a daily basis (why do the readers have a buffer?), but i doubt it. I’m suspecting a wireless link, but that needs to be confirmed with a scanner or something akin to one, which can tell me if there is a frequency that is used.

The card has a buffer for a few fares, it seems. My old card had a bug. It showed a transfer from two years ago, even if that transfer had expired. This is because, when you have a transfer, it can’t get cleared when the time runs out, before you swipe the card again. The card is unpowered when it is just sitting in your pocket. So the transfer sticks until you swipe it past a reader, and it notices that the time the transfer is valid is cleared. For some reason, either due to a garbled read/write operation, or a faulty reader, it didn’t clear the transfer, and it stuck for two years. I use my card on a daily basis, so there isn’t a long delay, except during the summer vacations.

It can keep a few transfers in the card memory (or then it could be in the system, but i doubt it), because at one of those big automats, i’ve seen two transfers on the screen. The card/system also has to store the card type, for instance, the special card types such as handicap, pensioner, student, and other such types. Mine has student on the card, even though that expired 31.8.2008. I’m not sure why that is not cleared.

The card also has a validity, which, for my card, ends 31.10.2015, probably 10 years after i got the card, since i got mine in 2005. Why this is done, i’m not sure. I’ll wait until 2015 rolls around, and see if they just replace the card, or just update that field. It might also be static, that is, written on the card’s initialization when you first buy it, or upon its creation.

The next phase i assume, is getting the MIFARE read/write device. I’m not at all sure about the interface, because it just looks like a PCB with no discernible interfaces on it. It’s probably some kind of serial traffic, but .. i’ll need to read up more on it.

EDIT: The MIFARE system, on quick googling, seems to have some serious flaws. It uses crypto (Crypto-1) that has been broken by the CCC guys over in Germany. Check out this link for more. Basically, the guys found that only a small part of the gates on the card (about 10 000 in total), are used for crypto. The random number generator is a 16-bit integer, which is seeded based on how long the card has been powered on. Using an open source reader, OpenPCD, they could use the same random number over and over again.
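Why a small generator that restarts at power-up gives repeatable "random" numbers, as an added toy model (not code from the original post or from the research it mentions). The 16-bit LFSR taps, the power-on state and the tick counts are assumptions chosen for illustration; the last function shows the contrast with nonces drawn from the operating system's CSPRNG.

```python
import secrets


def lfsr16_step(state):
    """One tick of a maximal-length 16-bit Fibonacci LFSR (illustrative taps)."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)


class ToyCard:
    """Toy card: the generator restarts from the same state at every power-up."""

    POWER_ON_STATE = 0xACE1  # constructed value, not taken from a real card

    def power_up(self):
        self.state = self.POWER_ON_STATE

    def nonce_after(self, ticks):
        """Nonce the card would emit `ticks` clock steps after power-up."""
        for _ in range(ticks):
            self.state = lfsr16_step(self.state)
        return self.state


def period(start=0xACE1):
    """Number of ticks before the generator state repeats."""
    state, count = lfsr16_step(start), 1
    while state != start:
        state = lfsr16_step(state)
        count += 1
    return count


def repeated_nonces(ticks, sessions=5):
    """Power the toy card up several times, asking at the same elapsed time."""
    card = ToyCard()
    seen = []
    for _ in range(sessions):
        card.power_up()
        seen.append(card.nonce_after(ticks))
    return seen


def csprng_nonces(sessions=5):
    """What a sound design does: fresh nonce from the OS CSPRNG each session."""
    return [secrets.token_bytes(16) for _ in range(sessions)]


if __name__ == "__main__":
    print("period:", period())
    print("same timing:", [hex(n) for n in repeated_nonces(1000)])
    print("csprng:", [n.hex() for n in csprng_nonces()])
```

With only 65535 possible states and no entropy beyond elapsed time, whoever controls the timing controls the nonce; the CSPRNG version has no such dependence.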

A cryptanalysis of the crypto protocol is here, by Karsten Nohl of CCC. The gist of this is that you can recover the secret key in mere minutes using an average desktop machine. The cipher is a pretty basic 48-bit linear feedback shift register encryption. To find bits of the key, use a specific challenge sent to the card, and then examine the first bit of the response. Using a number of test challenges, an attacker can recover the entire secret key.

General stuff, and the Matkakortti

A new machine was added today, a Sun Netra X1. It’s basically like a weak version of the Netra T1 that i got earlier. I’m not sure what i’ll do with it, but those Sun machines are pretty cool looking, so i couldn’t pass it by.

The specs are basically, a 500 MHz UltraSPARC IIi, 512 RAM, and two IDE disks. No floppy or CD, and two NIC ports plus a serial interface and two USB ports. It could run something like Sun Solaris 8, 9 or 10, or it could run say, the Debian SPARC port. It would take up a light network task perhaps.

In other news, i’m thinking of ditching Windows 7, because it sucks. I’m serious. The transfer speeds with any drivers that are available, are appalling. I was moving a file and it was doing it at around 2.6 MB/s. Booting to Ubuntu, i got speeds between 25 and 40 MB/s. How can this be? And in Ubuntu, i don’t even have to install drivers, or think about write caching, or anything else. It just works. So i can’t understand how this shit can be that difficult? I have a modern motherboard, with a modern chipset. The disks are capable of more.

I’m probably replacing the P4 rig inside Agrippa, with the Athlon 64 3700+, simply because i think there’s something wrong with the IDE controller on that P4 board. The two drives in one of the IDE buses keep disappearing randomly, which makes booting anything from them very challenging.

I’m working on making a server for the intranet, as Agamemnon took a place in the DMZ. The inside server would take care of DHCP allocation, and DNS. There would also be a pf machine (possibly one of the Sun machines?) that would handle traffic coming in and going out from my internal network.

I’m starting in earnest to investigate the Matkakortti system that we use here in Finland. It’s equivalent to the US and Chicago Metrocard system, except that system is primitive, and based on a magstripe and reader, whereas Matkakortti uses an RFID chip to send and receive data.

What i’ll start doing now is the following: I’ll collect the numbers of cards and compare them to see if there’s a difference in the two main card types. The types are the personal card, which is bound to (and contains) the information of the cardholder, and the non-user-specific card, which is more expensive, but can be transferred between people in a family for instance. The card numbers should contain some information, as it’s a very long string; a lot longer than the amount of cards in circulation.

The card is only used in the capital region. There has been talk of making it Country-Wide, but financial hurdles have so far prevented them from deploying it everywhere. Figures…

Another thing i want to investigate is, getting a device that can tell me if a frequency is transmitting or not. Then, i could see how long the burst of data is between the reader and the card when you show it to the reader. The next part would be to get a reader, and look at the actual data, i.e. send out 13.xx MHz to the card, and watch what it sends back. It’s probably encrypted, but it can’t be too encrypted, since we are dealing with a very simple, quick system.

Also, i’d like to find out how the buses communicate with some central entity, in order to keep track of what’s on your card. A personal card can be recovered at certain service desks, and they have the exact up to date information on what is on your card. For a fee of 5 euro, to recoup the cost of the card, they’ll give you a clone of your lost/missing/stolen card, and deactivate the old card. This tells me they can do a system wide lock of a certain card number, as well as know the specifics of your card.

The readers themselves have a buffer, because i’ve encountered one beeping constantly and displaying a “Buffer full” message on the screen. The device was locked out and could not be used. Supposedly, the beeping only stopped once the thing was turned off, and then needed to be emptied/reset by a technician. I’ve only seen it once, which leads me to believe that there is a set buffer for a device, and that it perhaps uploads once or twice a day, depending on the line. But how does that work then? It wouldn’t be completely up to date in that case.

The other alternative is that it does send data constantly through some wireless link (the trains are bound to have a link for control purposes, some RF thing), and that the reader had just faulted somehow and not handled the buffer as usual, filling it up with people’s swipes.

It’s an interesting system. As an example, here are the three numbers displayed on the backside of my card:

In the top left edge: 042405535

In the middle: BUSCOM 0523

In the top right corner: F2463001111154998100

If you have a card and want to help me out, send me the info from your card to grelbar ( äet ) grelbar (dot) net.