31 May

Matkakortti, some findings

So, i’ve gathered the information from a few cards, mostly friends and family, and here’s what i’ve got (it’s not a lot!):

The second number is interesting. This is the BUSCOM number. Buscom is the company that makes the readers and other systems related to this, i suppose. The system is built around the Mifare rfid system, which is used around the world. The frequency it operates on is 13.56 Mhz, and the range is not many centimeters. There are mifare readers you can buy on ebay, just look for 13.56 or mifare or something. They cost between 30-50 dollars, which is pretty cheap in real money, e.g. euros.

Anyway, the Buscom number. It’s only four numbers long, which allows for 10 000 permutations. That’s a lot less than the amount of cards in circulation (probably in the hundreds of thousands, if not over a million). So what is this number? I’ve been suggested card revision, or location where it was bought, but that doesn’t track, at least in any way i could figure out. I’ve got a few cards that have been bought in the same place, but they have a different number. Are there over 10 000 retailers of these cards? Maybe, maybe not. But in any case, it doesn’t match. The numbers vary wildly even those bought in the same place. Any ideas are welcome.

There might be a difference between personal, and non-personal cards. I don’t have any non-personal cards yet, so i can not verify this, but it would make sense.

The third number, the actual card number always starts with F246300111, and then after that a seemingly random sequence. Probably just a manufacturing sequence, but there might be a repeating sequence in there, that is for instance area-specific.

The first number, for some reason seems to be worn out on most cards. I have a bunch of numbers, but on one card, which is apparently an early card, has an asterisk in the string, which is very interesting. All the other cards have numbers and/or letters.

About the updating, there needs to be a dynamic update that takes place on every transaction, because, the state of a card needs to be determined. A card can be blocked out by the transit authority people, if you’ve lost your card. This might happen on a daily basis (why do the readers have a buffer?), but i doubt it. I’m suspecting a wireless link, but that needs to be confirmed with a scanner or something akin to one, which can tell me if there is a frequency that is used.

The card has a buffer for a few fares, it seems. My old card, had a bug. It showed a transfer from two years ago, even if that transfer had expired. This is because, when you have a transfer, it can’t get cleared when the time runs out, before you swipe the card again. The card is unpowered when it is just sitting in your pocket. So the transfer sticks until you swipe it past a reader, and it notices that the time the transfer is valid is cleared. For some reason, either due to a garbled read/write operation, or a faulty reader, it didn’t clear the transfer, and it stuck for two years. I use my card on a daily basis, so there isn’t a long delay, except during the summer vacations.

It can keep a few transfers in the card memory (or then it could be in the system, but i doubt it), because at one of those big automats, i’ve seen two transfers on the screen. The card/system also has to store the card type, for instance, the special card types such as handicap, pensioner, student, and other such types. Mine has student on the card, even though that expired 31.8.2008. I’m not sure why that is not cleared.

The card also has a validity, which, for my card, ends 31.10.2015, probably 10 years after i got the card, since i got mine in 2005. Why this is done, im not sure. I’ll wait until 2015 rolls around, and see if they just replace the card, or just update that field. It might also be static, that is written on the cards intialization when you first buy it, or upon its creation.

The next phase i assume, is getting the mifare read/write device. I’m not at all sure about the interface, because it just looks like a pcb with no dicernible interfaces on it. It’s probably some kind of serial traffic, but .. i’ll need to read up more on it.

EDIT: The mifare system, on quick googling, seems to have some serious flaws. It uses crypto (crypto-1) that has been broken by the CCC guys over in Germany. Check out this link for more. Basically, the guys found that only a small part of the gates on the card (about 10 000 in total), are used for crypto. The random number generator is a 16-bit integer, which is seeded based on how long the card has been powered on. Using an open source reader, Openpcd, they could use the same random number over and over again.

A cryptanalysis of the crypto protocol is here, by Karsten Nohl of ccc. The gist of this is that you can recover the secret key in mere minutes using an average desktop machine. The cipher is a pretty basic 48-bit linear feedback shift register encryption. To find bits of the key, use a specific challenge sent to the card, and then examine the first bit of the response.  Using a number of test challenges, an attacker can recover the entire secret key.

Leave a Reply

Your email address will not be published. Required fields are marked *