Fare Hack: Exploiting a Clipper Card Flaw Is Easy
by Beth Winegarner
Wednesday, February 1, 2012
Not that we think you would, but with a visit to Radio Shack you could hack into that Clipper card in your wallet, allowing you to load it with free rides or create and sell copies for profit — and funnel money away from the Bay Area’s cash-strapped public-transit agencies.
What it would take: an oscilloscope, an antenna, a transponder, a bit of know-how, and about seven hours.
That’s according to David Oswald, a Ph.D. student in IT security at the Ruhr University of Bochum in Germany, who broke the encryption in Clipper and similar transit cards last year. Clipper cards contain a chip that uses radio signals to talk to fare gates and the transponders on buses, making it easy to “eavesdrop” on the conversation. “It’s comparable to a professional thief who can open a safe by listening to the mechanical clicks of the lock. In our case, we are listening to electromagnetic fields,” says Oswald.
From there, a hacker can narrow down which key will break the encryption and gain access to the information on the chip. Lest you think it takes an IT degree to read the data, the Farebot app for Android phones lets you peek at the travel history and balance on your own card — or anyone else’s nearby.
The vulnerability poses “a severe threat to the security of real-world systems” that use the chip, Oswald wrote in a paper published in October.
Cubic Transportation Systems, the company that supplies Clipper cards, downplays the finding. “Cubic continually monitors card activity to determine if unauthorized modifications have been made,” says Derick Benoit, vice president of customer services.
However, Metropolitan Transportation Commission spokesman John Goodwin says card-cloning is possible. That’s a problem, since Andres Townes, a former employee of Boston’s Massachusetts Bay Transit Authority and later Cubic, was indicted for selling millions of dollars’ worth of cloned magnetic-stripe transit cards on Craigslist. Townes kicked off his alleged racket in 2007, before Cubic took over the MBTA’s transit-card system, but wasn’t arrested until 2011 — well after Cubic got involved.
The MTC has asked Cubic to finesse the Clipper system in light of Oswald’s findings, and Cubic is “considering this request,” Goodwin said. Cubic also plans to use a new, less-vulnerable chip in Clipper cards this year, but that still leaves over 1 million weaker cards in circulation.
“No smart card is, or will ever be, absolutely 100 percent hack-proof,” Goodwin said. “The goal is to stay at least one step ahead of the people that would look to take advantage of discovered vulnerabilities.”
That’s easier than staying out of cities with Radio Shacks.
This article originally appeared in the SF Weekly.