[Noisebridge-discuss] RFID, TransLink/Clipper

Jeffrey Malone ieatlint at tehinterweb.com
Thu May 20 01:08:13 UTC 2010


My understanding of TransLink:

TransLink is a stored value card that verifies against a database.

There are live and cold readers.  Buses and fare inspectors use cold ones
-- they have no uplink and simply rely on the card's value and status
being reliable.  Trains and add-value machines typically have live ones
-- they can verify against a database instantly.
The cold readers sync with the database routinely, typically for buses
when they return to the bus yard.  Thus, if you alter the stored value
on your card, it will work on buses -- but once they sync with the
database, it will detect the discrepancy and theoretically block your
card.

The info stored on the card at a minimum contains this info:
 - recent places you tagged your card, and for what.  You can ride a
MUNI bus, take BART, and get back on a MUNI bus and your transfer is
still valid, despite the bus not being live synced.
 - the dollar amount your card has stored
 - any bus passes you may have
 - the unique id as written on the back of your card

The cards themselves operate at 35 MHz, a non-standard RFID frequency.
Most RFID readers operate on 13.5 MHz or 125 kHz (typically for
contactless smartcards, 13.5 MHz).
I believe a USRP can theoretically read the cards (well, except for
the security they definitely have), or you can try and use a smartcard
reader to hit the contacts.  I have no info on this.

In order to be successful at hacking the card, you would need to be
able to alter the id of the card -- otherwise the card would only work
on buses, and get blocked every night.
It is very possible that the card has this hardcoded, which means the way
to hack it is to build your own card to emulate the real ones.  Even
if you managed this, it would still potentially only work on buses,
but you'd be able to change the card id each night when they block
you.

Good luck!

Jeffrey

On Wed, May 19, 2010 at 5:19 PM, Ryan Castellucci
<ryan.castellucci at gmail.com> wrote:
> On Wed, May 19, 2010 at 12:33 AM, Daniel Farina <drfarina at acm.org> wrote:
>> Does anyone have an idea around how available readers are for
>> TransLink/Clipper cards and what useful information can be read off
>> them? If something as simple as an ID-number can be retrieved then I
>> think there are a lot of interesting possibilities since acquiring a
>> TransLink/Clipper card is easy and only going to get easier. Plus it's
>> one less card to carry for those of us who commute via public transit
>> often if this card can be piggybacked.
>>
>> I am a total RFID noob, so I apologize if I have asked some stupid
>> questions in advance.
>
> It seems to me based on the way the system works that data gets
> written to the cards in at least some cases.
>
> The readers the fare enforcement officers have do not seem to have an
> antenna for data uplink, so I presume that it checks the card.
>
> --
> Ryan Castellucci http://ryanc.org/
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>
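
The sync-time check described in the message above, seen from the back-office side, as an added example that is not part of the original e-mail and is not TransLink/Clipper's actual implementation: logs uploaded by cold readers are replayed against the central database, and a card whose reported stored value disagrees goes on the block list. The record layout, the per-card transaction counter and the card ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OfflineTap:
    """One tap logged by a cold reader (hypothetical record layout)."""
    card_id: str
    seq: int             # per-card transaction counter (assumed to exist)
    balance_before: int  # stored value in cents, as read from the card
    fare: int            # cents the reader deducted

def reconcile(ledger, last_seq, taps):
    """Replay synced offline taps against the central database.
    ledger: card_id -> authoritative balance in cents; last_seq: card_id ->
    last counter processed. Both are updated in place for taps that pass."""
    blocklist, findings, deferred = set(), [], []
    for tap in sorted(taps, key=lambda t: (t.card_id, t.seq)):
        if tap.card_id in blocklist:
            continue
        expected = last_seq.get(tap.card_id, 0) + 1
        if tap.card_id not in ledger:
            reason = "card id unknown to the database"
        elif tap.seq < expected:
            reason = "transaction counter replayed or rolled back"
        elif tap.seq > expected:
            # An earlier tap sits on a reader that has not synced yet:
            # hold this one instead of blocking an honest rider.
            deferred.append(tap)
            continue
        elif tap.balance_before != ledger[tap.card_id]:
            reason = (f"card reported {tap.balance_before}, "
                      f"database holds {ledger[tap.card_id]}")
        else:
            ledger[tap.card_id] -= tap.fare
            last_seq[tap.card_id] = tap.seq
            continue
        blocklist.add(tap.card_id)
        findings.append((tap.card_id, tap.seq, reason))
    return blocklist, findings, deferred

# Constructed sample: one bus reader's log, uploaded at the yard.
SAMPLE_TAPS = [
    OfflineTap("card-A", 8, 1000, 200),  # consistent
    OfflineTap("card-A", 9, 800, 200),   # consistent after tap 8
    OfflineTap("card-B", 4, 5000, 200),  # stored value altered on the card
    OfflineTap("card-C", 1, 300, 200),   # id the database never issued
    OfflineTap("card-D", 6, 400, 200),   # tap 5 not uploaded yet
]
```

Deferred taps are retried once the missing reader log arrives; only a confirmed mismatch, an unknown id or a counter that moved backwards results in a block.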


