[Noisebridge-discuss] clipper card hacking

Jeffrey Malone ieatlint at tehinterweb.com
Tue Oct 5 04:20:16 UTC 2010


This topic was briefly discussed back in May.
I shared a bit of information back then:

https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-May/thread.html#14104

Since writing that, the Clipper card has been released, and now is entirely
a contactless smartcard (the TransLink cards, which operate identically and
still work, had contacts).

The Charlie card is a MIFARE card, the same as London's Oyster cards and
many other systems.  It's a standard card that you can purchase for under a
dollar each, and the classic cards contain up to 1kb in storage (effectively
less, as there are a couple headers and keys that use part of that 1kb).
They may use a modified version of 14443, but with 35mhz -- something I
presume is to prevent more casual hacking as the 13.56mhz readers are
readily available (I have one sitting here).

As to why they're "so slow", I can guess.  In my experience with MIFARE
cards, the datarate was somewhere around 140cps.  That means on a 1kb card,
to read the entire card would take 7+ seconds.  The data is stored on them
in sixteen 64-byte sectors, each sector containing up to two 4-byte
keys/access control data (thus up to 56 bytes per sector).  Assuming the
clipper card works like this, I would bet at minimum of two sectors are
used, and probably three to four.
Maybe they're able to squeeze a faster datarate with their hardware, and
maybe their design is more efficient for their exact use than MIFARE.  But I
would guess this is the reason for the ~1s lag of swiping a card, and is
likely not going to change anytime soon.

Presuming the TransLink card's contacts offer the same exact data and
encryption as the contactless interface, they would be the ideal method of
attack methinks.  Otherwise, go find yourself a USRP or some bizarre 30mhz
rfid reader...
I'll be very curious to see what more can be learnt.

Jeffrey


On Mon, Oct 4, 2010 at 8:40 PM, Ryan Rawson <ryanobjc at gmail.com> wrote:

> Here is what I know:
>
> - Clipper is a smartcard, with stored information, presumably encrypted.
> - According to wikipedia:  "The Clipper card was developed by
> Australian-based ERG Group and Motorola under the ERG-Motorola
> alliance in April 1999"
> - According to my coworker: ERG is a typical systems integrator,
> meaning we can count on jr and ineffective teams being put to work on
> the project
> - Will need hardware readers, perhaps clipper card is
> http://en.wikipedia.org/wiki/ISO/IEC_14443
> - Encryption might become an issue
>
> Some basic experimenting indicates that the terminals seem to have the
> possibility of operating standalone w/o network connection, they were
> able to tell me pretty quickly that my card was still good for a
> transfer, etc.  This information presumably stored back to the card.
>
> Still trying to figure out more. I should look at those MIT students
> who researched charlie card.
>
> On Mon, Oct 4, 2010 at 7:34 PM, aditya bhargava <aditya at wefoundland.com>
> wrote:
> > This sounds very cool. I have software experience, although no hacking
> > experience. Does that count?
> >
> >
> >
> > On Mon, Oct 4, 2010 at 6:56 PM, Ryan Rawson <ryanobjc at gmail.com> wrote:
> >>
> >> Anyone interested in doing some hacking on the clipper card?  I'm not
> >> interested in free trips, but I would like to do things like read my
> >> card, understand how it works, get to the root cause of why it is
> >> slow, etc.
> >>
> >> I have no hardware, but plenty of software expertise and I can solder :-)
> >>
> >> -ryan
> >> _______________________________________________
> >> Noisebridge-discuss mailing list
> >> Noisebridge-discuss at lists.noisebridge.net
> >> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> >
> >
> >
> > --
> > wefoundland.com
> >
>
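As an added illustration of the memory layout Jeffrey sketches above (this is example code written for this page, not code from the thread or from any Clipper, TransLink or MIFARE project): the standard MIFARE Classic 1K layout is 16 sectors of four 16-byte blocks, where the last block of each sector is the trailer holding a 6-byte key A, 4 access-condition bytes and a 6-byte key B, and block 0 of sector 0 is the read-only manufacturer block carrying the 4-byte UID and its XOR check byte (BCC). The parser below splits a dump you already hold into that structure, checks the BCC, reports which sectors actually carry application data, and estimates read time from the 140 cps figure in the message. The sample image, its UID and the helper names are constructed for this example, not values from the page.

```python
"""Parse a MIFARE Classic 1K memory image (added example, not from the thread).

Layout assumed (standard MIFARE Classic 1K): 16 sectors x 4 blocks x 16 bytes.
The last block of every sector is the sector trailer: key A (6 bytes),
access conditions (4 bytes), key B (6 bytes).  Block 0 of sector 0 is the
manufacturer block: 4-byte UID, 1-byte BCC (XOR of the UID bytes), then
manufacturer data.  Helper names below are hypothetical, not any library API.
"""
from dataclasses import dataclass
from typing import List

SECTORS = 16
BLOCKS_PER_SECTOR = 4
BLOCK_SIZE = 16
CARD_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes

# Transport-configuration values a blank MIFARE Classic ships with; used only
# to build the constructed sample image below.
DEFAULT_KEY = bytes([0xFF] * 6)
TRANSPORT_ACCESS_BITS = bytes([0xFF, 0x07, 0x80, 0x69])


@dataclass
class SectorTrailer:
    key_a: bytes
    access_bits: bytes
    key_b: bytes


@dataclass
class Sector:
    index: int
    data_blocks: List[bytes]   # the three non-trailer blocks, in order
    trailer: SectorTrailer


def parse_dump(image: bytes) -> List[Sector]:
    """Split a 1024-byte image into sectors and decode each sector trailer."""
    if len(image) != CARD_SIZE:
        raise ValueError(f"expected {CARD_SIZE}-byte image, got {len(image)}")
    sectors = []
    for s in range(SECTORS):
        base = s * BLOCKS_PER_SECTOR * BLOCK_SIZE
        blocks = [image[base + b * BLOCK_SIZE: base + (b + 1) * BLOCK_SIZE]
                  for b in range(BLOCKS_PER_SECTOR)]
        raw = blocks[-1]
        trailer = SectorTrailer(key_a=raw[0:6], access_bits=raw[6:10], key_b=raw[10:16])
        sectors.append(Sector(index=s, data_blocks=blocks[:-1], trailer=trailer))
    return sectors


def manufacturer_block(image: bytes) -> dict:
    """Return the UID and whether the BCC check byte matches it."""
    block0 = image[0:BLOCK_SIZE]
    uid = block0[0:4]
    bcc = block0[4]
    expected = 0
    for b in uid:
        expected ^= b
    return {"uid": uid, "bcc": bcc, "bcc_ok": bcc == expected}


def usable_bytes() -> int:
    """Application data capacity: sector 0 has 2 usable blocks, the rest 3."""
    return (2 + 3 * (SECTORS - 1)) * BLOCK_SIZE  # 752


def used_sectors(sectors: List[Sector]) -> List[int]:
    """Sectors whose application data blocks hold any non-zero byte.

    The manufacturer block is skipped so a blank card reports no used sectors.
    """
    used = []
    for sec in sectors:
        blocks = sec.data_blocks[1:] if sec.index == 0 else sec.data_blocks
        if any(any(blk) for blk in blocks):
            used.append(sec.index)
    return used


def estimate_read_seconds(n_bytes: int, chars_per_second: float) -> float:
    """Time to pull n_bytes over a link moving chars_per_second bytes."""
    return n_bytes / chars_per_second


def build_sample_image() -> bytes:
    """Constructed image: UID DEADBEEF, transport trailers, data in sectors 1 and 2."""
    image = bytearray(CARD_SIZE)
    uid = bytes.fromhex("deadbeef")
    bcc = 0
    for b in uid:
        bcc ^= b
    image[0:5] = uid + bytes([bcc])
    for s in range(SECTORS):
        trailer_off = (s * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1) * BLOCK_SIZE
        image[trailer_off:trailer_off + BLOCK_SIZE] = DEFAULT_KEY + TRANSPORT_ACCESS_BITS + DEFAULT_KEY
    image[4 * BLOCK_SIZE:4 * BLOCK_SIZE + 4] = b"\x01\x02\x03\x04"   # sector 1, block 4
    image[9 * BLOCK_SIZE:9 * BLOCK_SIZE + 2] = b"\xAA\x55"           # sector 2, block 9
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    secs = parse_dump(img)
    print(manufacturer_block(img), used_sectors(secs),
          f"{estimate_read_seconds(CARD_SIZE, 140):.1f}s at 140 cps")
```

Run against a real dump, `used_sectors` is the quick way to test the "two to four sectors" guess above, and `manufacturer_block` catches a truncated or misaligned image before any further interpretation.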