[Noisebridge-discuss] clipper card hacking

Ryan Rawson ryanobjc at gmail.com
Tue Oct 5 04:28:20 UTC 2010


It does seem that some swipes take longer than others, perhaps as low
as 300-500ms.

Why would anyone build a high volume transit system based on this?

On Mon, Oct 4, 2010 at 9:20 PM, Jeffrey Malone <ieatlint at tehinterweb.com> wrote:
> This topic was briefly discussed back in May.
> I shared a bit of information back then:
> https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-May/thread.html#14104
> Since writing that, the Clipper card has been released, and now is entirely
> a contactless smartcard (the TransLink cards, which operate identically and
> still work, had contacts).
> The Charlie card is a MIFARE card, the same as London's Oyster cards and
> many other systems.  It's a standard card that you can purchase for under a
> dollar each, and the classic cards contain up to 1kb in storage (effectively
> less, as there are a couple headers and keys that use part of that 1kb).
> They may use a modified version of 14443, but with 35 MHz -- something I
> presume is to prevent more casual hacking as the 13.56 MHz readers are
> readily available (I have one sitting here).
> As to why they're "so slow", I can guess.  In my experience with MIFARE
> cards, the datarate was somewhere around 140cps.  That means on a 1kb card,
> to read the entire card would take 7+ seconds.  The data is stored on them
> in sixteen 64-byte sectors, each sector containing up to two 4-byte
> keys/access control data (thus up to 56 bytes per sector).  Assuming the
> clipper card works like this, I would bet a minimum of two sectors are
> used, and probably three to four.
> Maybe they're able to squeeze a faster datarate with their hardware, and
> maybe their design is more efficient for their exact use than MIFARE.  But I
> would guess this is the reason for the ~1s lag of swiping a card, and is
> likely not going to change anytime soon.
> Presuming the TransLink card's contacts offer the same exact data and
> encryption as the contactless interface, they would be the ideal method of
> attack methinks.  Otherwise, go find yourself a USRP or some bizarre 30 MHz
> rfid reader...
> I'll be very curious to see what more can be learnt.
> Jeffrey
>
> On Mon, Oct 4, 2010 at 8:40 PM, Ryan Rawson <ryanobjc at gmail.com> wrote:
>>
>> Here is what I know:
>>
>> - Clipper is a smartcard, with stored information, presumably encrypted.
>> - According to Wikipedia:  "The Clipper card was developed by
>> Australian-based ERG Group and Motorola under the ERG-Motorola
>> alliance in April 1999"
>> - According to my coworker: ERG is a typical systems integrator,
>> meaning we can count on jr and ineffective teams being put to work on
>> the project
>> - Will need hardware readers, perhaps clipper card is
>> http://en.wikipedia.org/wiki/ISO/IEC_14443
>> - Encryption might become an issue
>>
>> Some basic experimenting indicates that the terminals seem to have the
>> possibility of operating standalone w/o network connection, they were
>> able to tell me pretty quickly that my card was still good for a
>> transfer, etc.  This information presumably stored back to the card.
>>
>> Still trying to figure out more. I should look at those MIT students
>> who researched charlie card.
>>
>> On Mon, Oct 4, 2010 at 7:34 PM, aditya bhargava <aditya at wefoundland.com>
>> wrote:
>> > This sounds very cool. I have software experience, although no hacking
>> > experience. Does that count?
>> >
>> >
>> >
>> > On Mon, Oct 4, 2010 at 6:56 PM, Ryan Rawson <ryanobjc at gmail.com> wrote:
>> >>
>> >> Anyone interested in doing some hacking on the clipper card?  I'm not
>> >> interested in free trips, but I would like to do things like read my
>> >> card, understand how it works, get to the root cause of why it is
>> >> slow, etc.
>> >>
>> >> I have no hardware, but plenty of software expertise and I can solder
>> >> :-)
>> >>
>> >> -ryan
>> >> _______________________________________________
>> >> Noisebridge-discuss mailing list
>> >> Noisebridge-discuss at lists.noisebridge.net
>> >> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>> >
>> >
>> >
>> > --
>> > wefoundland.com
>> >
>
>


