If you pay attention to tech news, you’ve probably heard about the increasing ubiquity of RFID devices — small chips attached to antennae and embedded inside plastic housings, capable of simple storage and a little limited computation. Chances are you’re carrying a few around with you — RFID is used in card keys to open doors and key fobs to unlock cars. Companies use them for inventory, supply chain management, and theft prevention. Car-sharing companies use them to let you into the cars you’ve rented. FasTrak uses them to charge bridge tolls, and transit agencies use them in fare cards, like Clipper.
If you pay a little more attention to computer security news, you’ve probably also heard concerns over RFID’s security when it comes to your private information. Cards like Clipper are meant to be readable only with a tap, but as you probably know, usually a few inches will do. That’s with the power levels and antennae in the readers that SFMTA/BART are deploying.
With more power and a larger antenna, the range increases; the practical limits vary with the frequencies and chips involved. At Clipper’s 13.56MHz, you can read the card from a few feet with an antenna that can fit in a backpack. The most common concern is that RFIDs can then be read by anyone who can mount a reader on something that you walk past, without your knowledge or control.
When an RFID device is being read, most do nothing but announce a long number — but it’s a unique number, and it’s enough to recognize you next time. There are some innocuous uses for that, and some malicious ones.
Clipper is a fancier beast — Clipper cards contain MMIFARE DESFire chips. They have a
rudimentary operating system, with a file system capable of reading and writing data and simple cryptographic authentication. That’s pretty much all you need to implement a contactless fare system. They implement a standard protocol, part of a range of technologies emerging in portable gadgets. Some Android phones support it now, and the next iPhone is rumored to be adding it too. You might have heard of MIFARE one other place — the MIFARE Classic chip was used in London’s Oyster cards, and was badly flawed in ways that could be exploited to evade fares, clone cards, etc. NXP Semiconductor, who devised the chips, unsuccessfully sued to stop publication of research demonstrating those flaws.
To date there have been no published attacks against the DESFire in Clipper cards. Chances are there are still flaws — most software is like that. The Associated Press reported that an employee of Cubic Transportation Systems, the same vendor that makes and distributes Clipper cards, had a cottage industry selling perfectly usable forged fare cards in Boston, though not enough details have come out to know whether the methods involved could affect Clipper (the MBTA, meanwhile, terminated Cubic’s contract and plans to seek reimbursement for $5M in suspected losses).
I’ve been interested in what’s actually stored on these cards, and what could be read from it. So, I did a bit of experimenting. I paid cash for a fresh Clipper card. I ran up some trips on it, and then scraped it out using FareBot for Android. Here’s what you can read from my Clipper card, with equipment no more sophisticated than a cellphone:
- Various unique card IDs, manufacturing dates, batch numbers, versioning data, etc.
- Card balance
- Passes loaded (which I didn’t test, but it’s in there)
- What trips you’ve taken. For Muni, it’s when you tagged the reader. For BART, the card records every station you visited and when. Caltrain, Golden Gate Transit, and the ferries record fare zone and time at either end of the ride.
- History of cash reloads. This includes the amount, the agency and the specific machine you visited.
Looking over the raw data a bit, the designers allocated themselves enough space to record 16 trips and six refill histories. There’s also a large (1280 byte) buffer of no documented purpose, but my sample card did have data with some clear patterns written there.
The good news, I suppose, is that Clipper isn’t storing very much about Muni trips — it’s pretty much nothing but what time you tagged to board the vehicle. On the other hand, BART is storying a large amount of information, especially on a card that can be read by anyone who can hold a phone up to your pocket. Records of past trips are useful for all sorts of nefarious parties and of no use to legitimate fare inspectors. Payment history really shouldn’t stored on the card either — all a fare inspector really needs is a fare balance, not a history of my financial transactions.
How accessible is the data on your Clipper card? It depends. If you’re using it to stalk someone on BART using nothing but a cellphone, you’d have to get within a few inches of their pocket or purse when they’re not looking. Doable, if you’re motivated. Embarassingly easy on packed trains or buses, really, where it’s hard not to get close. If you wanted to scan a dozen people on a 38-Geary to see who just refilled their card and is likely to be carrying cash, you might have to do some conspicuous squirming around. To scan everyone coming out of Montgomery BART in the morning to see what station they live near, you might build a larger antenna and reader into a briefcase or newspaper box.
Would you? Enh.
The good part about technological crime is that those with the skills and equipment to do it usually have no motivation for petty crimes. The bad part is that it tends to facilitate major complex ones, and economies tend to generate around vulnerabilities these days. Security researchers worry about RFID because it enables clandestine spying on people’s activities, which I think Clipper certainly makes easier. Use of RFID in fare systems is also worrisome because transit systems are usually run by government agencies and built by contractors, which is an environment prone to fallible design and poor security design decisions.
At any rate, it was an interesting little tour. With NFC chips moving inside cellphones and controllable from software, I hope to see transit fare cards replaced with on-phone equivalents that are properly backed up against loss and only allow the data to be read when I authorize it.