Message-Id: <20090805162411.7419EB805A@smtp.hushmail.com>
Date: Wed, 05 Aug 2009 16:24:11 +0000
From: noisebridge@...hmail.com
To: full-disclosure@...ts.grok.org.uk
Subject: BART Card Advisory
www.noisebridge.net
-= Security Advisory =-
Advisory: BART Tickets vulnerable to simple cloning
Release Date: 2008/07/14
Author: Jacob Appelbaum
Application: Bay Area Rapid Transit System (BART)
Severity: All BART blue high-value magstripe-encoded tickets are vulnerable to cloning.
Risk: Medium/High
Vendor Status: Vendor has not been contacted
"If you only read the books that everyone else is reading,
you can only think what everyone else is thinking."
-- Haruki Murakami
Overview:
Quote from www.bart.gov/tickets/
BART tickets are like debit cards with stored value. All BART stations have automatic ticket vending machines that accept nickels, dimes, quarters and $1 coins, as well as $1, $5, $10 and $20 bills. You can also use credit and debit cards in select machines.

When you enter BART, insert your ticket into the fare gate and it will be returned to you. Use the same ticket when you exit. The correct fare will be automatically deducted and tickets with remaining value will be returned. If your ticket has too little value, a sign on the fare gate will read "Underpaid: Go to Addfare." A nearby Addfare vending machine will tell you how much additional fare you must add to your ticket to exit the BART system.
It turns out that BART high-value (blue) tickets and other magstripe BART tickets store value ON TICKET, as opposed to centrally via an authentication token. Critical information is stored directly on the card using what is probably a simple block cipher and is vulnerable to a basic replay attack.

In our analysis though, we have found that just like the SFMTA parking meter smartcard system, the signature goes UNVALIDATED. It seems there's a pattern here in the security systems of San Francisco public services! Hmmmm. This type of vulnerability does not extend to the new BART EZ Rider smart cards. (Applause)
Track 2 Layout
| SS | PAN | FS | Additional Data | ES | LRC |
SS=Start Sentinel ";"
PAN=Primary Acct. # (19 digits max)
FS=Field Separator "="
Additional Data=Expiration Date, offset, encrypted PIN, etc.
ES=End Sentinel "?"
LRC=Longitudinal Redundancy Check
In the ABA Track 2 system, the magic happens in the "Additional Data" area. Depending on the bank (some remained completely unencrypted until the mid 2000s!), PINs were actually stored on the card encrypted only by a simple block cipher!
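To make the Track 2 layout above concrete, here is a small parser for that format that splits a record at the sentinels and recomputes the LRC, the way a reader or gate has to before trusting the fields. This is an added example, not code from the advisory or from libmsr; the records it parses are constructed, and it treats only the structure (SS, PAN, FS, Additional Data, ES, LRC), not any bank-specific meaning of the Additional Data field.

```python
"""ABA Track 2 record parser with LRC check.

Added example for the Track 2 layout described above (SS, PAN, FS,
Additional Data, ES, LRC); it is not code from the advisory or from
libmsr. The sample records in __main__ are constructed.
"""

# Track 2 uses a 4-bit BCD alphabet: the digits '0'-'9' plus the six
# control characters ':' ';' '<' '=' '>' '?' (ASCII 0x30-0x3F). The low
# nibble of the ASCII code is the value written on the stripe; the odd
# parity bit that accompanies each character on the stripe is not part
# of the ASCII form a reader hands back, so it is ignored here.
START_SENTINEL = ";"
FIELD_SEPARATOR = "="
END_SENTINEL = "?"
MAX_PAN_DIGITS = 19


def track2_lrc(body: str) -> str:
    """Longitudinal Redundancy Check: XOR of the 4-bit value of every
    character from the start sentinel through the end sentinel, returned
    as the Track 2 character carrying that nibble."""
    acc = 0
    for ch in body:
        code = ord(ch)
        if not 0x30 <= code <= 0x3F:
            raise ValueError(f"not a Track 2 character: {ch!r}")
        acc ^= code & 0x0F
    return chr(0x30 | acc)


def parse_track2(record: str) -> dict:
    """Split a Track 2 string into its fields and verify the trailing LRC.

    Returns a dict with pan, additional_data, lrc and lrc_ok. Structural
    errors (missing sentinels, bad PAN) raise ValueError; an LRC mismatch
    is reported in lrc_ok rather than raised, since a damaged stripe is an
    expected condition a fare gate has to handle gracefully."""
    if not record.startswith(START_SENTINEL):
        raise ValueError("record does not begin with the start sentinel ';'")
    end = record.find(END_SENTINEL)
    if end < 0:
        raise ValueError("record has no end sentinel '?'")
    body, trailer = record[: end + 1], record[end + 1 :]
    if len(trailer) != 1:
        raise ValueError("expected exactly one LRC character after the end sentinel")
    inner = body[1:-1]
    if FIELD_SEPARATOR not in inner:
        raise ValueError("record has no field separator '='")
    pan, additional = inner.split(FIELD_SEPARATOR, 1)
    if not pan.isdigit() or len(pan) > MAX_PAN_DIGITS:
        raise ValueError("PAN must be 1-19 digits")
    return {
        "pan": pan,
        "additional_data": additional,
        "lrc": trailer,
        "lrc_ok": trailer == track2_lrc(body),
    }


if __name__ == "__main__":
    # Constructed records, not data read from any real card.
    good = ";4111111111111111=2512101?8"
    damaged = ";4111111111111111=2512101?9"
    print(parse_track2(good))     # lrc_ok True
    print(parse_track2(damaged))  # lrc_ok False
```

The LRC only detects read errors; it is not an integrity check against someone who can write the stripe, because anyone encoding a record can recompute it. That is the same gap the advisory points at for the BART "CRC" field.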
Well, it turns out the BART ticketing system, although not similar in format, does use the same general encoding format, 75bpi BCD, which means you can take your standard off-the-shelf MSR-206 magstripe encoder/decoder and go! Fortunately for you, we've even provided this handy utility:

http://code.google.com/p/libmsr/

This project is an independent Free Software implementation of the protocol for the MSR 206 magnetic stripe reader/writer. It is intended to be both a library for use in other programs that wish to interface with the MSR 206 and a collection of useful user space programs.
So onto the data.
Bart Card Layout:
| SET | VERSION | ID | DATA | VALUE | CRC |
.- set(?)   .- card id             .- plain text value
|           |                      |
084909 5346 00721486 8432187913029 00405 1610
084909 5346 00721486 2072730117332 00065 2287
       |             |                   |
       `- version(?) `- data             `- CRC(?)
Set: Seems to be related to the ID but changes infrequently and doesn't seem to increment linearly.
Version: This number seems to change infrequently, but from time to time even for the same type of card (blue/red/green).
ID: Card ID, which seems to be issued semi-sequentially.
Data: Most likely the encrypted version of the value.
Value: Dollar value ($000.00).
CRC: Possibly the checksum.
Although, as you can see, a plain-text BCD card value is stored on the stripe, it is not the only data used to determine the on-card value. By our simple analysis (i.e. trying to encode other dollar figures in plaintext) it's clear that the plain-text value in conjunction with the data field is used to validate the on-card value. We assume that the 4-digit value after the plain-text value is the CRC, because this also changes each time it's used, it's kinda small and it just seems like one (great evidence, huh!). In truth, black-box differential analysis of the magstripe data is relatively uninformative, but it turns out that if we follow this simple rule, we can effectively clone and use BART cards without any real brains. Don't use two clones of the same card at the same time. Anyone who's tried using a Fast Pass twice will realize they will be let in twice, but not let out twice. You'll end up stuck. Other than that, just copy the card and once in a while, reset the data back to a higher value by re-encoding a previous state.
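The root cause the advisory identifies is that the gate validates only what the stripe says about itself, so a copied or re-encoded state is indistinguishable from the original. The following added example (not code from the advisory or from BART) parses the six-field layout shown above using widths read off the two sample rows, and pairs it with an assumed central ledger of the kind the advisory says the real system lacks: it remembers every card state it has accepted and the last value seen per card ID, and flags a ticket that re-presents a consumed state or shows up with more value than before without an add-fare on record. The field names, the FareLedger design and the $10.00 row are assumptions.

```python
"""Parser for the six-field BART stripe layout shown above, plus a
simulated central ledger that would catch the replay the advisory
describes.

Added example, not code from the advisory or from BART: the field names
and digit widths are read off the two sample rows, and FareLedger is an
assumed back-end design (the advisory's point is that the real system
keeps no such record and trusts the stripe). The $10.00 row in __main__
is constructed.
"""
from dataclasses import dataclass

# (name, digit count) in stripe order, taken from the sample rows.
FIELD_WIDTHS = (
    ("set", 6),
    ("version", 4),
    ("card_id", 8),
    ("data", 13),
    ("value", 5),
    ("crc", 4),
)


@dataclass(frozen=True)
class BartTicket:
    set_id: str
    version: str
    card_id: str
    data: str
    value_cents: int  # plain-text value, $000.00 stored as five digits
    crc: str

    def dollars(self) -> str:
        return f"${self.value_cents // 100}.{self.value_cents % 100:02d}"


def parse_bart_row(row: str) -> BartTicket:
    """Parse one space-separated row in the layout above; reject rows
    whose field count or digit widths do not match the sample rows."""
    fields = row.split()
    if len(fields) != len(FIELD_WIDTHS):
        raise ValueError(f"expected {len(FIELD_WIDTHS)} fields, got {len(fields)}")
    for (name, width), field in zip(FIELD_WIDTHS, fields):
        if len(field) != width or not field.isdigit():
            raise ValueError(f"field {name!r} must be {width} digits, got {field!r}")
    return BartTicket(
        set_id=fields[0],
        version=fields[1],
        card_id=fields[2],
        data=fields[3],
        value_cents=int(fields[4]),
        crc=fields[5],
    )


class FareLedger:
    """Assumed back-end check (not part of the system the advisory describes).

    A gate that validates only the stripe cannot tell a clone from the
    original. A central ledger that remembers each state it has already
    accepted, and the last value seen per card, can flag the two things a
    cloned or re-encoded ticket must do: present a state that was already
    consumed, or appear with more value than it had without an add-fare
    transaction on record."""

    def __init__(self) -> None:
        self.consumed: set[tuple[str, str, int, str]] = set()
        self.last_value: dict[str, int] = {}

    def check(self, t: BartTicket, addfare: bool = False) -> str:
        """Return 'ok', 'replay' or 'value-increase'; only 'ok' records the state."""
        state = (t.card_id, t.data, t.value_cents, t.crc)
        if state in self.consumed:
            return "replay"
        prev = self.last_value.get(t.card_id)
        if prev is not None and t.value_cents > prev and not addfare:
            return "value-increase"
        self.consumed.add(state)
        self.last_value[t.card_id] = t.value_cents
        return "ok"


if __name__ == "__main__":
    ledger = FareLedger()
    rows = [
        "084909 5346 00721486 8432187913029 00405 1610",  # from the advisory
        "084909 5346 00721486 2072730117332 00065 2287",  # from the advisory
        "084909 5346 00721486 8432187913029 00405 1610",  # same state presented again
        "084909 5346 00721486 0000000000000 01000 0000",  # constructed
    ]
    for row in rows:
        t = parse_bart_row(row)
        print(t.card_id, t.dollars(), ledger.check(t))
```

Run against the two advisory rows in order, the ledger accepts both (the value dropped from $4.05 to $0.65, as a fare deduction would), then flags the first row when it is presented again and flags the constructed $10.00 row as an unexplained increase. The same card state arriving at two gates close together, which the advisory notes gets a rider stuck, is the "replay" case here.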
Anyways, if anyone wants to come join us at Noisebridge to clone some BART cards for fun and profit, just swing by 83C Wiese Street with your extra cards (you know, the ones with a nickel on them). Also, if you would like to donate to the Noisebridge cause (now an official 501(c)(3) non-profit corporation), we might be able to throw in a BART pass at twice the donation value! Just kidding, but hey, they're definitely tax deductible and for a good cause ;)
Regards,
Jacob Appelbaum
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/