
[Full-disclosure] BART Card Advisory

                         www.noisebridge.net

                      -= Security Advisory =-

     Advisory: BART Tickets vulnerable to simple cloning
 Release Date: 2008/07/14
       Author: Jacob Appelbaum

  Application: Bay Area Rapid Transit System (BART)
     Severity: All BART blue high-value magstripe-encoded tickets are
               vulnerable to cloning.
         Risk: Medium/High
Vendor Status: Vendor has not been contacted

   "If you only read the books that everyone else is reading, 
   you can only think what everyone else is thinking."
      -- Haruki Murakami

Overview:

   Quote from www.bart.gov/tickets/

      BART tickets are like debit cards with stored value. All BART stations
      have automatic ticket vending machines that accept nickels, dimes,
      quarters and $1 coins, as well as $1, $5, $10 and $20 bills. You can
      also use credit and debit cards in select machines.

      When you enter BART, insert your ticket into the fare gate and it will
      be returned to you. Use the same ticket when you exit. The correct fare
      will be automatically deducted and tickets with remaining value will be
      returned. If your ticket has too little value, a sign on the fare gate
      will read "Underpaid: Go to Addfare." A nearby Addfare vending machine
      will tell you how much additional fare you must add to your ticket to
      exit the BART system.

   It turns out that BART high value (blue) tickets and other magstripe BART
   tickets store value ON TICKET, as opposed to centrally via an
   authentication token. Critical information is stored directly on card
   using what is probably a simple block cipher and is vulnerable to a basic
   replay attack.

   In our analysis though, we have found that just like the SFMTA parking
   meter smartcard system, the signature goes UNVALIDATED. It seems there's a
   pattern here in the security systems of San Francisco public services!
   Hmmmm.  This type of vulnerability does not extend to the new BART EZ
   Rider smart cards. (Applause)

   Track 2 Layout

           | SS |  PAN  | FS |  Additional Data  | ES | LRC |

   SS=Start Sentinel ";"
   PAN=Primary Acct. # (19 digits max)
   FS=Field Separator "="
   Additional Data=Expiration Date, offset, encrypted PIN, etc.
   ES=End Sentinel "?"
   LRC=Longitudinal Redundancy Check 

   In the ABA Track 2 system, the magic happens in the "Additional Data"
   area. Depending on bank (some remained completely unencrypted until mid
   2000s!) the PIN numbers were actually stored on card only encrypted by a
   simple block cipher!

   Well it turns out the BART ticketing system, although not similar in
   format, does use the same general encoding format, 75bpi BCD which means
   you can take your standard off-the-shelf MSR-206 magstripe encoder/decoder
   and go!

   Fortunately for you, we've even provided this handy utility!

   http://code.google.com/p/libmsr/

   This project is an independent Free Software implementation of the
   protocol for the MSR 206 magnetic stripe reader/writer. It is intended to
   be both a library for use in other programs that wish to interface with
   the MSR 206 and as a collection of useful user space programs.

   So onto the data.

   Bart Card Layout:

           | SET | VERSION | ID | DATA | VALUE | CRC |


      . set(?)      . card id             .- plain text value
     /             /                     /
   084909 5346 00721486 8432187913029 00405 1610
   084909 5346 00721486 2072730117332 00065 2287
           \                 \                \
            - version(?)      \                `- CRC(?)
                               `- data

       Set: Seems to be related to the ID but changes infrequently and
            doesn't seem to increment linearly.
   Version: This number seems to change infrequently but from time to time
            even for the same type of card (blue/red/green)
        ID: Card ID, which seems to be issued semi-sequentially
      Data: Most likely the encrypted version of value
     Value: Dollar value ($000.00)
       CRC: Possibly the checksum

   Although, as you can see, a plain-text BCD card value is stored on the
   stripe, it is not the only data used to determine the on-card value. By
   our simple analysis (i.e. trying to encode other dollar figures in
   plaintext) it's clear that the plain text value in conjunction with the
   data field is used to validate the on-card value. We assume that the
   4-digit value after the plain text value is the CRC, because this also
   changes each time it's used, it's kinda small and it just seems like one
   (great evidence, huh!). In truth black-box differential analysis of the
   magstripe data is relatively uninformational, but it turns out if we
   follow this simple rule, we can effectively clone and use BART cards
   without any real brains.  Don't use two clones of the same card at the
   same time. Anyone who's tried using a Fast Pass twice will realize they
   will be let in twice, but not let out twice. You'll end up stuck. Other
   than that, just copy the card and once in a while, reset the data back to
   a higher value by re-encoding a previous state.

   Anyways, if anyone wants to come join us at Noisebridge to clone some BART
   cards for fun and profit just swing by 83C Wiese Street with your extra
   cards (you know, the ones with a nickel on them). Also, if you would like
   to donate to the Noisebridge cause (and now an official 501(c)(3)
   non-profit corporation) we might be able to throw in a BART pass at twice
   the donation value! Just kidding, but hey, they're definitely tax
   deductible and for a good cause ;)

   Regards,
   Jacob Appelbaum
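
Added example, not part of the original advisory or of libmsr: the advisory's core finding is that value lives on the ticket rather than in a central record, so this sketch shows a hypothetical back-end ledger that flags the two behaviours described above (two copies of one card in use at once, and an earlier state re-encoded). Field widths follow the advisory's tentative layout; the Ledger class, the alert names, the event list and the 340-cent fare are assumptions constructed for illustration.

```python
FIELDS = ("set", "version", "id", "data", "value", "crc")
WIDTHS = (6, 4, 8, 13, 5, 4)   # widths taken from the advisory's sample dumps

def parse_stripe(raw):
    """Split a space-separated dump into the advisory's tentative fields."""
    parts = raw.split()
    if [len(p) for p in parts] != list(WIDTHS) or not all(p.isdigit() for p in parts):
        raise ValueError("stripe does not match the expected layout")
    rec = dict(zip(FIELDS, parts))
    rec["cents"] = int(rec["value"])          # 00405 -> 405 cents ($4.05)
    return rec

class Ledger:
    """Hypothetical back end: authoritative balance and trip state per card ID."""
    def __init__(self):
        self.balance = {}      # card id -> cents the back end believes remain
        self.inside = set()    # card ids currently between entry and exit

    def observe(self, kind, raw, fare=0):
        rec = parse_stripe(raw)
        cid = rec["id"]
        alerts = []
        # First sighting bootstraps the ledger (assumption); a real system
        # would record the balance at sale time, not trust the stripe.
        known = self.balance.setdefault(cid, rec["cents"])
        if rec["cents"] > known:
            alerts.append("value-exceeds-ledger")   # earlier state re-encoded
        if kind == "entry":
            if cid in self.inside:
                alerts.append("already-in-system")  # two copies in use at once
            self.inside.add(cid)
        elif kind == "exit":
            if cid not in self.inside:
                alerts.append("exit-without-entry")
            self.inside.discard(cid)
            self.balance[cid] = max(known - fare, 0)
        return alerts

REC_405 = "084909 5346 00721486 8432187913029 00405 1610"   # from the advisory
# Constructed gate reads: entry, duplicate entry, exit, re-presented old state.
EVENTS = [("entry", REC_405, 0), ("entry", REC_405, 0),
          ("exit", REC_405, 340), ("entry", REC_405, 0)]

def run(events):
    ledger = Ledger()
    return [ledger.observe(*e) for e in events]

if __name__ == "__main__":
    for event, alerts in zip(EVENTS, run(EVENTS)):
        print(event[0], alerts or "ok")
```

Both alerts depend only on state the gate cannot be handed on the stripe, which is the property the on-ticket design lacks.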


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/