Get SF Weekly Newsletters
Pin It

Fare Hack: Exploiting a Clipper Card Flaw Is Easy 

Wednesday, Feb 1 2012
Comments

Not that we think you would, but with a visit to Radio Shack you could hack into that Clipper card in your wallet, allowing you to load it with free rides or create and sell copies for profit — and funnel money away from the Bay Area's crash-strapped public-transit agencies.

What it would take: an oscilloscope, an antenna, a transponder, a bit of know-how, and about seven hours.

That's according to David Oswald, a Ph.D. student in IT security at the Ruhr University of Bochum in Germany, who broke the encryption in Clipper and similar transit cards last year. Clipper cards contain a chip that uses radio signals to talk to fare gates and the transponders on buses, making it easy to "eavesdrop" on the conversation."It's comparable to a professional thief who can open a safe by listening to the mechanical clicks of the lock. In our case, we are listening to electromagnetic fields," says Oswald.

From there, a hacker can narrow down which key will break the encryption and gain access to the information on the chip. Lest you think it takes an IT degree to read the data, the Farebot app for Android phones lets you peek at the travel history and balance on your own card — or anyone else's nearby.

The vulnerability poses "a severe threat to the security of real-world systems" that use the chip, Oswald wrote in a paper published in October.

Cubic Transportation Systems, the company that supplies Clipper cards, downplays the finding. "Cubic continually monitors card activity to determine if unauthorized modifications have been made," says Derick Benoit, vice president of customer services.

However, Metropolitan Transportation Commission spokesman John Goodwin says card-cloning is possible. That's a problem, since Andres Townes, a former employee of Boston's Massachusetts Bay Transit Authority and later Cubic, was indicted for selling millions of dollars' worth of cloned magnetic-stripe transit cards on Craigslist. Townes kicked off his alleged racket in 2007, before Cubic took over the MBTA's transit-card system, but wasn't arrested until 2011 — well after Cubic got involved.

The MTC has asked Cubic to finesse the Clipper system in light of Oswald's findings, and Cubic is "considering this request," Goodwin said. Cubic also plans to use a new, less-vulnerable chip in Clipper cards this year, but that still leaves over 1 million weaker cards in circulation.

"No smart card is, or will ever be, absolutely 100 percent hack-proof," Goodwin said. "The goal is to stay at least one step ahead of the people that would look to take advantage of discovered vulnerabilities."

That's easier than staying out of cities with Radio Shacks.

About The Author

Beth Winegarner

Comments

Subscribe to this thread:

Add a comment

Popular Stories

  1. Most Popular Stories
  2. Stories You Missed

Slideshows

  • clipping at Brava Theater Sept. 11
    Sub Pop recording artists 'clipping.' brought their brand of noise-driven experimental hip hop to the closing night of 2016's San Francisco Electronic Music Fest this past Sunday. The packed Brava Theater hosted an initially seated crowd that ended the night jumping and dancing against the front of the stage. The trio performed a set focused on their recently released Sci-Fi Horror concept album, 'Splendor & Misery', then delved into their dancier and more aggressive back catalogue, and recent single 'Wriggle'. Opening performances included local experimental electronic duo 'Tujurikkuja' and computer music artist 'Madalyn Merkey.'"