Wednesday, 16 October 2013

Compass card: a review

I was one of the lucky recipients of a Compass card, which is due to be launched within the next half-year.

Due to my being away in Europe for a good chunk of the testing programme and having Canary to work on, I haven't had the time to play around with the card as much as I would like to, so what you're getting here is pretty much the raw data. I can gladly answer any questions if you e-mail me.

I do have friends in the local Vancouver information security scene that are poking at the system themselves.

Tapping in and out and flaws



The system in place works no differently from other systems such as San Francisco's Clipper card. Boarding a bus or entering a station takes one firm tap on the reader (the card needs to be held there for about half a second), which is enough for the card and the reader to complete their exchange. It could be a bit slow for a bus, but with enough gates it won't be an issue at any station.



However, due to the zone system currently in place, it is quite easy to board a bus, walk to the back and tap out. As you can see in the image above, tapping out too soon produces that error message; yet if you wait just a few seconds after the bus has started to move, the tap out is accepted immediately.

You can repeat this on the bus at least twice in a row, but the system does lock you out if you attempt to tap more than four times in one trip. I haven't tried this more than once, but my fifth and subsequent taps resulted in the same error as above being shown. The card did work, however, when I entered a SkyTrain station at the bus' terminus.

This flaw was publicised earlier this week, and TransLink's response was nothing more than a reminder of how much better life will be with the new Compass card system. Needless to say, I am almost certain that they were aware of this issue from the get-go, and to be honest it's not much of a flaw to begin with, seeing that there aren't that many bus routes that require a multi-zone fare, and those that do generally connect to a SkyTrain station, where you have to tap through a gate at some point.

So far the loophole doesn't exist within the SkyTrain system, as you do need to tap out to physically leave the station. This issue will be more apparent when TransLink eventually adopts a distance-based system, but I imagine that the buses will be taken into account.

Contents of the card itself



So for those who are curious about it from a technical standpoint, the Compass system uses a Cubic implementation of MIFARE DESFire EV1. At the time of writing there are no publicly known practical attacks against DESFire EV1 itself (unlike MIFARE Classic, or the original DESFire MF3ICD40, which fell to side-channel analysis), and the dump below shows what that means for anyone poking at the card: the application directory and the file and key settings are readable without authentication, but the single 384-byte data file can only be read with key #1 over a MACed channel, so the stored fare data is off limits to an unauthenticated reader. I have included the raw details about it below.

# IC manufacturer:
NXP Semiconductors

# IC type:
MIFARE DESFire EV1 (MF3ICD41)

# DESFire Applications:
1 unknown application

-- NDEF ------------------------------

# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes

-- EXTRA ------------------------------

# Memory information:
Size: 4 kB
Available: 4.0 kB

# IC detailed information:
Capacitance: 17 pF

# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA3417AE30
Production date: week 08, 2012

-- TECH ------------------------------

# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 309 ms
* Extended length APDUs not supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
MIFARE Classic support present in Android

# Detailed protocol information:
ID: 04:48:0B:F2:59:22:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x067577810280
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|

# Memory content:
PICC level (Application ID 0x000000)
* PICC key configuration:
- AES key
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: yes
- Configuration changeable
- PICC key version: 129

Application ID 0x000001
* Key configuration:
- 14 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Key itself required for changing a key
* 1 file present

- File ID 0x00: Standard data, 384 bytes
~ Communication: with MAC
~ Read key: key #1
~ Write key: key #2
~ Read/Write key: key #2
~ Change key: master key
~ (No access)
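The dump above is TagInfo's decoded view of two things: the card's ISO/IEC 14443-4 Answer To Select (the ATS line under "Detailed protocol information") and the DESFire key and file settings under "Memory content". The Python below is an added example, not code from the original post nor from TransLink, Cubic or NXP; it decodes those raw bytes itself. The ATS is the value printed in the dump. The GetKeySettings and GetFileSettings reply bytes are constructed here (an assumption) so that they decode to what the dump reports, since the dump prints only the decoded form.

```python
"""Decode the raw answer bytes behind a TagInfo-style DESFire dump.

Added example, not code from the original post or from TransLink, Cubic
or NXP. The ATS comes from the dump above; the DESFire GetKeySettings
and GetFileSettings replies are constructed (assumption) to match what
the dump reports, because the dump prints only the decoded form.
"""

FC = 13.56e6  # ISO/IEC 14443 carrier frequency in Hz

# FSCI nibble -> maximum frame size the card accepts (ISO/IEC 14443-4)
FSCI_TO_BYTES = [16, 24, 32, 40, 48, 64, 96, 128, 256]

# Sample inputs. ATS is the value from the dump; the rest are constructed.
ATS = bytes.fromhex("067577810280")
PICC_KEY_SETTINGS = (0x0B, 0x81)   # (settings byte, max-keys byte), AES, 1 key
APP1_KEY_SETTINGS = (0xEB, 0x0E)   # 14 (3)DES keys, "key itself" to change a key
APP1_FILE0_SETTINGS = bytes.fromhex("00012012800100")  # std data, MAC, 384 bytes


def decode_ats(ats: bytes) -> dict:
    """Parse an ISO/IEC 14443-4 Answer To Select into its interface bytes."""
    if ats[0] != len(ats):
        raise ValueError("TL byte does not match ATS length")
    t0 = ats[1]
    out = {"fsci": t0 & 0x0F, "max_frame": FSCI_TO_BYTES[min(t0 & 0x0F, 8)]}
    idx = 2
    if t0 & 0x10:  # TA(1): DR (card receive) bits 0-2, DS (card send) bits 4-6
        ta = ats[idx]
        idx += 1
        out["recv_kbps"] = [106] + [106 * (2 << i) for i in range(3) if ta & (1 << i)]
        out["send_kbps"] = [106] + [106 * (2 << i) for i in range(3) if ta & (1 << (4 + i))]
        out["asymmetric_rates"] = not (ta & 0x80)  # bit 7 set = same D both ways only
    if t0 & 0x20:  # TB(1): FWI in the high nibble, SFGI in the low nibble
        tb = ats[idx]
        idx += 1
        unit = 256 * 16 / FC  # about 302 us
        out["fwt_ms"] = unit * 2 ** (tb >> 4) * 1e3
        out["sfgt_us"] = unit * 2 ** (tb & 0x0F) * 1e6
    if t0 & 0x40:  # TC(1): bit 0 = NAD supported, bit 1 = CID supported
        tc = ats[idx]
        idx += 1
        out["nad"] = bool(tc & 0x01)
        out["cid"] = bool(tc & 0x02)
    out["historical"] = ats[idx:]
    return out


def _key_name(nibble: int) -> str:
    """Map a DESFire access-rights nibble to the key it names."""
    return {0x0: "master key", 0xE: "free", 0xF: "no access"}.get(nibble, f"key #{nibble}")


def decode_key_settings(settings: int, max_keys: int) -> dict:
    """Decode a DESFire GetKeySettings reply (settings byte + max-keys byte)."""
    change = settings >> 4  # which key may change keys: 0xE = the key itself, 0xF = frozen
    if change == 0xE:
        needs = "key itself"
    elif change == 0xF:
        needs = "frozen"
    else:
        needs = _key_name(change)
    return {
        "crypto": {0x00: "(3)DES", 0x40: "3K3DES", 0x80: "AES"}[max_keys & 0xC0],
        "num_keys": max_keys & 0x0F,
        "master_key_changeable": bool(settings & 0x01),
        "directory_list_needs_key": not (settings & 0x02),
        "create_delete_needs_key": not (settings & 0x04),
        "configuration_changeable": bool(settings & 0x08),
        "change_key_needs": needs,
    }


def decode_file_settings(reply: bytes) -> dict:
    """Decode a GetFileSettings reply: type, comm mode, access rights (LSB
    first), then the 3-byte little-endian size for data files."""
    ftype, comm = reply[0], reply[1]
    rights = reply[2] | (reply[3] << 8)
    out = {
        "type": {0x00: "standard data", 0x01: "backup data"}.get(ftype, f"0x{ftype:02x}"),
        "communication": {0x00: "plain", 0x01: "with MAC", 0x03: "enciphered"}.get(comm, f"0x{comm:02x}"),
        "read": _key_name(rights >> 12),
        "write": _key_name((rights >> 8) & 0xF),
        "read_write": _key_name((rights >> 4) & 0xF),
        "change_rights": _key_name(rights & 0xF),
    }
    if ftype in (0x00, 0x01):
        out["size"] = int.from_bytes(reply[4:7], "little")
    return out


def readable_without_key(file_settings: dict) -> bool:
    """True only if the read or read/write right is 'free' (nibble 0xE)."""
    return "free" in (file_settings["read"], file_settings["read_write"])


if __name__ == "__main__":
    print(decode_ats(ATS))
    print(decode_key_settings(*PICC_KEY_SETTINGS))
    print(decode_key_settings(*APP1_KEY_SETTINGS))
    f = decode_file_settings(APP1_FILE0_SETTINGS)
    print(f, "readable without a key:", readable_without_key(f))
```

The practical point for anyone reading the card with a phone: the decoded key settings show that listing applications and files needs no authentication, but file 0's read right is key #1 and its communication mode is MACed, so a reader without that key gets the UID and the file layout and nothing else.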


I do suggest that you look into Adam Laurie's RFIDIOt site if you're interested in looking at the card for yourself.
