
/cyb/ - cyberpunk and cybersecurity

low life. high tech. anonymity. privacy. security.


Kalyx ######

File: 1534372094475.pdf (698.15 KB, FareEvasionOnMuni.pdf)



This looks like it would be a topic of interest to Arisu. I've recently learned that many of the fare cards can often be altered to one's desire. Using software like mfoc or mfcuk you can change data on an insecure Mifare Classic card. In other words, you can give yourself unlimited rides on transit. I recently bought some hardware that would support this for under 10 USD, and even if it does not end up working on my city's transit I'd like to use it for plenty of other projects I've heard of online. What does Arisu think of this?

I'd also like to note that the system in my city has tracking to some degree (not Orca). It supposedly has a theft prevention feature and a feature to track your balance online which I've seen 0 reviews of online (in one of the biggest cities in the USA (odd)). These features can only be used once you have done some sort of sign up or have called the city for a pass to get your balance. I thought of a way to see if they are tracking you but I'm not sure it would work or if my previous statements already answer that. I will elaborate.

>When you sign up you get the option to pay a scheduled fee

>the amount added to the card is not shown until you tap, which means a userid is involved (should be changed to something random).
>these funds may not be available for 24-48 hours after online payment (serious lag (maybe))
now the ideas:
>reload using compatible hardware
>tap a machine
>check online and see if it's reloaded, if yes -> (reaffirms userid theory)
>reload at a machine and check before next tap (tells me that the reload stations do not have internet connection) -> which would mean there is no way to tell if I or a valid machine reloaded the card
>get a new card and test one with a sign up and one without to find out if any new identification (tracking) is created for the sign up card.
If all goes well: charge with a very large amount -> change userid (no tracking (maybe)) -> profit?
*I got the pdf online and I don't know how safe it is opening it :/


If you're worried about the pdf you can open it as plain text or run a file to remove any javascript that may be in it. As for your idea, it sounds fucking sick and I think you should try it and let us know how it goes.


Will do >>3163 also thx for the tip


The same also goes for turnstiles that is used for businesses, schools etc. I have mingled with MIFARE1K cards in the past which are already broken and can be easily duplicated. When they are used they are not even used properly, some institutions only check for the first 10 bytes which in theory should be immutable. But thanks to our chink lords, there are "chinese magic cards" with mutable UID sections. Also they use default factory encryption keys. This is what happens when you leave that kind of security sensitive stuff to average IT people I guess.

Now the transit system in my city is an entirely different story. They use MIFARE DESFire instead of 1K, which is a little bit more complicated with additional 3DES encryption. I have yet to research it further when I have more time, but I also suspect it should be crackable, albeit a little harder.
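
Added example, not part of any post in this thread: a toy model of the reader-side check criticised above, where a controller trusts only the identifier a card reports, beside a challenge-response check that requires a per-card key. The `Card` class, the key names and the UID are constructed, and the model assumes a card that keeps its key unreadable, which the post says is not the case for cards left on factory keys.

```python
import hashlib
import hmac
import os

# Constructed demo secret; a real deployment keeps the master key in an HSM or SAM.
MASTER_KEY = b"constructed-demo-master-key"

def diversify(uid):
    """Derive a per-card key so that one extracted key does not expose every card."""
    return hmac.new(MASTER_KEY, b"card-key" + uid, hashlib.sha256).digest()

class Card:
    """Toy card: the UID is readable by anyone, the key (assumed) never leaves the card."""
    def __init__(self, uid, key=None):
        self.uid = uid
        self._key = key

    def respond(self, challenge):
        # A card that only carries a copied UID has no key and cannot answer correctly.
        if self._key is None:
            return bytes(32)
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def uid_only_check(card, allowed_uids):
    """The weak pattern from the post: trust whatever identifier the card reports."""
    return card.uid in allowed_uids

def challenge_response_check(card, allowed_uids):
    """Hardened pattern: the card must prove possession of its diversified key."""
    if card.uid not in allowed_uids:
        return False
    challenge = os.urandom(16)  # fresh nonce, so a recorded answer cannot be replayed
    expected = hmac.new(diversify(card.uid), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))

def demo():
    uid = bytes.fromhex("04a1b2c3")            # constructed UID
    allowed = {uid}
    genuine = Card(uid, diversify(uid))
    uid_copy = Card(uid)                       # same UID, no secret
    return {
        "uid_only": (uid_only_check(genuine, allowed), uid_only_check(uid_copy, allowed)),
        "challenge_response": (challenge_response_check(genuine, allowed),
                               challenge_response_check(uid_copy, allowed)),
    }

if __name__ == "__main__":
    print(demo())
```

The UID-only check cannot tell the two cards apart; the challenge-response check accepts only the card holding the diversified key.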
