Security study of the Tbilisi transport system, or how to ride around and make money

I should warn right away that Georgia has no analogue of Article 327 of the Criminal Code of the Russian Federation, so everything described here is legal until the damage exceeds 2,000 GEL (~50,000 rubles).

It is worth noting that the idea itself was inspired by three other articles: on Troika, Plantain (Podorozhnik) and Citycard.

[image]

The transport system in Tbilisi differs somewhat from what residents of Russia are used to. You will not see trams or trolleybuses here; there are only buses, the subway, minibuses (marshrutkas) and the cable car. Bus and subway cost 50 tetri (~12.5 rubles), a minibus 80 tetri, and the cable car 2 or 3 lari. All of this transport can be paid for with a Metromoney card.

A Proxmark3 was used to study the card. First of all, we determine the type of RFID tag:

[image: Proxmark3 output identifying the tag]

As you can see, this is a MIFARE Classic 1K with a 4-byte UID. Proxmark supports three types of attacks on MIFARE Classic: darkside, nested and hardnested. This card is vulnerable to all three, unlike the Troika and Plantain cards we already know. The attack itself has been known for a long time; it was described back in 2009.

The next step is to check the card with a set of standard keys:

[image: Proxmark3 default-key check]

As a result, we find the default key FFFFFFFFFFFF. Then we run the nested attack itself:

[image: Proxmark3 nested attack output]

In response, we get the full set of keys for the card, which is what we needed. As we recall, in the previous three publications the authors used a replay attack because the data was encrypted; here we will instead look at the data structure itself using MCT (MIFARE Classic Tool).

[image: card dump in MCT]

There is no encryption here, so all that remains for us to do is to write any amount we need into the value block where the balance of 5 GEL is kept (bearing in mind the 2,000 GEL threshold mentioned above). If you want to clone such a card, you also have to clone the UID, since a hash of it is stored in a separate block. There is no online system for checking cards here: the turnstiles in the subway, like the turnstiles on the funicular, work offline, and so do the buses. Georgia is an interesting country; there are even payment terminals that work with transport cards offline.
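To make the weakness concrete from the terminal's side, here is an added example (not code from the article, MCT or the Metromoney system). It decodes a MIFARE Classic value block using the standard value / ~value / value / addr / ~addr layout, shows that the block's built-in redundancy detects only corruption and not a deliberate rewrite, and then shows the control an offline terminal would need in order to notice a rewritten balance: a keyed MAC over (UID, balance) stored in a separate block, with the key kept on the terminals and never on the card. The UID, the terminal key, the block number, the tetri unit and the tag layout are all constructed assumptions for the example; nothing here describes the real card layout beyond what the article states.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed sample values (assumptions for this example, not data read from a real card).
SAMPLE_UID = bytes.fromhex("DEADBEEF")        # 4-byte UID, as on MIFARE Classic 1K
TERMINAL_KEY = b"constructed-terminal-secret"  # lives on the terminals, never written to the card
VALUE_BLOCK_ADDR = 5                           # assumed block number holding the balance
HONEST_BALANCE = 500                           # 5 GEL expressed in tetri (assumed unit)


def encode_value_block(value: int, addr: int) -> bytes:
    """Build a 16-byte MIFARE Classic value block:
    value | ~value | value | addr | ~addr | addr | ~addr, value as int32 little-endian."""
    u = value & 0xFFFFFFFF
    return struct.pack("<IIIBBBB", u, u ^ 0xFFFFFFFF, u, addr, addr ^ 0xFF, addr, addr ^ 0xFF)


def decode_value_block(block: bytes) -> Tuple[int, int]:
    """Decode a value block and enforce its redundancy fields.
    The redundancy catches bit errors only: a rewritten block with a consistent
    layout passes, so this check is not an anti-fraud control."""
    if len(block) != 16:
        raise ValueError("value block must be 16 bytes")
    v1, nv, v2, a1, na1, a2, na2 = struct.unpack("<iIiBBBB", block)
    if v1 != v2 or (v1 & 0xFFFFFFFF) ^ nv != 0xFFFFFFFF:
        raise ValueError("value redundancy check failed")
    if a1 != a2 or a1 ^ na1 != 0xFF or a2 ^ na2 != 0xFF:
        raise ValueError("address redundancy check failed")
    return v1, a1


def balance_tag(uid: bytes, value: int, key: bytes) -> bytes:
    """Keyed MAC binding the balance to this UID, truncated to fit one 16-byte block."""
    return hmac.new(key, uid + struct.pack("<i", value), hashlib.sha256).digest()[:16]


def naive_terminal_balance(value_block: bytes) -> Optional[int]:
    """Behaviour the article describes: the terminal trusts whatever the block says."""
    try:
        return decode_value_block(value_block)[0]
    except ValueError:
        return None


def binding_terminal_balance(uid: bytes, value_block: bytes, tag_block: bytes,
                             key: bytes) -> Optional[int]:
    """Mitigation: accept the balance only if the MAC over (UID, balance) verifies."""
    try:
        value, _ = decode_value_block(value_block)
    except ValueError:
        return None
    if not hmac.compare_digest(balance_tag(uid, value, key), tag_block):
        return None
    return value


def demo() -> dict:
    """Compare both terminal policies on an honest card, a rewritten balance and a copied block."""
    honest_block = encode_value_block(HONEST_BALANCE, VALUE_BLOCK_ADDR)
    tag_block = balance_tag(SAMPLE_UID, HONEST_BALANCE, TERMINAL_KEY)
    # The value block rewritten with a larger balance while the tag block is left as it was.
    inflated_block = encode_value_block(199_900, VALUE_BLOCK_ADDR)
    return {
        "naive_honest": naive_terminal_balance(honest_block),
        "naive_inflated": naive_terminal_balance(inflated_block),
        "bound_honest": binding_terminal_balance(SAMPLE_UID, honest_block, tag_block, TERMINAL_KEY),
        "bound_inflated": binding_terminal_balance(SAMPLE_UID, inflated_block, tag_block, TERMINAL_KEY),
        # Same blocks presented from a card with a different UID.
        "bound_other_uid": binding_terminal_balance(bytes.fromhex("01020304"), honest_block,
                                                    tag_block, TERMINAL_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive policy reports the inflated balance just as the offline terminals in the article do; the binding policy rejects both the rewritten block and the blocks copied to another UID. The caveat the article itself points at still applies: a MAC tied to the UID does nothing against a full clone that also copies the UID, and with every terminal holding the same key a compromised terminal leaks it, which is why an online balance check or a per-card counter on the back end is the stronger control.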

[image: payment terminals; the one in question is on the far right]
The photo shows the terminal on the far right. At the bottom of it you can see the special spot where the RFID tag is to be placed.

We can present a card with any balance of our choosing, and without any problems the terminal will display it and offer to top it up.

There is also a small nuance: such a card can be handed back to the cashier for a refund of the entire amount on it (!) plus the deposit, within 30 days of the purchase date, on presentation of the receipt and the card itself.

The article would be incomplete if I did not mention the local Express Bank debit cards. Quite by accident, a Georgian student's social card ended up in my hands; it looks like this:

[image: the student social card]

The RFID tag itself is a JCOP41 with MIFARE Classic 1K emulation.

[image: tag identification for the bank card]

Of course, I will not pay for anything with a bank card whose balance has been altered, because jokes with banks rarely end well, so I did not go beyond reading data from the card.

[image: data read from the bank card]

As user 532CDCCC1022 correctly noted, all transport systems are more or less insecure. Relying on solutions from a decade ago only makes them more vulnerable.

P.S. Any coincidences are accidental, and these actions were carried out by some unnamed Jedi.
