Back to Home

"Shaw, again?" or hacking Citicard transport cards (Nizhny Novgorod)

mifare · nfc · hacking · transport cards · rfid · android · nxp

"Shaw, again?" or hacking Citicard transport cards (Nizhny Novgorod)

I hasten to warn readers: This article is written for information only, and in no case does not encourage falsification of tickets, as this contradicts article 327 of the Criminal Code of the Russian Federation. The author is not responsible for any illegal actions committed by people using the information from this article.

I am an ordinary girl, relatively recently working in the field of IT, I do not have knowledge in hacking and hacking. But inspired by the articles on Habré about hacking the Troika and Podorozhnik transport cards (which are no longer available, the authors of Ammonia and antoo ), I decided to talk about my own experience of hacking the Citycard transport cards that operate in Nizhny Novgorod.



I must say right away that I am not a hacker or hacker, but a simple front-end developer, my knowledge of working with PCs, if you discard knowledge in the front-end development, can be described as an "experienced user".

I did not develop special applications, as the authors of the mentioned articles did, but I will show how transport cards can be easily cracked using affordable means. Hacking methods have been known for a long time (5-7 years for sure).

If I, as a developer, used old versions of frameworks with known vulnerabilities, the employer would have torn my head for a long time, but this, in my opinion, does not apply to developers of transport systems. Perhaps this is due to the low savvy of the developers themselves.

But back to hacking. So, first things first.

All the actions I described were carried out last fall, but, as far as I know, everything works now.

So, I have an inexpensive smartphone with NFC. I used to buy Citycard transport cards (it so happened that I have several of them - sometimes I forgot the card at home, at work and had to buy a new one).



I downloaded the official application of the Mifare NXP Taginfo card manufacturer and scanned my transport card:



It turned out that the card is based on the Mifare Plus S chip, but most importantly, it works in security mode No. 1. This means that in essence it is a simple Mifare card Classic, which is easy to crack.

I downloaded the wonderful Mifare Classic Tool on Google Playand scanned the transport card with standard keys:



Here I was disappointed - not one of the known keys came up. Accordingly, it was not possible to use the hacking method, as described in the article on "Plantain".
“Wait a minute,” I thought, “but you can try the method, as described in the article about hacking Troika.”

Indeed, Citicard also has an application from Google Play that allows you to check the balance of the card, and subsequently screwed the opportunity and replenish the card.


I downloaded and installed this application. But now a dilemma has arisen before me: the keys to the card are wired either in the application itself or “arrive” from the server. Decompiling Android apps is easy enough, but I'm not very good at it.

Surely, a more or less thoughtful developer can easily do this. I didn’t have such skills and turned to my brother who is repairing intercoms, I thought he had a familiar programmer, but he proposed a more elegant and simple solution.

He had by then received a fee from Kickstarter., which allows you to peek the protocol between the reader and the card. It turns out that in the intercoms they began to use key chains, inside which the same Mifare chip was sewn up, and he needed this board for some tasks related to these key rings (I did not go into details).

So, he took his board, placed it on my smartphone, which acted as a reader, and the transport card itself acted as a card, and removed the data exchange log between the reader and the card.

Then the question arose of what to do with the received log. But a short search on the Internet led to a utility called crapto1gui. Links will not lead, it’s easy enough to find.

I give a screenshot of the utility below (taken from one of the sites on the Internet, so the data there is not real that we used).


In general, it is enough to insert the necessary pieces of the log into this utility and the 6-byte key is instantly calculated. I myself was surprised how easy it is to do, the most difficult thing was to copy the necessary parts from the log and paste into the appropriate program fields.

Then I opened the entire Mifare Classic Tool (MCT) application, inserted the received key into the application, and this time I was shown the contents of the 0th and 8th sectors.


Basically, there were only zeros in the zero sector, but in the eighth there was some data, from which I concluded that the data on the transport card is stored in the 8th sector (like in the Troika card, is it really the same developer?), and the received key turned out to be key B (the sector has two keys A and B).

Further, for the sake of interest, with the help of the open source utility libnfc and a contactless card reader, I received all the other keys from the card (more about this was written in the article about "Plantain" - I also used this method. It is also described on the libnfc website).

Using the keys I received, I tried to read the contents of another transport card. It turned out that key A was the same, but key B was not. But with the help of the mentioned utility it was also easy to get.

Then I began to examine the contents of the transport card. The 8th sector consists of 4 blocks of 16 bytes. With the help of MCT, it became clear that the first block is the so-called. Value block. The first thing that came up was that the card balance is stored in this block. With the help of MCT, it was possible to decode it - it contained the number 2147483647. It clearly did not look like a card balance, even if it was a penny.

Then I toured this map and found, having read the contents of the sector, that the value had not changed, but the contents of the other blocks had changed. From which it was concluded that the card balance is stored in them.

There was no particular desire to disassemble the contents of the card, because I wanted to try the so-called replay attack (I later found out what it is called correctly).

In the morning before the trip to the subway, I saved the contents of the eighth sector, put the card on the turnstile and went to work. In the afternoon, going on business, using MCT, I recorded the previous state of the map and tried to get on the subway ... And I did it!


(the picture is not mine - I did not want to attract attention at all)

So I realized that in this way you can do an “eternal travel card”. I decided to indulge a little and wrote down the contents of the transport card sector in the intercom keychain.


(I used the same keychain to record the transport card into it)

I tried to go through the turnstile with the keychain, but then I was disappointed - the keychain, to my surprise, did not work. I thought that my transport card was blocked (after all, the keychain was its clone), but when I applied the “original” (transport card), I managed to get through the turnstile.

I talked with my brother, wanted to know what he thinks about this, and he told me that each card and keychain has its own identification number. Apparently, my “clone” was not complete, and the contents in the card were somehow tied to its number.

But it turned out that there was a way out of this situation: there are some types of trinkets that look exactly the same, but they can change their number (conventional transport cards cannot do this). Moreover, the MCT has such a function for rewriting a number, since it is stored in the first block of the zero sector.

However, for some reason, changing the number using MCT did not work. But it turned out to be done with the help of a reader and all the same libnfc.

This time I got a complete clone of the transport card in the form of a keychain, because even the number coincided. I tried to go through the turnstile on the intercom keychain, and I easily succeeded. I didn’t dare to put a keychain on the bus, because the aunt conductor could be very surprised, but the “eternal” transport card worked without problems either.

So, summing up, we can say the following: transport cards for paying for travel in Nizhny Novgorod are just as easily hacked as Troika (Moscow) and Podorozhnik (St. Petersburg).

Even I, a girl who did not have special knowledge, but who can download Android applications and use search in Google and Yandex, was able to do this using improvised tools and available in the public domain programs and utilities (if I were a developer, it would probably be even easier , although it’s much easier ...) Yes, it took me some time to search the Internet and study forums, but everything turned out to be very simple.

I want to note right away, anticipating questions that there was no damage to the subway - I took into account all the trips made on the “perpetual travel card”, so I did not spend the balance on the card for the number of such trips, and then destroyed the card itself.

But the attackers are not so conscious, they probably use this vulnerability and damage the city transport. But we get regularly increasing fares (maybe, including due to losses due to forgery of transport cards). By the way, the deposit for the transport card is 50 rubles. But the exact same security cards Mifare Classic cost 12.5 rubles or less.

One gets the feeling that all transport systems where transport cards are used are unsafe. I do not want to argue why this happens (this topic is not for Habr), it remains only to ask the question: who (which city) is next and when to wait for this article on Habr?

PS This story, of course, is fictitious. All characters are fictional, all coincidences are random. Well, you get the point ...

Read Next