
Decoding the MetroCard, Part 2: Research and Past Attempts - codezero
http://blog.woodruffw.us/2016/07/17/Decoding-the-Metrocard-Part-2
======
eric_h
This post actually puts to rest (and confirms) a theory that my coworker had
when I thought I had a truly unlimited metrocard.

Basically, I bought an unlimited monthly pass from a machine. By the third day
of using it, I noticed that every day I used it, the expiration date displayed
at the turnstile would advance a day. Obviously, I thought I had somehow
become the owner of the golden metrocard that would work forever (I was
admittedly optimistic, hoping it would be true).

Several days later, when I had confirmed that it wasn't a fluke and shared the
story of my fortunate acquisition of the "golden metrocard" my coworker
suggested that perhaps the expiration date stored on the card was null, and
the default behavior of the turnstile was to always show an expiration date 30
days out.

Sure enough, when thirty days passed, the card stopped working, and I
apparently blew the booth attendant's mind when I asked why the card wasn't
working (something about a negative balance or some such, she'd never seen
such a thing before).

My coworker was absolutely right: the expiration date was cached on the card
(as a null or some other invalid value in this case) and it was then checked
against a list of actually expired cards over the network.

~~~
woodruffw
Do you happen to still have that card? I'd love to see a dump of it (and line
it up with known fields circa 2006 on tracks 1 and 2).

~~~
eric_h
I'm afraid not. I'd intended to hold onto it, but it fell through the cracks
during a move.

------
woodruffw
Oh, wow. I just came home and found this on the front page.

I'm a little embarrassed, since that post had been sitting on my drive for
over a year. It's not very well written, and it doesn't do the prior research
justice.

------
error54
After living in NYC and now living in San Francisco, I wonder why the MTA
hasn't yet switched to contactless cards similar to what Boston or SF has. As
someone who has missed many a train trying to swipe my metro card, it seems
like this would be an easy win for them and less wasteful than a disposable
paper card.

~~~
Fej
Expensive.

Expensive expensive expensive.

They would have to replace all of the turnstiles (for some reason I doubt they
could retrofit them) which is a _ton_ of turnstiles. The MTA subway is BIG (as
far as I know, bigger than SF and Boston, in terms of number of stations).

They would need dedicated central servers to handle everything, unlike they
have now, which the article says "complements" the existing system but which
is not required for operation.

MetroCard came out over a decade before CharlieCard (Boston) so they have tons
of infrastructure that would cost an absurd amount of money to replace. I
imagine they figure it isn't worth it, especially when there are so many other
subway projects that need money.

~~~
tjohns
Central servers are not required for contactless cards. The card itself holds
the current balance inside a tamper-proof secure element, and it's updated
with every ride.

A central server can be used for things like web-based reloads and auditing,
complementing the system... but it's entirely possible for a terminal to
remain in offline-mode and just check-in at the end of the day to get any
pending messages and upload logs. This is why it takes longer to
reload/unblock a SF Clipper card using a reader in a bus (offline mode) as
opposed to at a BART turnstile (online mode).

~~~
tetrep
> ...tamper-proof secure element...

It doesn't even need to be held in anything secure, you just need to sign the
balance when writing and check the signature when it's used.

~~~
throwanem
If your turnstiles can't talk to a server, they can't check key revocation
lists, and I tend to imagine that in a city the size of New York somebody's
going to leak a key every now and again - it's been known to happen with
physical keys; why not digital ones, too?

~~~
dsr_
But they don't need to have a realtime revocation list -- it's fine if a
broken card works until the end of the day, or even the end of the week, as
long as it stops working faster than keys are leaked or cracked.

So a bus turnstile can do transactions when it returns to the garage, and
turnstiles in locations where it's hard to run data for whatever reason can
get a plug-in every so often on a regular maintenance run.
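As an added example (not code from the thread or from any transit system), here is a Python sketch of the scheme tetrep and dsr_ describe: the turnstile checks a MAC over the balance stored on an untrusted stripe, re-signs the record after deducting the fare, and consults a key revocation list that is only refreshed when the reader syncs. The keys, fare, record layout and card values are all constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo keys, indexed by key id; a real issuer would keep these in an HSM.
# Because every offline reader must hold the signing key, a leaked reader key lets
# anyone mint balances, which is exactly why the revocation list below matters.
ISSUER_KEYS = {1: b"issuer-key-1-constructed", 2: b"issuer-key-2-constructed"}

RECORD_LEN = 9 + 8  # card id (4) + balance (4) + key id (1) + truncated MAC (8)

def encode_card(card_id: int, balance_cents: int, key_id: int) -> bytes:
    """Write a card record: id, balance and key id, followed by a MAC over all three."""
    body = struct.pack(">IIB", card_id, balance_cents, key_id)
    mac = hmac.new(ISSUER_KEYS[key_id], body, hashlib.sha256).digest()[:8]
    return body + mac

def decode_card(record: bytes):
    """Return (card_id, balance_cents, key_id) without checking the MAC."""
    return struct.unpack(">IIB", record[:9])

class OfflineTurnstile:
    def __init__(self, fare_cents: int = 275):  # constructed fare value
        self.fare = fare_cents
        self.revoked_keys = set()  # only updated when the reader syncs
        self.log = []              # uploaded at the next sync

    def sync(self, revocation_list):
        """End-of-day check-in: take the new revocation list, hand back the ride log."""
        self.revoked_keys = set(revocation_list)
        uploaded, self.log = self.log, []
        return uploaded

    def swipe(self, record: bytes):
        """Validate the record and return (new_record, status)."""
        if len(record) != RECORD_LEN:
            return None, "malformed"
        body, mac = record[:9], record[9:]
        card_id, balance, key_id = struct.unpack(">IIB", body)
        key = ISSUER_KEYS.get(key_id)
        if key is None or key_id in self.revoked_keys:
            return None, "rejected: unknown or revoked key"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            return None, "rejected: bad signature"
        if balance < self.fare:
            return None, "rejected: insufficient fare"
        # Note: a byte-for-byte copy of an older record still verifies here; catching
        # replays needs the central-side checks the thread discusses, not the MAC.
        new_record = encode_card(card_id, balance - self.fare, key_id)
        self.log.append((card_id, balance - self.fare))
        return new_record, "ok"
```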

------
vinbrando
I used the same sources a couple years back to develop a MetroCard balance
checker for iPhones. It used a cheap headphone jack magnetic stripe reader
from China. Never got around to actually doing anything with it though.

~~~
woodruffw
Interesting! Do you happen to still have your source and/or research? I'd love
to add it as a bullet on the post.

------
Animats
It's a good system. The fact that the hacker crowd hasn't even figured out the
basics yet is amusing.

MetroCards are validated by both the station computer and the central data
center. Once a card has been used, it can't be used again for 18 minutes. This
makes copies of cards almost useless. There's a lot of mutual mistrust
designed into the system. The MTA isn't stupid.

~~~
gricardo99
> Once a card has been used, it can't be used again for 18 minutes

I'm not sure what you mean. I've used mine twice in quick succession to pay
for a friend.

~~~
specialp
That limit does not apply to prepaid MetroCards at the same station. What the
OP is referring to is that one cannot clone an unlimited weekly or monthly
card while having it be useful. They have an 18 min lockout. Using a prepaid
card repeatedly will just drain the value of that card.

~~~
sib
That's unfortunate. There were definitely times when I lived in NYC (pre-
Metrocard) when I took two rides within 18 minutes (take short ride, jump out
of station for quick errand, come back in for next part of journey). Are you
saying that would not be possible?

~~~
registered99
Nope, that's only for the same station. Assuming you swipe into station A,
exit station B, and swipe again at station B, you're fine.

If you swipe into station A, realise you got into the wrong entrance, you can
usually just walk to the 24-hour booth and ask them to let you in the gate.

Also you can walk to another station.

------
devy

> Despite being over a decade old, these slides (and accompanying 2600 articles) still represent the best publicly-available research on the MetroCard format.

Isn't that an endorsement that Cubic Transportation Systems'[0][1] security by
obscurity works quite well in this case?

[0]:
[https://youtu.be/YSmqwJmKh2E?t=1833](https://youtu.be/YSmqwJmKh2E?t=1833)

[1]:
[https://en.wikipedia.org/wiki/Cubic_Transportation_Systems](https://en.wikipedia.org/wiki/Cubic_Transportation_Systems)

~~~
woodruffw
I think it's worth keeping in mind that that presentation (and accompanying
papers) came out in the spring/summer of 2006. Google Patents didn't appear
until December of that year [0], and the USPTO certainly didn't have an online
search or API back then (it does now [1]).

The information was always _there_, but it's only become easily _accessible_
in the past few years. To me, that speaks tremendously towards Battaglia's
research.

[0]:
[https://en.wikipedia.org/wiki/Google_Patents](https://en.wikipedia.org/wiki/Google_Patents)

[1]: [http://assignment.uspto.gov/](http://assignment.uspto.gov/)

------
kixpanganiban
Interesting read, but somewhat disappointing. I expected something like a
demonstration of a card reader dumping the contents of the card, and an
Arduino-controlled magstripe spoofing it. Excellent writeup nonetheless!

~~~
woodruffw
I actually have dumped MetroCards using a reader, but I'm saving that for a
third post ;)

~~~
dsfyu404ed
I take it that if you figure out you can write a stripe that overflows the
scanner firmware in a way that unlocks the gate you won't post it until you're
done using it...

~~~
woodruffw
If you're asking whether I'd exploit it, the answer is a firm no. I'm not the
biggest fan of the MTA (nobody who lives in NYC for any substantial amount of
time is), but the personal benefit would be minuscule compared to the
consequences.

More to the point, making a public display of weaknesses in the MetroCard
might finally get the MTA off their ass and onto that modernization project
they've been promising for the last 15 years ;)

