The St. Petersburg student learned to ride for free (but illegally) in the transport on the “Plantain” card, overwriting it via an Android-smartphone with NFC.
A 20-year-old student of the correspondence department of LETI named Anton tested the possibility of re-recording the Podorozhnik travel cards used in the metro and ground transportation of St. Petersburg. As it turned out, the metro system quickly blocks the modified maps, however, in buses and trolley-buses of the city the check works differently and in fact allows you to ride for free.
Maps “Plantain” work on the basis of the standard MIFARE, and for their reading and writing, almost any NFC-reader, including built-in smartphones based on Android. Using the technique of attacking these cards and an external NFC-reader, describedin 2015, Anton got access to the contents of its 4K of internal memory.
The programmer found out that from 40 sectors of memory the data changes only in three of them: most likely, they record information about the balance of the map and the time of the last trip. In one of these sectors there is an imitation – code that is created according to a certain algorithm on the basis of rewritable data: if you do not know this algorithm, you will not be able to specify arbitrary values stored on the map (for example, a balance of 1000 rubles).
Therefore, Anton decided to follow a different path: he filled up the map, wrote down the contents of her memory, applied it (passing through the turnstile or in the automatic replenishment machine), and then tried to restore the old contents of the memory and tried to use the “Plantain” again. For convenience, he wrote his own application for Android and called it Plantain (“Plantain”): thanks to him, he could rewrite cards on the move, applying them to the smartphone.
It turned out that if you insert a re-recorded “Plantain” in the machine, it is immediately blocked, and you can no longer use it. If you pass through it through the metro turnstile, the map is blocked in about two hours. However, in land transport, Anton was able to use the re-recorded maps without restrictions: within two weeks of testing, no one blocked them.
In a conversation with , the student explained that although the Moscow Troika and the Petersburg Plantain work in a similar way (they even plan to unite them), their security systems are different.
The system of protection in the metro in St. Petersburg works much better than in Moscow: it blocks the map after two hours, while in Moscow, using similar schemes, “Troika” can live for weeks, and for some months.
With ground transportation the situation is worse: blocked in the subway “Plantain” works in the ground until now, so the bases there are updated very rarely or not updated at all.
“Plantain” has a flexible system of tariffs, but one of its parameters is unchanged: before using the card you need to buy for 60 rubles, but later it can be returned to the cashier. The programmer believes that its cost is actually lower than production costs, and this measure does not protect against fraud.
The cost of the card is only due to the fact that the carrier itself with the chip costs some money. If you buy a blank card at retail, the price may be even more than the cost of “Plantain” in the subway.
Moreover, “Plantain” can be returned to the cashier and get its value back: then it can even be sold to someone else. I did not try to return the blocked cards, I did not want to risk it. But in general, the policy of locks is correct: the main goal is to make a fake inexpedient, and they get everything in the subway, but there is something to work on in the ground.
According to Anton, it is very difficult to get the key with the help of which the contents of the card are protected: it is sewn into turnstiles and validators, only developers have access to it. If this key goes off, this will be a much more serious problem than the ability to travel on the map in ground transportation.
Anton stressed that he conducted the research out of interest, and not for the sake of economy, especially since the falsification of the travel is punishable under the Criminal Code of the Russian Federation: “Sharing experience is more interesting for me than trying to save on travel, especially breaking the law.”
While testing “Plantains” in the subway, it turned out that with him in his pocket were three cards, two of which were already blocked. Began to apply the first – the red indicator light was on and the inscription “PB forbidden” appeared. The second happened the same.
Then the controller came out of the booth and headed towards me: they see passages or errors on their desk. I decided to avoid dialogue and quickly went through using the third card. Nobody tried to catch me up, but after that I tried to behave a little more carefully.
Updated : Almost a week after the publication of Anton, the newspaper Fontanka reported that the city authorities knew about the possible vulnerability of the map. At the same time, the publication hinted that the study of the safety of the “Plantain” by the student coincided with the active phase of the introduction of a new monitoring system for travel. Anton himself was summoned to a meeting at the Transport Committee, but nothing is still known about the nature of the meeting.
The Transport Committee confirms that they knew about the theoretical possibility of such hacking and explained the use of the old protocol in that it is universal: for example, cards for beneficiaries are used, including in the Leningrad region, and if we now modernize the encryption, it is not the fact that this card can be taken by extraneous terminals.