Glass Encapsulation for Uncommon / Secured tags

edited June 2015 in RFID/NFC
As much as I dig Boston's Charlie Card system, I'd dig it a lot more if I could interface with it with an RFID implant. Issue is security, specifically I'm not sure how I'd be able to clone the details onto a new clear chip (Mifare classic 1k). Not only that, but I have a feeling I'd piss off some folks I'd rather avoid drawing attention from.

It's basically impossible to carve the chip out of the card because of the way this super thin wire is pressed between plastic, but I'm thinking some form of an acid bath might be a viable way to extract it. It's not unheard of. Sounds like there's a method using basic nail polish remover, already. Once extracted, I need to encapsulate it. Are there currently any services that provide glass encapsulation? Or a kit of some form I can order? Right now I'm checking out Schott's transponder glass (http://www.us.schott.com/epackaging/english/glass/transponder.html) but I'm not sure if there's another better-known option (or if I'm even able to order from these folks as an 'independent researcher'. Never ordered from a large company like this). They also come with a fire-polished open end, and I have no clue how I'd close that up. The product manual suggests "a clean room atmosphere using laser or infrared" but I don't exactly have such resources.

Guidance in the right direction would be super rad! Thanks!

Comments

  • edited June 2015
    There is a project where someone dissolved their London tube card using acetone (nail polish remover) to isolate the chip and the wire. However, he also mentioned that newer cards use a different material and don't break down like that.

    It's worth trying tho.

    If that doesn't work, then you need to figure out a solvent that will break down that plastic without destroying the chip. I'll mull it over...

  • edited June 2015
    Acetone (nail polish remover) is really the best way to go. Acid might take out the wires too. If it won't break down in acetone, you can try heating your solvent, or perhaps using brake cleaner.
  • Brake cleaner is just acetone and toluene. Which may work a bit better, but it really is still a mild solvent, comparatively... if acetone doesn't cut it, more intense methods will need to be taken.
  • edited June 2015
    Acetone it is, then! Thanks! I'll report back on if that's successful or not (once I hit payday and can go get some).

    Once the chip is free, I'm still at a loss on encapsulation. Feeling pretty safe in assuming that DIY glassblowing / torching the hole shut could ruin the biocompatibility (and cause issues with the texture, giving contaminants a foot-hold).
  • I'd start by getting a hold of Alex from cyberise. Are you sure he can't clone this for you? I understand that it may be proprietary or something but he put something similar onto an NFC for me.

    In terms of glass, I think you can seal those schott tubes with a blowtorch and a spin. Kind of like playing with glass capillary tubing but a bit thicker.
  • edited June 2015
    BirdMachine  once you've got the circuit free from the casing, PM me, I just so happen to have a whole box of schott glass capsules for one of my projects.


    Edit: I can clone mifare classic cards.... but it will depend on exactly how the chip is used...
  • Can you clone RFID bus passes to a ready-made chip? Or is it easier to try and extract and coat a chip from a card?
  • Depends on the type of card. For one that just holds an ID number, cloning is as simple as finding a suitable RFID and flashing. 

    The more complex cards are a whole 'nother ball game. To learn more about them, breeze through this old Defcon presentation that was blocked from actually presenting by an injunction: http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

    This kind of card would need encapsulation.

  • @ElectricFeel everything you said is correct, but why do you think we can't clone the Boston Charlie Card system?
  • edited June 2015
    I believe that you can probably clone it, but the card's predecessor was broken by MIT researchers in the talk I mentioned, so I'll bet they have some quirks to prevent easy cloning.

    The cards also expire after five years, so your implant has a defined obsolescence, unless it's rewritable and you can flash it while implanted.

    Also, you might want to try getting in contact with these guys : http://www.ringtheory.com/
    They sell MBTA RFIDs embedded in a ring. They might be able to provide more specifications, or a raw chip. It could be easier than dissolving a card.

    Further reading suggests cloning is totally feasible, and this : https://dangerousthings.com/shop/13-56mhz-s50-glass-nfc/ would be perfect for the implant. It's the same chip in the card.

    Dangerous Things' FAQ has a different point:
    Now let’s talk about transit and laundry cards (token systems).
    Typically these systems use their own method of leveraging memory blocks
    and access keys (Mifare Classic and DESFire access keys), meaning even
    if you could get your implant added to their system, it would require
    formatting your tag and setting up access keys in such a way that it
    would become totally dedicated to that purpose. You could no longer
    access memory blocks on your own tag or use it for any other purpose.
    This might be ok for some of you, but for many I could see that as being
    a problem.

    See if you can encapsulate a known working card.
  • @ElectricFeel It's mifare classic, it's a predefined standard, they can't change that, therefore there won't be quirks, so yes, I can clone it, and yes, I can just rewrite the implant after 5 years.

    yeah, I read the Ring Theory page before, having their help would make things easier, but it is still doable without them.
  • I see you edited your post above after I posted my comment, so I'll double post to respond to your edit.

    The DT mifare chip may or may not allow cloning of the card in question. If the Boston system uses only the data on the card, then yes, the DT chip could be used to clone it, however if the Boston system also uses the chip UID, then the DT chip cannot be used to clone it, since the first block of the DT chip is read only, and cannot be changed.
  • Oh hey, I actually backed that Ring when it hit kickstarter. Neat, but always gets caught on everything. That's a good point though... if they have a process for creating the chip or reducing the card down enough to mass produce these things, they're worth chatting with!

    AlexSmith

    I will absolutely reach out once I get a card or few boiled down, thanks! I tried getting data from the card using nfc tools on android, but I mostly get read errors (https://blackboxjack.com/charlie.xml). I have a bundle of 'cancelled' cards I can send to you or anyone else who wants to examine them in depth. If you can clone it, that would be exceptionally rad! (Especially since the ones I get through work are discounted. Buying my own replacement is full price.)

    Good to know a torch is a viable sealing method. Think the Artists Asylum nearby has one (super good to know if, ah, I need to make multiples for friends and such. Or other chips I may want to try!) Thanks!
  • I'm keen to give this a shot as well. I would love to be able to get a bay area clipper card into an implantable state. From what I understand it has some sort of encryption that keeps it from being cloned. 
  • If you have the gear, German researchers broke the chip in the Clipper card. Unless Wikipedia is out of date about the chip in the card, you should be able to hack a solution. They used a side channel attack to find the encryption keys. https://www.iacr.org/archive/ches2011/69170208/69170208.pdf

  • BirdMachine The reason you're getting read errors is because you don't have the correct access keys, but Mifare crypto is super weak. I have a proxmark3, with which I can crack the keys.


    ElectricFeel Yeah, DESfire is potentially crackable, but it's super hard to do, and the newer DESfire EV2 is fixed, so those side channel attacks don't work.
    Do you know if the Clipper card is EV1 or EV2?
    But if we could break it, making an implant would be secondary to the fact that we could have unlimited funds!



  • The funds are stored in the main server, not on the card. The card only acts as a mirror, so you'd get flagged fast. It would be more ideal to just skim other people's cards and impersonate them.
  • Honestly I'm not trying to beat the system. I just want to get out of carting around an extra card - and would love to be able to just wave my hand to get on the Bart. Hacking cards properly would be interesting, but not really the point here. 
  • @ElectricFeel nope, read this http://en.wikipedia.org/wiki/Clipper_card#Technology
    funds are on the card itself, I've hacked transport systems like this in the past ;)
  • Read a little further:
    The waiting period between synchronizations may cause some cards to
    report lower funds than are actually on the corresponding Clipper
    account. In order to alleviate this problem, Clipper allows riders to go
    as low as −$11.25 on the card before funds need to be added, and/or the
    card needs to be scanned at an internet-enabled or recently
    synchronized device.

    Every system has the database on it. The only question is how long out of date is it. You would still hit the negative balance and be declined within a day once you were negative. The server has your balance on it, and the card is synced to the server. Changing the card doesn't change the server. Even if you spoof a balance increase, you will still be caught out when the server catches the discrepancy.

    Nearly every subway has moved to this since 2006, due to the publicizing of how to easily hack their systems.
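The reconciliation this comment describes, sketched as an added example that is not part of the original thread and not any transit agency's code. The function name, card IDs, ledger and tap records are constructed assumptions; only the −$11.25 floor comes from the quoted text.

```python
from decimal import Decimal as D

# Negative-balance floor quoted from the Clipper article in the comment above.
NEGATIVE_LIMIT = D("-11.25")

# Constructed sample data: balances the server holds per card, and taps
# uploaded by readers as (card_id, balance read from card, fare charged).
LEDGER = {"A": D("20.00"), "B": D("5.00"), "C": D("-10.00"), "D": D("15.00")}
TAPS = [
    ("A", D("20.00"), D("2.25")),   # card and server agree
    ("A", D("17.75"), D("2.25")),   # still agree after the first fare
    ("B", D("50.00"), D("2.25")),   # card claims value the server never sold
    ("C", D("-10.00"), D("2.25")),  # agrees, but this fare crosses the floor
    ("D", D("5.00"), D("2.25")),    # card lags the server (benign, per the quote)
]

RANK = {"ok": 0, "stale-card": 1, "below-limit": 2, "unbacked-value": 3}

def reconcile(ledger, taps):
    """Replay uploaded taps against the server ledger (hypothetical helper).

    Returns (verdicts, balances): the worst verdict seen per card and the
    server-side balance after all fares are applied. The server balance is
    authoritative; the value on the card is only evidence to compare with it.
    """
    balances = dict(ledger)
    verdicts = {}
    for card_id, on_card, fare in taps:
        server = balances.get(card_id, D("0"))
        if on_card > server:
            verdict = "unbacked-value"   # card shows funds with no matching sale
        elif on_card < server:
            verdict = "stale-card"       # top-up not yet written to the card
        else:
            verdict = "ok"
        balances[card_id] = server - fare
        if balances[card_id] < NEGATIVE_LIMIT and RANK[verdict] < RANK["below-limit"]:
            verdict = "below-limit"      # decline until funds are added
        if RANK[verdict] >= RANK[verdicts.get(card_id, "ok")]:
            verdicts[card_id] = verdict
    return verdicts, balances
```

Because the fare is always debited from the server's figure, an inflated value on the card never changes what the account owes; it only produces the `unbacked-value` flag.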
  • edited June 2015
    I read that, it doesn't matter, it's still possible to exploit, but this is getting off topic, this is not a hacker forum.
  • Oh where there's some bits to shift, there's a way >:) only issue is it's hard to grind from prison. At least I'm assuming so. Personally I'm not up to doing a study on whether or not a filed-down toothbrush is a suitable replacement for a scalpel... Nor do I really want to be a target for a grumpy Boston police officer. (Pretty sure waving my wrist at the lock and getting in will be risky and scary enough.)
  • edited June 2015
    OK! So for the sake of science and sharing knowledge and all that good stuff, I'll post pictures and updates in this thread. I was able to get some nail polish remover last night, and thus I can get started with this :)

    image

    One of these is busted, and one is valid but at a 0.00 balance. Can't tell which is which, so let's reduce both of em!

    image

    This is the stuff I'll be using. Turns out there are multiple kinds these days.

    image

    I was originally going to dump them into some tupperware, but then I figured hey... if this is supposed to use the power of acid to reduce a charlie card to a bundle of wires and ex-plastic goo... a ziplock probably wouldn't survive. Pyrex it is!

    image

    Enough to cover em, but we're not filling the entire thing up. Please ignore the dirty pots in the background.

    image

    It's always wise to label your work, yo.

    image

    So, I don't have a lab yet, sadly. So no lab storage. I do have a room, but it has my bird kids and they both have quite sensitive lungs. Plus my liz kid who likes to eat stuff he shouldn't. So my room is out. Have to keep this thing somewhere though. So for now I have it tucked away on top of the fridge where hopefully I can quasi forget about it (to avoid constantly impatiently poking at it) and my roommates won't pry.

    Will eventually post more pictures on https://blackboxjack.com/visual/index.php?/category/10
  • I am loving this project and your break down.
    For further reference, you are technically doing a depolymerization.
    Did you seal the container? Acetone is highly volatile and will evaporate out super fast with that much surface area.
    Keep up the updates, this is cool!
  • Thank you! The container is sealed, though a bit unconventionally. The lid normally has a little tab that seals a small hole. Said tab has been lost to the void, sadly. So I crammed some paper towels into the hole instead.

    image
    Science!

    It seems to have done the trick! There's still plenty of liquid left as of last night, and I got too curious to leave one alone.

    image

    Got a little ahead of myself and against judgement, just had to pry one open...

    image

    it was a bit hard to split, but eventually gave way. Letting it continue to cook along with the other unopened card, so here's hoping that thin array of wires along the rim comes off easily.

    image

    Hello there charlie :)
  • I'm with glims. I love this project. So neat and simple and could lead to some fun projects and new tag styles. keep up the updates!
  • This is not depolymerization. The resulting sludge will never achieve monomer state. It's a process called acetone solvolysis.
  • @BirdMachine I have done this to a bunch of different cards I have here, with pretty much the same results.

    The next step is to remove the wires from the remaining plastic, which needs to be done somewhat carefully to avoid breaking the wire.

    But now the hard part. That casing on the chip is too big to fit in these capsules, which have an inner diameter of 2.5mm. If it is to fit, you need to cut/sand the metal connectors down until it is no more than 2.5mm wide. It can be longer though.

  • I'm going to spend some time this weekend trying to remove the NFC interface from our chip-and-pin cards here in New Zealand and see if I can keep them in a readable state. Probably will play around with those tiny wires and see if we can remove em by soldering just a tiny bit on instead or whatever.
    Hopefully by this time next year I'll be able to pay for this with a magic wave of my hands...
  • @Cassox very true. I did not realize that the card would respond this way, good catch.