La Metro Tap Card Number
Short version: The MIFARE Ultralight chips used in Metrolink passes (that you TAP on Metro) are NOT set to read only. Because they are rewritable, it may be possible to change the date that these cards are good for. More research needs to be done; this is not even at a proof of concept stage.

Longer Version: The following is the data readout from the TAP chip (MIFARE Ultralight) in a Metrolink Ticket purchased at about 9:40 AM on July 30th, 2013. The pass was used on the Red Line twice that day. Data was read with the NXP TagInfo app on a Nexus 4, and copied here.

Key: Page - Write Locked? - HEX Codes - (Information)

00 - Y - 04:76:B2:48 - (chip ID bytes 0 to 2, last byte is checksum 0)
01 - Y - B2:6C:28:80 - (ID bytes 3 to 6)
02 - N - 76:48:00:00 - (Checksum 1, Internal, LOCK0 and LOCK1)
03 - N - 00:00:00:00 - (OPT0 to OPT3)
04 - N - 0A:18:00:5C - (This and all following pages are data. May contain a time stamp and all day Metro pass data)
05 - N - 1B:01:D5:00
06 - N - 00:00:00:00
07 - N - 00:00:82:A5
08 - N - 62:77:5A:0F
09 - N - 03:00:00:00
0A - N - 59:18:00:01
0B - N - 87:5D:70:65
0C - N - 02:7D:5A:0F
0D - N - 04:00:00:00
0E - N - 59:0B:00:01
0F - N - 9C:62:43:0F

The structure of a MIFARE Ultralight chip is really simple. It consists of 16 pages of 4 bytes each. The first two pages are the chip's unique ID and check sum, set at the factory.
The first byte of the third page (02h) is the final ID check sum and it is also not changeable. The second byte is reserved for internal data, according to the data sheet. The final two bytes on page three are where things get interesting. The bits of the two bytes are a bit-wise mask that sets the individual pages of memory to a read-only lock; however, none of the lock bits are set! This means that all of the user data section is rewritable! (See section 8.5.2 of the data sheet included in this post for how the bit lock works.)

The OPT pages are also interesting. This area of memory is write-once using a bit-wise OR function. One suggested use of this area is use as a 32 tick counter (e.g., a bus pass that can only be used 32 times). However, even after two uses on the subway, none of these bits are set, thus Metro doesn't use this page. (See section 8.5.3 of the data sheet for details.)

The last 12 pages are data, and are not locked by the Metrolink vending machines. When I 'checked the balance' in Union Station at the machine where you can add balance to a normal TAP card, the Metrolink pass is identified as a special Metrolink to Metro Day Pass only good for that day. I highly suspect that this information is hidden in the DATA pages of the chip.

Possible uses of the chip:

- At the very least, you can reuse your former Metrolink passes as rewritable NFC tags instead of buying them online. As they only hold a small amount of information, it's only good for a short URL or something to make Tasker launch on your phone.
- Cloning passes is quite likely possible. I believe that if someone were to take my pass data from above and copy it onto a pass issued at a different day it would show up as being issued July 30th. As long as there isn't a check against the chip ID, then cloning the DATA section onto a different pass should work.
- If cloning is possible, then it may be possible to completely change the date that the day pass is good for. This would make a pass buy once, hide in a normal TAP card, and get free rides every day you want just by changing the date. I don't think that the TAP system is interconnected, e.g., that the Metrolink ticket stands communicate with TAP and give it a list of authorized cards for the day.

Ultimately, more testing needs to be done. Perhaps by gathering more DATA sections from Metrolink passes issued on different days we can crack the code? What about monthly passes? I've never attempted anything like this before, so I have no clue on the possibilities here. Just a person with an NFC enabled phone poking around. What do you guys/gals think?

Update: I have found that my friend who purchased a ticket a few minutes before I purchased the one above still has his. I'll post the memory dump as soon as I can to compare.
Some of you have asked why I have published my findings. I originally created this post not because I wish to have people evade the fare, but because I wish to gather further information. More heads are better than one, and I'm hoping someone can help shed more light on this possible hole.
I've already sent an anonymous letter to MTA documenting the potential hole with all the information I have so far. By simply contacting MTA, I am taking a risk because. Unlike that case, I am not even breaking any cryptography, just simply touching the Metrolink pass to my phone and posting the memory dump cross-referenced with the data sheet produced by the chip manufacturer. This is something anyone else can do with a free app (also produced by NXP) and an Android smart phone that has NFC capabilities. Security by obscurity is no security at all, and I want to see Metro close this hole ASAP. This issue only applies to Metrolink paper tickets that are TAP compatible, not the standard TAP card.
These paper tickets are not designed to be re-usable. I believe that each chip is set by the Metrolink vending machine when it prints your ticket. The way that MTA/Metro could fix this hole is by updating the code on the Metrolink machines to set the chip into read-only mode after writing the Metro day pass to the chip. It should be an easy fix.
In the meantime, I've reused the chip. It's taped to my nightstand to set my phone into a Silent/Night mode when I place it down to charge when I go to bed.
Thanks Metrolink for continuing to make my life better, besides convenient transportation to downtown! :D

Here's some information for you: the fare inspectors and Sheriffs have a pass that reads 'SpeclEmp' with an expiration date of. That stands for Special Employee. I found this out when I realized I'd forgotten to load my weekly pass on the card. I tapped, but never entered the turnstile, walked back to load up a weekly pass, but could not re-enter because the TAP card had already been used. One of the guys let me back in with his card.
What's the range on your Nexus 4? You could stand close to them if the pass is on their belt, or bump your hip up against the reader as they reach out to tap their card. Another thing that irks me about the system is that you cannot reuse the TAP card at the same station within a short time. For example, you're a family on vacation with a wife and several younger children. In most places, you'd just pay the whole cash fare or re-swipe your card for each family member. Instead, everyone has to have a unique TAP card. That means you have to trust your kids not to lose it, or manage multiple cards in your bag.
Another agent told me that the time limit for reusing the same card at the same place is 7 minutes. I wish they'd reduce that time limit to something more practical, like 5-10 seconds. It would still be enough time to prevent accidental double-taps, but allow for situations like the above.
Clipper Card in the Bay Area is using the same technology and is also read-write. It doesn't need to be read-only, and some thought should cause you to realize that it can't be read-only. It would require every single TAP card reader to have a constantly-available connection to a central server. That's preposterous. Clipper Card data is cryptographically signed, and I would assume that TAP Card data is signed as well. EDIT: I think the Wikipedia article on Clipper has a bunch of good information about how MIFARE is secured.
First, thank you for your service! I love my local bus drivers, and I really appreciate the public transit system. Secondly, I'm posting this because I want to call attention to the flaw.
I want MTA to close this issue before it becomes a problem, hence I wrote them a letter and will be following it up with any new discoveries I make. I fear that if I said nothing, someone else less honest than I would discover and exploit it. I've updated the original post to reflect this a little more.
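
A parser for the memory dump quoted in the original post, as an added example that is not part of the thread: it recomputes the two UID check bytes and decodes the lock bytes on page 02h to report which pages a ticket leaves writable. The function names are hypothetical; the check-byte formula (including the 0x88 cascade tag) and the lock-bit layout follow the NXP MIFARE Ultralight data sheet the post refers to.

```python
# Constructed input: the 16 pages (00h..0Fh) quoted in the post, four per line.
DUMP = """
04:76:B2:48 B2:6C:28:80 76:48:00:00 00:00:00:00
0A:18:00:5C 1B:01:D5:00 00:00:00:00 00:00:82:A5
62:77:5A:0F 03:00:00:00 59:18:00:01 87:5D:70:65
02:7D:5A:0F 04:00:00:00 59:0B:00:01 9C:62:43:0F
"""

CASCADE_TAG = 0x88  # ISO/IEC 14443-3 cascade tag, part of BCC0 for 7-byte UIDs


def parse_dump(text):
    """Return a list of 16 four-byte pages from colon-separated hex tokens."""
    pages = [bytes.fromhex(tok.replace(":", "")) for tok in text.split()]
    if len(pages) != 16 or any(len(p) != 4 for p in pages):
        raise ValueError("expected 16 pages of 4 bytes each")
    return pages


def uid_checks_ok(pages):
    """Recompute both UID check bytes and compare with the stored ones."""
    p0, p1, p2 = pages[0], pages[1], pages[2]
    bcc0 = CASCADE_TAG ^ p0[0] ^ p0[1] ^ p0[2]   # stored in page 00h, byte 3
    bcc1 = p1[0] ^ p1[1] ^ p1[2] ^ p1[3]         # stored in page 02h, byte 0
    return bcc0 == p0[3] and bcc1 == p2[0]


def locked_pages(pages):
    """Decode LOCK0/LOCK1 (page 02h, bytes 2-3): bit n locks page n, n = 3..15."""
    bits = pages[2][2] | (pages[2][3] << 8)
    return [n for n in range(3, 16) if (bits >> n) & 1]


def audit(pages):
    """Summarise which pages of this ticket are still writable."""
    locked = set(locked_pages(pages))
    return {
        "uid_checks_ok": uid_checks_ok(pages),
        "writable_data_pages": [n for n in range(4, 16) if n not in locked],
        "otp_bits_set": bin(int.from_bytes(pages[3], "big")).count("1"),
        # Bits 0-2 of LOCK0 freeze the lock bits themselves (block locking).
        "block_lock_bits": pages[2][2] & 0x07,
    }


if __name__ == "__main__":
    print(audit(parse_dump(DUMP)))
```

On the posted dump both check bytes verify, no lock or OTP bits are set, and pages 04h to 0Fh are all reported writable, which matches the readout described in the post.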