Some fellow students and I are doing some "Independent Security Research" on campus and trying to crack the campus paid parking system to better understand how it might work. The system works like this:
- You pull a ticket with a mag stripe upon entering
- When leaving, you take your ticket to a pay station; it reads the ticket and charges you the appropriate amount.
- After paying, it writes some more data on the mag stripe and then gives you the ticket back
- You then give the ticket to the exit machine, it checks that the ticket is paid, and then lets you exit.
So we have used a mag-stripe reader to look at the data on the card. Here is the data on the second track of an unpaid ticket (first and third tracks are empty):
0140308303000 160227 1720 000000 0000 037
The first 8 digits are a count of how many tickets have been pulled from that entrance machine. (we have seen that the large number simply increments between ticket pulls). The next 2 digits (in this case 03) seem to be some sort of garage code. There are a few different garages on campus and each of them consistently puts the same number in this spot. Then the next chunk of data is a time-stamp. 1602271720 translates to 2016 - February 27, 17:20. This is when the ticket was pulled. Then there are some more zeros, and then a "seemingly" meaningless number at the end.
Now here it is paid:
0140308303003 160227 1720 160227 1740 264
Most of the numbers have remained the same, but a new time-stamp has appeared directly following the first one. This time-stamp (1602271740) is the time at which the ticket was paid for. Also, the digit before the first time-stamp was changed from 0 to 3. This change has been consistent across all tickets when going from unpaid to paid. Finally, the last 3 digits have been changed.
The problem now is the last 3 digits. We have tried just writing in a valid time-stamp and adding the arbitrary "3", but the machine is not fooled. It reported that the ticket was "damaged" (and I do know it's not because of a shoddy mag-stripe write). I am confident that the machines are not connected on some network, so they don't check some database for consistency.
Theory: The last three digits are some kind of hash calculated from the rest of the data on the stripe so that the exiting machine can check that hash to ensure no foul play.
Problem: I don't really know much about hashes or how to potentially crack them...
Questions: Do you all think my theory is correct? Is it something you can immediately identify? If not, what is a good resource where I can learn more about cracking this problem?
Here is some more data. Ticket data coming in pairs of unpaid and paid:
0140308303000 160227 1720 0000000000 037 -- 0140308303003 160227 1720 160227 1740 264
0140309903000 160227 1749 0000000000 047 -- 0140309903003 160227 1749 160227 1829 284
0140310003000 160227 1749 0000000000 038 -- 0140310003003 160227 1749 160227 1829 275
0224593708000 160226 1332 0000000000 029 -- 0224593708003 160226 1332 160226 1449 261
0224608708000 160227 1633 0000000000 040 -- 0224608708003 160227 1633 160227 1659 275
0145023608000 160227 1633 0000000000 031 -- 0145023608003 160227 1633 160227 1658 265
I hope someone might find this either easy to answer or a fun problem to crack! Thanks in advance for any help!