NFC reader success: HSL matkakortti

Public transportation in Helsinki and cities near it (Espoo, Vantaa etc..) use a card for payments. This card is called HSL matkakortti and it is based on RFID technology. I heard that it would be possible to read those cards with NFC enabled Android phone. I was recommended to try the following useful applications: Matkakortinluku and HSL live data

Matkakortinluku program says it costs 0.99 Euros and it is based on free source code released on GPLv3. When this is GPL program, it is probable that there are also other applications on Play shop. I did a little search and found free alternatives Matkakortin lukija ilmainen by M.Salomaa and HSL-lukija.

I installed Matkakortin lukija ilmainen by M.Salomaa to my phone. It allows easily to read HSL “Matkakortti” -card information with a NFC equipped Android phone: Current balance, season ticket validity. In addition to that the software can read information on recent trips (Last 7 trips. Last value ticket and season ticket trips in detail). The only downside of the program I see are the advertisements that can be sometimes annoying (but that’s the price of the free software).

If you care not living near Helsinki Finland, the software could still be of some interest to you, because Matkakortin lukija ilmainen by M.Salomaa supports also some several other cards used all over the world (check the software page for list of supported card types). If you are a RFID hacker, you might want to check the MIFARE public transit cards reader software source code.

When you can read the card, can you hack it? There has been examples of some hacks on this like like one shown atNot fare: Hacker app resets subway card for free rides (w/ Video) article. There was even a video that claimed to be HSL card hack, but was found bogus joke. HSL has systems on their back-office that allows them to detect is someone tries to do something nasty with their cards. There are some plans for web or smart phone based way to charge HSL card sometimes in the future.

3 Comments

  1. Dragonvale says:

    Thanks very &X6E;ice blog!

    Reply
  2. Tomi Engdahl says:

    Android NFC hack allow users to have free rides in public transportation
    https://securelist.com/blog/virus-watch/67283/android-nfc-hack-allow-users-to-have-free-rides-in-public-transportation/

    “Tarjeta BIP!” is the electronic payment system used in Chile to pay for public transportation via NFC incorporated in the user’s smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have been already executed worldwide. This is a trend. It means that criminal minds should be interested in it. Moreover, they are.

    More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reversed the “Tarjeta BIP!” cards and found a means to re-charge them for free. So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum equal to approximately $17 USD.

    Immediately after appearing on the Internet, many users downloaded it and proved they were able to recharge their travel cards.

    Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.

    Reply
  3. Tomi Engdahl says:

    What’s On Your Bank Card? Hacker Tool Teaches All About NFC And RFID
    https://hackaday.com/2021/10/04/whats-on-your-bank-card-hacker-tool-teaches-all-about-nfc-and-rfid/

    The Flipper Zero hacker tool is a multipurpose hacker tool that aims to make the world of hardware hacking more accessible with a slick design, wide array of capabilities, and a fantastic looking UI. They are struggling with manufacturing delays like everyone else right now, but there’s a silver lining: the team’s updates are genuinely informative and in-depth. The latest update is all about RFID and NFC, and how the Flipper Zero can interact with a variety of contactless protocols.

    Contactless tags are broadly separated into low-frequency (125 kHz) and high-frequency tags (13.56 MHz), and it’s not really possible to identify which is which just by looking at the outside. Flipper Zero can interface with both, but the update at the link above goes into considerable detail about how these tags are used in the real world, and what they look like from both the outside and inside.

    Low-frequency tags are “dumb” and incapable of encryption or two-way communication, but what about high-frequency (often referred to as NFC) like bank cards and applications like Apple Pay? One thing demonstrated is that mobile payment methods offer up considerably less information on demand than a physical bank or credit card. With a physical contactless card it’s possible to read the full card number, expiry date, and in some cases the name as well as recent transactions. Mobile payment systems (like Apple or Google Pay) don’t do that.

    Diving into RFID Protocols with Flipper Zero
    https://blog.flipperzero.one/rfid/

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*