Spoofing magnetic swipe cards
November 12, 2010 20 Comments
About a year ago I threw a magnetic swipe card reader into a larger Digikey order. I didn’t have any specific plans for it at the time; mostly I was just curious to learn about swipe cards and what kind of hidden information I was carrying around in my wallet.
The reader is one of the Omron V3A series, which if you read some of the many websites discussing swipecard readers is a pretty popular choice due to it being easy to interface. Mine is a 4K model ($30 from Digikey) and reads track 2 data. Ideally you want all three tracks, but it gets expensive and for the majority of cards track 2 is where the interesting data is. For an in-depth discussion about swipe card encoding standards the best reference source is the “Magtek IO” pdf , which is very google-able.
Eventually I did get around to hooking it up to a microcontroller and satisfying my curiosity about my various cards. For the most part there was nothing all that interesting on any of them, until I ran my university ID card through. The only data encoded on it was my university ID number!
Why is that significant? Well, that ID card is used to access a variety of offices and laboratories across the campus. Staff and student ID numbers are publicly available. If you had the ability to either fake a card or encode a blank, this implies that you could open any door provided you knew the name of one person authorized to open it. You’d never need to lay hands on their card – just look up their university ID number, operate your device and walk on in. I was dying to know if the situation could really be that bad.
Card writers are readily available – Sparkfun has one for $140 and blank cards for a dollar. However since I’m not actually planning to illegally access anything or steal equipment (most of the good stuff is in my lab, anyway!) I’m not really keen to sink a lot of money into it. $140 is cheap for the technology, but too pricey just to satisfy my curiosity. We are left with option B: a swipe card spoofer. That is, a device which will fool a card reader into thinking you swiped an arbitrary card.
The basic design behind such a device is not my own work and I’m not the first to do this; you can find a few projects around to implement a device like this. That said, I’m just a dude choosing his projects for no higher purpose than his own amusement, so let’s set aside issues of redundancy and enjoy this, a fourth example of a mag-stripe spoofer.
Very basically, a card stripe contains a certain sequence of magnetic fields which the reader detects as you swipe the card through it. The basis of all the card-spoofing circuits is to make some kind of electromagnet, put it next to the read-head and manipulate the magnetic field in just the right way to mimic a card. My design is heavily based on Jarek’s design which you can find here (highly recommended reading). The idea is to create your own electromagnet by winding a coil, but since your coil will probably not fit inside the card slot you employ a ‘shim’. In this case that means a thin ferromagnetic core for your electromagnet which nicely couples the field to the detector in the card reader.
Before we go too far into the details, let me show you my finished shim so you have some idea of what I’m talking about:
I used an old knife blade for this purpose. You first need to check that the thickness is good for the card slot and that the blade is ferromagnetic (e.g. will a fridge magnet stick to it?). I used a dremel to file out the dimensions I wanted and get all the edges smooth, which generated all kinds of sparks and made me feel extremely manly. Smooth edges are important for the next step; you can see in the picture where I’ve used some black electrical tape to cover some leftover sharp corners.
I then set about wrapping a coil of enamel coated wire around the shim, the thinnest I could get locally (0.25mm diameter, from Jaycar). Enamel coating is important because you don’t want the coil to short itself out. Sharp edges are bad news because they will cut through the enamel coating and give a short.
The strength of a magnetic field generated by a coil goes linearly with the number of turns, so for best results you want a lot. I honestly don’t remember how many I did, but it was a lot – maybe 100 or so turns? It was not optimized in any way, I just wanted to be sure it would work first time. If you wanted to keep the size down I’m sure you could do some testing of the minimum field strength required. After I finished I wrapped the coil in some more tape to protect it, and soldered on a standard 0.1″ 2 pin connector.
Now that the difficult part is done, you need something to intelligently power this coil so it creates the right field sequence. I put together an AVR board based on the Tiny2313, which as we will soon discover was not a clever choice.
The features I wanted were:
- Should be as small as practical so I feel more like an awesome spy. Lots of surface mount components, and a professionally made PCB (from batchPCB.com)
- Needs a powerful, compact battery to run the coil. Also needs to be something I have hanging around. I went for a 9V, and designed the PCB to have the same outline as a 9V battery so it could sit on top of it.
- Should be able to store card sequences in memory and let me select which sequence to generate
- Should be able to interface to a card reader so I can record a new card just by swiping it instead of needing a computer
- However if I do have a computer handy, I should be able to use it as an RS232 adapter for the card reader and display decoded info on a terminal.
Here’s what I came up with:
Completed, assembled board
(Note the ‘aftermarket’ resistor at the top – I forgot a pulldown resistor for the transistor base. The schematic has been corrected with resistor R4. Also the pullup R2 was actually 4k7, I’m just lazy with putting in component values on schematics)
There is a main on/off power switch and a 5V linear regulator for the Tiny2313, which is running on an internal 1MHz oscillator. The Tiny outputs the selected card sequence once a second on one of its IO pins, but a momentary push switch isolates that from the transistor driver. So nothing actually happens at the coil unless I’m holding down the ‘SEND’ switch. The transistor driver is required since we want to use the highest current possible to get the biggest magnetic field possible. AVRs have pretty high source/drain ratings on IO pins, but we want even more.
Note that you don’t actually need to swap the polarity of the coil current; it suffices to just switch it on and off. That makes the drive electronics a lot easier. I put a reverse biased LED in parallel with the coil to be my snubber diode for the inductive ‘kickback’. I would not in general recommend this, but it was the only kind of diode I had on hand so I went with it. As a nice side effect you get some visual feedback when the coil operates. It turns out you also get some audible feedback – the magstripe reader makes some sick-sounding bleepy noises when you fire the coil with the shim in place. Not entirely sure why, but it heightens the sense of being a wicked cool hacker from a 90′s film.
The rest is pretty ordinary; a menu switch and some leds to cycle through memory slots, headers for a serial link connection and for a magstripe reader connection. The final assembly looks something like this: (Battery ‘unfolded’ from the PCB; logic analyser on the Omron reader)
Tomfoolery in progress
The good news is that it works! As captured by a logic analyser, here is the output from swiping my real ID card, and under that is the output from faking my ID card. The extra channel on the spoofed data shows you what the I/O pin driving the coil was doing to generate this.
Logic capture of an entire card swipe / fake card swipe
To clarify the operation of the ‘card detect’ signal from the reader: I initially thought this was based on some kind of mechanical switch that detected a card in the slot. But it’s not – it’s just based on getting a certain number of coil toggles. So you don’t need to swipe the shim, you can just place it in the swipe slot so it’s sitting on the read-head and go for gold.
Zoomed out this far it doesn’t look like a very good match, but if we look a little closer we can see that the spoofer did indeed make the card reader produce the same output sequence:
Zoomed in logic captures
(This also hopefully clarifies the coil sequence; within one clock period a single toggle causes data high and two toggles causes data low)
So awesome, I succeeded at the dubious art of magstripe spoofing! However as mentioned earlier the Tiny2313 was a bad choice on my part – there was not quite enough program memory to implement all the neat features I listed above. I should have gone with something like a TQFP mega88. Lesson learned, always leave yourself plenty of headroom while you’re still at the prototype stage. Slashed down source code for the Tiny2313 is available
here here (link fixed!). It’s very much thrown together; I’m putting it up so you can pick out any interesting parts if you’re having trouble making your own.
So after this technical diversion, let’s resume the story. Now that I can fake a card, was I able to open a door knowing only an ID number?
Sadly (but at the same time happily) no, it didn’t work. There are a few possibilities here, but my suspicion is that whoever designed this security system did a decent job of it and used more than one data track. So in reality there is probably more than just the ID number on the card, but with only a track 2 reader that’s all I saw. The design of the spoofer I’ve discussed can only fake one data track, which could still be interesting in some applications but is not enough here. (In principle you could fake three tracks at once but you would need a very complicated shim).
So my suspicious looking entry device was rejected and my office door remains secure against this manner of skulduggery.