This is the new fare card for Boston's MBTA transit system, a stored-value
system that communicates with fare machines and turnstiles via a high-speed
proximity RF link. The cards are supplied by Giesecke & Devrient, a German
A friend had one begin to go bad after developing a crack along one edge, and then finally die completely. It was pretty obvious that the antenna coil had broken open. A closer look at the card's innards seemed appropriate.
|When the card is lit from just the right angle, a small region becomes evident with two slightly dipped shapes on either side. This is where the embedded chip sits.|
|A strong light behind the area and through the plastic clearly shows the shape of the chip inside, and the coil wires leading up to it.|
|Shaving off one corner shows the plastic layering, and how the coil wires run through the mid-layer.|
The wires are very solidly embedded and fairly soft copper, making them
difficult to separate from the surrounding plastic. Trying to cut away just
the plastic is pretty much futile, as both substances come away as one.
Pulling on the wires just breaks them.
We're also starting to see a little bit of the chip itself here.
|If the opaque layer is carefully shaved off, however, the coil winding layout becomes fairly obvious. The coil is four turns with a slight overlap. The nearer wire feeds under the rest and up toward the chip.|
|Soon thereafter it is possible to pop the chip unit up out of the mid-layer. The chip itself is firmly encapsulated under a harder plastic, though. The wires are spot-welded to the metal wings and continue past there for a short distance and simply end.|
The back of the chip carrier, showing the interconnects.
Is this misuse? Do we think they'd want this one back?
|The encapsulant is shaved down until the first evidence of a bonding wire surfaces. We've gone under the microscope at this point, because the scale of everything has become much smaller. The coil wires start to look like tree trunks by comparison.|
Now what? Without the necessary solvents to cleanly dissolve away the
encapsulant, we're left with relatively brutal techniques to try and get a
look inside this thing. We're not aiming to do any sort of electrical or
software analysis -- we just want to get an eyeball on what's physically in
So, plunging clumsily onward ... the chip carrier is held down at one end with a fingernail, and an x-acto knife is rapidly getting dulled down against hard encapsulant that basically acts upon it like a honing stone.
|More shaving and attempts to cut in around where the actual chip sits quickly leads to more destruction.|
|Finally we've extracted some actual electronics and cleaned off the surface a little, although I think this is only about half the chip die since the stresses cracked some of it off and made it fly away to parts unknown. It's probably in the carpet somewhere. This shows the scale of the remaining piece -- about 1 x 1.5 mm.|
On a closer look at what's left, we can see significant complexity. See
the big picture for a much larger view -- probably about 100x worth, between
the 30x from the 'scope and the magnifying effect of the picture crop.
Tilting the die at a particular lighting angle makes regions show up in different colors due to diffraction effects across different feature sizes. It's pretty obvious that there's quite a lot going on inside these cards.
What happens at the RFID and software levels is far beyond the scope of this,
but an extensive overview and policy/design discussion can be found
if you're able to deal with windows .DOC format or can find a cached copy
of the text. Googling for "transit" and "contactless smart card" and "mifare"
will find numerous other starting points for further study.
It is already clear that the system is not as secure as hoped; evidently some students have performed some deep analysis [which involved doing similar procedures, but much more carefully] and report weaknesses in the encryption and other interaction that the cards do with the readers. Read about it here.