Clipper cards and transit privacy in the Bay Area

This could also have been called “much ado over Clipper card” history.

A recent cause of civil outrage in the ever-sensitive Bay Area is the discovery that Clipper cards used for MUNI and BART public transit systems store a history of recent locations where the card was used. For a more dramatic demonstration, Bay Citizen points out that the location can also be read using the FareBot application on Android phones. (Sorry, iPhone carrying would-be privacy infringers: no iOS version because Apple has not included NFC in any of their mobile devices yet.)

By conflating several different risks, the article is painting an alarmist picture that is not warranted by the very facts cited. First is the concern that procedures access to transit history can be misused by law enforcement for tracking. This has nothing to do with NFC, the design of the transit card or the way data is stored on the card. For the record, Clipper cards use Mifare DESfire. Data on the cards is divided into sectors, and each sector can be access-controlled to limit read/write operations to parties that possess cryptographic keys. But it is also possible to mark sectors as world-readable, or more precisely readable with default Mifare keys and this appears to be the case for location log. None of this would matter for access by law enforcement, since they would not be trying to scrape history from the card: instead a subpoena would be sent to BART (or Cubic, the company that operates the system, depending on how the process works) to produce this information from logs stored in the backend. Not even microwaving the card itself can stop this. While knowing the Mifare UID of the card can be helpful as an index into the database, it’s conceivable that law enforcement can also uniquely identify a user by providing data points of known locations, without access to the card. For example if it is known the suspect entered 24th St & Mission BART station between 10:00-10:30 and existed Embarcadero between 10:15-11:00. With enough these data points about the person known via other channels, there is likely a single Clipper card satisfying all the constraints.

Given the better known controversy over access to location history from cell phones, there is cause for concern about whether law enforcement would be too eager to request such information. But Bay Citizen itself quotes a spokesperson for the transit agency, putting the number of subpoenas at a whopping three so far. It’s difficult to argue that this constitutes a pattern of abuse.

A second independent risk is other people could attempt to learn the user’s location history by surreptitiously reading the card. As the Farebot developer notes, this would require physical proximity to the card-carrying person as the range of NFC is on the order of several inches without using bulky high-powered equipment. The attacker has to be able to activate the card including powering it via induction field. This is much harder than passively listening to existing communication between a card and NFC reader which is already powering the card. While such passive interception has been demonstrated from much greater distances than intended read range that capability does not help in this case because under normal usage the card-holder would not be performing an operation that reads out history– unless they happen to be running Farebot at the precise instant they are targetted. Even then the logs would be limited by the most recent entries that can be stored on the limited space reserved on the card eg a truncated version of full history where older entries are lost over time.

The other limitation of attacks requiring physical proximity is they do not scale easily and they expose the attacker to greater risk.  If our hypothetical villains were walking around trying to tap people’s pocket with Android phones to read out their location history, they would be expending the same effort to target a second user. (There may be some alternatives to scale the attack at constant cost: for example if an NFC reader is placed at an existing location where users would be inclined to tap their Wallet.) For this reason it is a greater risk for targetted attacks where a small number of useres are singled out for surveillance, as opposed to large-scale tracking. It would be far more efficient to breach the backend databases where all of the information is stored, if the goal is keeping tabs on all users in the system.

In summary, there is little reason to reach for the tinfoil for wrapping transit cards yet.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s