DB Call a Bike

From OpenPCD

New RFID enhanced Call a Bike bike rental system in Berlin

New StadtRAD 'Fix' Station
Call a Bike lock detail - verify if this is (a) a new design and (b) if the small black wire is an antenna (2.4GHz?)
Call a Bike station RFID reader

Since 2011, Deutsche Bahn has been deploying an updated Call a Bike system called StadtRAD in Berlin and Hamburg. Interestingly, the new system seems to use passive RFID technology to rent bikes. On this page we will collect technical information in order to evaluate the system's security. According to the magazine RFID im Blick, Mifare 1K cards will be used.

We recently received one of these cards; it ships empty, with the default authentication key. The security is broken because only the card UID is used for authentication; the card content and keys are not used. Not requiring two-factor authentication (card + PIN) is a mistake, since a second factor would ensure that copied or emulated cards can't be used by attackers. The security can easily be circumvented by using gray market Mifare Classic card clones with changeable UIDs.
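The difference between UID-only authorization and the card + PIN check suggested above, as an added example that is not code from this page or from the Call a Bike system. `RentalBackend`, its method names, the lockout threshold and the sample UID and PIN are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold; a short PIN is only useful with one


class RentalBackend:
    """Hypothetical rental backend (an assumption, not the real system)."""

    def __init__(self):
        self._accounts = {}  # card UID (bytes) -> salt, PIN hash, failure count

    @staticmethod
    def _hash_pin(pin, salt):
        # Salted, slow hash so a leaked account table does not expose PINs directly.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, uid, pin):
        salt = os.urandom(16)
        self._accounts[uid] = {"salt": salt, "pin_hash": self._hash_pin(pin, salt), "failures": 0}

    def unlock_uid_only(self, uid):
        # Behaviour the page describes: the UID is the only credential, so any
        # device presenting the same bytes is accepted.
        return uid in self._accounts

    def unlock_uid_and_pin(self, uid, pin):
        # Card + PIN: a copied UID alone is rejected, and repeated wrong PINs
        # lock the account until it is reset out of band.
        account = self._accounts.get(uid)
        if account is None or account["failures"] >= MAX_FAILURES:
            return False
        candidate = self._hash_pin(pin, account["salt"])
        if hmac.compare_digest(candidate, account["pin_hash"]):
            account["failures"] = 0
            return True
        account["failures"] += 1
        return False


if __name__ == "__main__":
    backend = RentalBackend()
    uid = bytes.fromhex("04a1b2c3")  # constructed sample UID, not from a real card
    backend.enroll(uid, "4821")      # constructed sample PIN
    print("UID only, same UID from another device:", backend.unlock_uid_only(bytes(uid)))
    print("UID + wrong PIN:", backend.unlock_uid_and_pin(uid, "0000"))
    print("UID + correct PIN:", backend.unlock_uid_and_pin(uid, "4821"))
```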

Further Reading

Open Questions & Wild Speculations

  • The terminal communicates with the bike via RF. What frequency is used (868 MHz or 2.4 GHz)?
  • A customer card with RFID capabilities can be used to unlock the bike. What (probably ISO 14443A Mifare 1K S50)
  • Two systems seem to coexist: Flex and Fix
    • The Flex system seems to be a removable station installation where the position of your bike is defined by white stripes on the ground. The terminal optionally comes with a concrete pedestal and can be moved.
    • Fix seems to be a fixed installation with concrete blocks or metal pillars where bike positions are mechanically defined.
