The Geeks Who Cracked the ORCA Card

Local techies make homegrown Android app that reads data from ORCA and other transit cards. Can you say "security breach?"

Eric Butler, 25, is a self-taught programmer and app developer who went to Seattle's Nathan Hale High. In February 2011, Butler launched FareBot, the app that lets some Android cell phones read ORCA and other transit card data.
 
Butler drew upon the earlier work of Karl Koscher, 30, a University of Washington grad student in computer security. Koscher found a way to reverse engineer ORCA cards and get details about the card holder’s transit travels.
 
According to Koscher, groups at the UW were concerned about ORCA because the plan was to integrate the cards with the university's student ID and "U-Pass" system. Koscher obtained some beta ORCA cards and used a third-party software developer kit to gain access to the raw data.

"I was able to read the data out of the beta cards," says Koscher. "However, we didn't know what kind of data would actually be stored on the cards, or whether the actual ORCA cards would be any better protected."
 
Once the ORCA system launched, Koscher and a UW colleague decided to find out how the card collected and stored information as a user traveled through the system. They rode the bus "several times with different cards, logging the time, date, route, fare, etc.," he says. "We could then easily correlate data stored on the cards with our notes, which told us how to decode most of the trip and fare data."

Koscher continues: "We hacked together a demo to show exactly what we could do with this data. For a few weeks, we kept a history of where each bus was located at any given time. We could then use the bus number and timestamp from the trip history to display a map of where people took the bus. I think the people we showed this to found it quite disturbing that we could fairly precisely determine where they lived."
 
Cracking the ORCA required specialized knowledge and tools at the time. Technological changes have since made it easier. "We had cautioned the transit agencies that one day cell phones might be equipped with compatible readers, which would reduce the complexity to simply installing an app," says Koscher.

That's pretty much what happened. Once Koscher met Butler, the idea went from hack to app. Koscher shared his intel on how ORCA worked; Butler used what he knew about developing usable apps. FareBot launched in February 2011. To date, more than 10,000 people have downloaded the app. It also works for the Clipper card in San Francisco, transit cards in Japan and elsewhere.
 
Despite assurances of strong security by the creators of the ORCA system (transit agencies and suppliers), hacking the card and launching the app seem to have happened without anyone breaking much of a technical sweat. "The process of actually reverse-engineering the cards only took a few days," says Koscher. "Correlating the trip data only took a handful of bus rides." Butler built the app in about a month, as a side project.
 
There is one hack that both Butler and Koscher say hasn't, as far as they know, succeeded yet; that is, "spoofing" an ORCA card so that you can ride for free. For the original ORCA system developers, it seems guarding against scofflaws was more important than protecting privacy.

It's not that Butler and Koscher haven't thought about ways to spoof ORCA. "We can't load new passes on to your card or update its balance," says Koscher. "I can think of at least a handful of ways you might be able to defeat this protection though."

But he adds: "I don't see it being particularly cost-effective." Not yet, anyway.

 

Matt Fikse-Verkerk (Twitter: @mattfikse) covered urban affairs, politics, tech, and business at Crosscut from 2009 to 2014. He lives in Seattle and works for a biotechnology firm in Redmond, WA.


Comments:

Posted Wed, Feb 13, 8:05 a.m.

Or you could just go to Seattle.Craigslist and buy a multi year ORCA for cheap and ride anything to anywhere for peanuts.

007

Posted Wed, Feb 13, 11:14 a.m.

Knowing what bus stops a person boards and deboards a bus doesn't really give a "fairly precise" indication of where they live. It tells you a 1/4 mile radius, most likely... although I suppose you could just wait at their regular bus stop to meet up with them for ill will.

Mickymse

Posted Wed, Feb 13, 6:52 p.m.

There is no such thing as a "multi year" ORCA card. Any ad you see on Craigslist offering one is a scam. All businesses that provide employees a full pass, known as the ORCA Passport program, are on a one year contract. While those contracts are renewed most times, extending the life of the card, at most there is only going to be one year of use left on a card at any given time.

Additionally, selling those cards is a violation of the user agreement the business has with the passholder. If the sale is found out, the business can deactivate the card any time it wants.

gking727

Posted Thu, Feb 14, 3:39 p.m.

Really? I could give two rips if someone can see what buses I have been on recently. Seems like some people have delusions of self-importance.

They are protecting all of the data that needs to be protected. Unless someone can start using the money in ORCA purse or stealing my debit card transaction information, who cares?

Not sure I think this is great journalism. "Hackers find a way to hack something and steal innocuous information." Can someone explain to me what I am missing?

The one positive thing that will come from this is both "geeks" will land six figure jobs at tech companies (maybe even with ORCA) doing RFID security and app development.

Posted Mon, Feb 18, 5:26 p.m.

I'm a technical management consultant and deal with security quite often. My own assessment of this is that there is no great threat here. I installed the app and pulled out my Orca Card and the app worked very well. It showed the current balance on the card and several trips I've taken on Washington State Ferries and Metro Transit Buses. The only specificity was the bus number, not the route number. If one could find a database of which routes specific buses were using on specific dates, one could find the route number. In sum, this adds little to no security risk relative to the myriad of other risks we deal with on a daily basis. I find this to be a helpful utility which circumvents the need to log on to a web site to determine my Orca balance. This article is overblown.... yellow journalism using the parlance of a different era.

Dougga
