Local techies make homegrown Android app that reads data from ORCA and other transit cards. Can you say "security breach?"
Eric Butler, 25, is a self-taught programmer and app developer who went to Seattle's Nathan Hale High. In February, 2011 Butler launched FareBot, the app that lets some Android cell phones read ORCA and other transit card data.
Butler drew upon the earlier work of Karl Koscher, 30, a University of Washington grad student in computer security. Koscher found a way to reverse engineer ORCA cards and get details about the card holder’s transit travels.
According to Koscher, groups at the UW were concerned about ORCA because the plan was to integrate the cards with the university's student ID and "U-Pass" system. Koscher obtained some beta ORCA cards and used a third-party software developer kit to gain access to the raw data.
"I was able to read the data out of the beta cards,” says Koscher. “However, we didn't know what kind of data would actually be stored on the cards, or whether the actual ORCA cards would be any better protected."
Once the ORCA system launched, Koscher and a UW colleague decided to find out how the card collected and stored information as a user traveled through the system. They rode the bus "several times with different cards, logging the time, date, route, fare, etc.,” he says. “We could then easily correlate data stored on the cards with our notes, which told us how to decode most of the trip and fare data."
Koscher continues: "We hacked together a demo to show exactly what we could do with this data. For a few weeks, we kept a history of where each bus was located at any given time. We could then use the bus number and timestamp from the trip history to display a map of where people took the bus. I think the people we showed this to found it quite disturbing that we could fairly precisely determine where they lived."
Cracking the ORCA required specialized knowledge and tools at the time. Technological changes have since made it easier. "We had cautioned the transit agencies that one day cell phones might be equipped with compatible readers, which would reduce the complexity to simply installing an app," says Koscher.
That's pretty much what happened. Once Koscher met Butler the idea went from hack to app. Koscher shared his intel on how ORCA worked; Butler used what he knew about developing usable apps. FareBot launched in February, 2011. To date, more than 10,000 people have downloaded the app. It also works for the Clipper card in San Francisco, transit cards in Japan and elsewhere.
Despite assurances of strong security by the creators of the ORCA system — transit agencies and suppliers — hacking the card and launching the app has seemed to occur without anyone breaking much of a technical sweat. "The process of actually reverse-engineering the cards only took a few days," says Koscher. “Correlating the trip data only took a handful of bus rides." Butler built the app in about a month, as a side project.
There is one hack that both Butler and Koscher say hasn't, as far as they know, succeeded yet; that is, "spoofing" an ORCA card so that you can ride for free. For the original ORCA system developers, it seems guarding against scofflaws was more important than protecting privacy.
It's not that Butler and Koscher haven't thought about ways to spoof ORCA. "We can't load new passes on to your card or update its balance,” says Koscher. “I can think of at least a handful of ways you might be able to defeat this protection though."
But he adds: "I don't see it being particularly cost-effective." Not yet, anyway.