Thank you very much. That is a surprising number of people, and John T was not joking about the spiders. Hey, I'm here to talk to you about hacking train tickets. I have 72 slides to get through, so it's going to be quick. I am a cyber security engineer at Worth. We're hiring. I also help out at these events, as was alluded to; come to MCH 22 as well, in the Netherlands. It's going to be awesome.

So why am I here? Back in 2016 the BBC ran an article about people making copies of train tickets. This was really interesting to me, especially this specific paragraph, which says they couldn't write the mag stripe. Now obviously anyone with a thermal printer and Photoshop can make the front of a train ticket and make it look real, but if you can't make it go through the gate line, is it really a ticket? So I asked TfL, who were the only public body you could FOI about this stuff: what's on the mag stripe? They said they wouldn't tell me. So there had to be another way to find out.

So, for the agenda: we're going to take a brief detour (maybe not brief) through some historical stuff from the National Archives, because that is literally the only way to find out about some of this stuff. We'll talk about the data layout and how you read a ticket, and then very briefly, if we get to the end, about digital ticketing and stuff like that. Some things you don't want to learn more about: these are bad. Yeah, don't do them. And just for clarity, I don't have enough time to be comprehensive.
So I'm sorry if I miss something out or make a mistake. This is purely research. Please don't go and hack train tickets and put them through barriers, because that'd be bad. And the opinions are obviously only mine.

So, some history. For those of you not from the UK, you'll probably want to know a bit more about the weird train system that we have here. Back in the 19th century it was private, then it was public, then it was private again, and now it's maybe public again. This means the specification for tickets kind of changes through different organisations. It belongs to different people and it's changed throughout the years. No one specification has really belonged to one organisation at any one time, and it can often be very difficult to find out exactly what was going on at any particular time.

So back in the 60s we had these. These were called Edmondson tickets. They were invented in the Victorian era. You would go to a station and buy them; they would have a massive rack of them. They were serial numbered, but they were pre-printed: you could buy a ticket from a place to a place. Any sort of bookkeeping was all in manual ledgers. It was all written down and then sent to a head office, who would work out who had sold what. They were very basic. British Rail did update them a bit, so they looked a bit fancier. I'm not sure they really were very much fancier, but there you go.

But then in the 60s and 70s we invented things like computers, and better mechanical machines, so they started to issue these. Now, these are machine-issued tickets. They were, as I say, very mechanical machines, so you would not encode anything on them really; nothing machine readable. It would just be printing stuff. There was, again, no real tabulation other than manual ledgers. And there were a lot of them; every region had a different type of machine. So we had something like this, and some more that look like this. These are actually made by NCR, National Cash Register, who still exist today.

This obviously created a problem. By the 80s these machines that were making these tickets were really unreliable. No one knew how to maintain them; the manufacturers didn't want to maintain them. So British Rail had to find another way to make tickets, otherwise they wouldn't be able to. And you can see here the number of different ticket machines that they had, from different manufacturers, most of them not in support by this point. This document is from the 80s, and most of them were falling to pieces.

So British Rail came up with something called INTIS. INTIS is the Intermediate Ticket Issuing System. Not a huge amount is known about it because it didn't exist for very long, but it does resemble the ticket that you would buy today. So this is an INTIS ticket. The very interesting thing about it is what's called the NLC, the National Location Code, I think. So the numeric values: 8355 represents South Elmsall and 8591 represents Wakefield Westgate. These are not like CRS codes, like RDG or London Terminals (LOM). These are mainly for accountancy purposes and represent basically an office.

So you can see at this point we do have some kind of accountancy going on, some actual tracking within a ledger from a machine. They're actually tape driven, so they would write out onto a tape deck, which would get posted off and would give them back in the head office some idea of which office had sold how many tickets to where, which was a really big thing, because before this it was completely manual. And this is what it looks like in the ticketing manual in the National Archives: a slightly different style of ticket, but a very similar thing.

But this is INTIS, so it's intermediate. It wasn't designed to be a permanent solution. It didn't even have mag stripes, right? It didn't really do all the things they wanted it to. They still had to mail tapes backwards and forwards. It had a very limited amount of things it could do, so they had to come up with something else. Obviously, you know, more specifications: that's definitely what we need.

So they came up with something called APTIS, and PORTIS, which is the portable version. APTIS was basically an evolution of INTIS, so APTIS looks very similar, which we'll see in a moment. It was designed to do basically everything, so you would be able to go to a station and buy a ticket from British Rail, an APTIS ticket, and the ticket machine would be able to record that they sold it to you, that you had bought it, and it would encode all the information they needed on it (not on the mag stripe; on the front of the ticket) so they could do ticket checking and all that kind of stuff. And so now this ticket looks like this, which is the type of ticket you see today. So this is back in the 80s. And yeah, as I said, they do look very similar; here's a comparison side by side. One's a Travelcard, one's sort of a British Rail ticket, and they also did variations, which is sort of a side note.
So this one does have a mag stripe. But yeah, you could buy Railcards and stuff, which would all be printed on APTIS tickets. So it really was the new ticket system for British Rail.

British Rail came up with some future requirements for it. So the main one was, if you look at 7.1.2, that they wanted to be able to issue and read credit cards. That wasn't a thing they'd been able to do before; APTIS was supposed to help them with that. And they also, in 7.1.1, wanted to be able to encode magnetic stripe data on the back of the tickets, for some reasons. It was at the time perceived to be an anti-fraud measure, basically. In the 80s people were starting to get dot matrix printers that you could print tickets with, not dissimilar to the people in 2016 printing tickets that they had made on a thermal printer, and British Rail were worried that people would print their own tickets and not pay for them. There was also sort of a legal thing about it as well. But it wasn't the only reason, because at that time London Underground wanted to issue mag stripe tickets, and so for political reasons, which aren't really specified, British Rail had to basically implement the London Underground specification for these. And that really drives a lot of the data layout, I think, that we see on the tickets today.

One of the very interesting things is that British Rail actually got London Transport to pay for the upgrade to APTIS: bigger processing power, bigger memory for their machines. They had to change the printer to print different characters and stuff. British Rail managed to get London Transport to pay for that, which I think is very ingenious of them. But it does mean that we get a specification for some of the mag stripe. So this is actually a really important document, because this tells us exactly how the mag stripe data... well, not how it is laid out, but what type of mag stripe it is.

So as you may be aware, it is a single track mag stripe. That's not very common. You won't see it outside many transport applications; even the New York Metro uses side-aligned tickets. And that means that it's really, really difficult to read. It's also not any ISO standard. It was invented in the 80s to a weird other specification that no one really knows about, and as a consequence this is really difficult to read.

And from this document we can deduce the data layout. So we have a 16 bit header at the front and a 16 bit header further back; in between we have 152 bits of stuff, and some kind of checksum. I don't know how to compute the checksum. That's something we can look at working out at some point in the future.

This is what the header should look like. So you should have a load of zeros at the beginning, and then one zero one zero, to tell you that it's the forward direction. And then for the reverse direction, so if you feed the ticket in the wrong way it knows it's reading backwards, you should get a load of zeros and then four ones. This is actually really, really useful, because it means that when we're trying to read the tickets, we can actually work out if we're reading something that looks like valid data or whether we're just reading a mistake, which turns out to be most of what I spent my time doing.

So reading and writing these is really hard. Back in 2017 I did try to do this with a standard mag stripe reader/writer you can buy on the internet. It doesn't work; you get garbage. They expect ISO standard credit cards; they expect it to be side-tracked. They can't read these. It's just not what they're designed to do, and as a result you get complete garbage that doesn't mean anything. There was a talk a while ago, I think in 2005 at CCC, which was about the New York Metro and reading the data off that and reverse engineering it. Back then they suggested this method of doing it.
So: having a jack and basically reading the audio through that, and then writing software to decode that. I thought that was a bit too difficult, so I decided to go for an alternative approach.

This is a ticket printer, the ND 402. It's made by Newbury Data. It prints tickets; it also magnetically encodes them. And they are fairly common. Certainly in the early days of privatisation you would have come across one, as APTIS died out and they started replacing APTIS with new systems, and these were one of them: very common machines that were used. They are actually designed to have a whole sort of hopper system on the back, so you can feed huge amounts of tickets through them for things like posting them out to you, if you don't want to collect them at the station and want to get them posted to you. And they have a whole automated thing that you can set up with this. But the most interesting thing is you can buy these on eBay. Yes, they're quite expensive.

So you can see a bit what it looks like. The bit at the top is where the tickets go in; they sit along the top of that. There's a whole bit above this that isn't here, and they will fall down and get pulled through to the front. So the ticket path is usually down and out. But as I mentioned, they do have the facility to have a whole hopper system at the back, so they can actually be fed straight through, which is what I was doing later on.

Yeah, it comes with a lot of electronics. So this is what the electronics actually looks like. There's some ROM chips on there. They are surface mount; reading them is a pain. Don't try that. But what we can try and do, because it has RS232, is try and talk to it by serial. So it turns out this is actually quite difficult, because again, like tickets, it's not publicly documented. It does, after a lot of trying (thank you to the lab for letting me sit there for a long time, and all the various people that helped me), by fiddling with some pins on the board and flicking the power switch enough times, eventually give you some serial.

So that's what the serial connection looks like to it. It is just RS232. The baud rate is 15200, I think; I may be missing a zero. And you can talk to it. It has a serial interface: you can send it data and it will send you data back, like this. I don't know how legible that is, sorry. So it has a whole menu thing; you can even set the time. It doesn't have a backup battery, so if you unplug it, it will forget the time. I don't know why it needs a timestamp; it doesn't really use it as far as I know.

The interesting thing is it has quite a lot of onboard storage, so it has a whole facility for you to be able to write data into memory locations and then read it back. This is a kind of a weird feature, because it's not really how I would expect something like this to work. I'm sure there's some very good reasons it's designed like this, and I'm sure there are some excellent drivers for it. I did try and decompile some software that works with it, but I couldn't find anything useful, because I'm not very good with assembly. So, yeah. This is what the data bank looks like, before I overwrote it with ones, because obviously. You can specify a register and get it to pull data back for you. The other thing you can do is tell it where you want to execute, so you can give it a memory address and it will then ask you some details about that function, but it assumes it's a function. So you can say I want to execute something; does the function return a value? Yes. How many parameters does it have? I don't know, zero. And then hopefully it will execute it. Well, no, it actually just resets.
So this is when it kind of got a bit boring, because without any manual for this, without any idea how to interface with the serial stuff, how to even generate data for it (because it's not just feeding it binary, but it has to print stuff as well, remember), I don't know how to do that, so I gave up. But this is probably how it works. From a bit of Googling, it probably uses PECTAB; it does most definitely use PECTAB, which is a way of defining a layout. It's most commonly used for airline tickets and baggage tags. Apparently it's also used for train tickets. No idea how that works; if someone would like to tell me, I'd love to know. You load that with some ticket parameters, stick it into the printer and then press execute, and it prints out a ticket, is the theory. As I say, I don't really know, because I went for the alternative approach, which was taking it to pieces and putting it on the oscilloscope.

It actually takes 24 volts DC in, as I discovered after blowing one of them up, but we'll get to that. And you can drive the motors separately. It's actually really quite well engineered; if you want to come and have a look at it later, you can. It's got geared motors and everything. So you can just drive the motors through the ticket path and put tickets through it, and then, because it has a mag stripe reader on it, so you can read the tickets as it writes (because obviously you actually want to verify that you've written correct data to the ticket), you can then interface with that and pull data off it.

So this is what it looks like when you run a ticket through it. The yellow line is a clock line; the blue line is a data line. So if we remember the data spec from before, the mag stripe spec, it does mention clock sync bytes. So this is why they exist: so that you have enough time to sync your clock. Well, not sync your clock; so you have enough clock bytes to align with the data that's going to start coming through.
So this actually took quite a while of fiddling around with different settings to try and get it to actually do this. You do actually need to feed it with power and then power the motor separately in order to get this, because it does some weird voltages with the mag stripe reader. The easiest thing is just to feed it power, which turns the mag stripe reader on, and then power the motor separately, put tickets through, and you get data on the scope.

But that's not immensely useful, because I can't read binary from a trace on a scope. But luckily you can do scope captures. There's open-source software for Rigol scopes and you can pull a CSV of the trace that you have on there, amongst other things. This means you get data like this. Now, as you might be aware, you have a rising edge and a falling edge. So in order to know when you have data, you need to detect the rising edge on both the clock and the data lines, and then that's a one. And it's actually the falling edge: it pulls the line low when it's activating it. So you're actually detecting a falling edge on both of them for a one, and a falling edge on just the clock for a zero. And this is quite difficult to do with the data that comes out of the scope capture, because it's not really designed for that, as far as I can make out, and there's no way to alter the resolution and all that kind of stuff. So you end up with data that looks like that, which is not what we expected.

This is also when I blew up one of them. It turns out that AC is not DC, and 230 volts is not 24 volts. Who knew? It blew the track right off the board as well; it was quite impressive. So that was expensive: another hundred quid to eBay, one and a half weeks ago. Yes, I like cutting it fine with my talks. And we have another board. So this one, excitingly, has ROMs that you can pull off. It's an earlier revision; it has a bodge wire on the back. But we can do a very similar thing.
We can plug it into the scope. We can power the motor and we can put a ticket through, except this time you can see there's a Circuit Playground. I think it's cool. I blew up one of my microcontrollers in the 230 volt episode, so I had to borrow one; thank you to the person that got me that. It does the voltage comparison on some hardware, so instead of having to pull something off the scope we can just write some Python and get some data back, which looks like this.

So this is a bit more what we want to see. You can see, in bold, we have some zeros, and then we have a one zero zero one, and then at the end we have four ones and then we have a load of zeros. That's the kind of data we're expecting to see. So when you start putting loads of tickets through, you eventually get a load of binary that looks pretty similar. This is truncated; it's the first however many bytes of a load of Travelcards, and you can see the data looks really, really similar, which is good, because that's what we would expect. There are various bits at the end that don't look similar, but the data looks pretty similar, except for the 17th of February, which you can see is offset a bit. So something's gone a bit wrong. So it's actually really easy to see ones that don't look correct just by eye, and we can remove them.

Now, these are all Travelcards. They all look the same, which is not particularly useful when we're trying to reverse engineer the specification and understand where data sits in the mag stripe. We want to compare different types of tickets. So here are some other tickets. The top ones are Reading Travelcards. Then we have a Reading to Hook, which is somewhere in Berkshire, and Hook to Reading. And the interesting thing is you can see the substring is repeated.
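The falling-edge decoding rule and the header check described above, written out as an added worked example in Python. This is not the speaker's code and it was not run against a printer: the two-channel capture it decodes is synthesised inside the block, and it assumes a simplified frame (leading zeros, the 1010 forward marker, a payload, the 1111 marker, trailing zeros) rather than the full 16-bit headers of the real specification. The `orient` step is the "does this look like valid data or a bad read" check the talk describes, and it also recovers a ticket that was fed through backwards.

```python
"""Decode a single-track mag stripe capture into bits and check its header.

Added example, not the speaker's code. Assumptions not taken from the talk:
the capture is two sampled logic channels (clock and data), both active low,
the reader pulses the clock low once per bit and pulls data low during that
pulse for a 1 bit, and the frame is simplified to leading zeros, the 1010
forward marker, the payload, the 1111 marker and trailing zeros. The capture
below is synthesised here, not recorded from a ticket printer.
"""

FORWARD_MARK = "1010"   # follows the leading zeros on a ticket fed forwards
REVERSE_MARK = "1111"   # four ones before the trailing zeros

# Constructed 16-bit payload; a real ticket carries 152 bits between headers.
PAYLOAD = "1100101001110001"
FRAME = "0000" + FORWARD_MARK + PAYLOAD + REVERSE_MARK + "0000"


def falling_edges(samples):
    """Indices at which a channel goes from high (1) to low (0)."""
    return [i for i in range(1, len(samples))
            if samples[i - 1] == 1 and samples[i] == 0]


def decode_bits(clock, data):
    """One bit per clock falling edge: data low at that edge is a 1, else 0."""
    if len(clock) != len(data):
        raise ValueError("clock and data captures must be the same length")
    return "".join("1" if data[i] == 0 else "0" for i in falling_edges(clock))


def orient(bits):
    """Strip the zero padding, detect a ticket read backwards from the
    markers, and return (payload, direction); direction is 'invalid' when
    neither marker arrangement matches, which flags a bad read."""
    core = bits.strip("0")
    if core.startswith(FORWARD_MARK) and core.endswith(REVERSE_MARK):
        direction = "forward"
    elif core.startswith(REVERSE_MARK[::-1]) and core.endswith(FORWARD_MARK[::-1]):
        core, direction = core[::-1], "reverse"
    else:
        return None, "invalid"
    return core[len(FORWARD_MARK):len(core) - len(REVERSE_MARK)], direction


def read_ticket(clock, data):
    """Full pipeline: sampled channels -> bits -> (payload, direction)."""
    return orient(decode_bits(clock, data))


def synthesise_capture(bits, samples_per_bit=4, idle=8):
    """Constructed capture: clock idles high and goes low for the second half
    of each bit cell; data is low during that half for a 1 bit."""
    half = samples_per_bit // 2
    clock, data = [1] * idle, [1] * idle
    for b in bits:
        clock += [1] * half + [0] * half
        data += [1] * half + ([0] if b == "1" else [1]) * half
    return clock + [1] * idle, data + [1] * idle


if __name__ == "__main__":
    clk, dat = synthesise_capture(FRAME)
    print(read_ticket(clk, dat))                          # payload, 'forward'
    print(read_ticket(clk[::-1], dat[::-1]))              # same ticket fed backwards
    print(read_ticket(*synthesise_capture("0011110000")))  # no markers: bad read
```

Reversing the two sample lists stands in for feeding the ticket through the wrong way; the decoder then sees the 1111 marker first and the mirrored 1010 marker last, and flips the bit string before cutting out the payload. Anything that does not show either marker arrangement is reported as invalid rather than guessed at, which is the filter you want before piling reads into a corpus.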
So the one one one zero zero one... there's a one zero one zero one that is repeated, but in a different place on the Hook to Reading. So we can make a pretty good guess, since it doesn't repeat anywhere else in that string (I checked), that that indicates Reading. And when you move it (because it's also in the Travelcards, remember), when we move it to the return portion, we can see that it's moved. It's moved sort of further down the mag stripe. So we've now identified fairly well the arrival and departure station indication on the mag stripe, just by looking at it. And we can validate that by adding another ticket. So this is Oxford to Reading, and you can see again that the return portion has the substring in that same position that we would expect. So that's really good: we can read data from it, and we can make some kind of interpretation about what it looks like.

The other thing that we can do is identify other things in this. So you can see there that we have the arrival at the Hook station code. So again, it kind of works both ways: we can validate that we are actually making an inference about something that is correct. So the Hook code moves from the beginning of the mag stripe to the end of the mag stripe in the portion from Reading to Hook, and Reading moves from the front of the mag stripe to the end of the mag stripe when you're going from Hook to Reading. That's what we expect.

So what does this actually mean? So yeah, these are the NLCs at the end, in bold.
So Reading is 3149. The beginning of it does not match the NLC. I don't know how these are encoded, but there seems to be some kind of pattern. The way that you would find this out is basically by putting more mag stripe tickets through the machine and recording loads more data.

But if we take a zoomed out view we can also identify other patterns in the data. So the top block of these are the Travelcards you saw before; the bottom block aren't. And you can see that just above the block shaded green there's a load of data in the Travelcards, and this appears to indicate that that's where you specify a Travelcard for TfL. And obviously that's not present on tickets that don't have a Travelcard, because they're not a Travelcard, so they don't have any data there. Good; that's what we expect to see. And then you can see in the red section, that's the one and then two, but there is some data there, and those are tickets which are via London. So a ticket where you're going from Reading to Leeds or something via London, and you need to use the Tube to go through from one terminal station to another. So again, we're seeing data where we expect to see it. It looks correct, and we can begin to sort of deduce, by putting more and more tickets through, exactly what this could be and what the bits could actually mean.

I have about a minute left, I think. But just to sort of sum up: this is not encrypted. We can see that because we get reliable data when you put multiple tickets through; they all look the same. We can see patterns by eye, which is really good. It's not hugely obscure either. You can buy one of these on eBay and do the same thing. But you can't really do it with any other equipment. I think if you want to do it manually you could do it sort of the old-school method, by running some reader over it, but I can't guarantee that will work, because it is a really weird mag stripe. There is also a checksum.
We don't know how to calculate the checksum, so it's going to be pretty difficult to write a ticket that's going to be accepted by a barrier. And you shouldn't put it through a barrier to check, because that would not be legal, I understand. So pattern matching is doable, and if you have a corpus of ticket data you would be able to do that. I think one of the things that probably shouldn't be the case is that you can buy these on eBay. I'm not sure that's the intended electronic waste disposal method for them, but it seems to be where they're going right now. I think it might become a bit of a problem, because as soon as you manage to crack these, work out exactly what's on the tickets, and you can buy one of these machines, you can probably just write your own.

Where is it going next? As I say, collecting a lot of ticket data. If you collect enough data you'll be able to do some alignment and work out exactly what stuff does. One of the ideas is using BLAST, or BLAST or FASTA; these are the bioinformatics tools usually used for aligning protein strands. They can possibly be hacked to align ticket data strands, with enough energy and time. That could be quite an interesting thing, because you get substrings that match and then you want to see the differences between tickets, so you're basically determining the best alignment, which is what BLAST is for. And the other interesting thing would be to dump the ROMs, and also try writing with this machine, which I don't know how hard that is, because I didn't try it.

I don't have much time to talk about digital ticketing, other than to say they're much better. And just to finish off: this is very much security by obscurity.
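The substring comparison used above to spot a station's block moving between the outward and return positions, together with the alignment idea raised as future work, as an added example in Python. This is not the speaker's code. The three ticket bit strings are constructed to mimic that observation: the field layout and the station codes in them are invented, not real NLCs or real mag stripe reads, and the pairwise common-substring search is a small stand-in for the BLAST-style alignment mentioned, not a use of BLAST itself.

```python
"""Find bit blocks common to two ticket reads and report where each sits.

Added example, not the speaker's code. The tickets are constructed: the field
layout (4-bit header, 12-bit origin, 12-bit destination, 8-bit ticket type,
4-bit trailer) and the station codes are invented to mimic the observation in
the talk, and are not real NLCs or real mag stripe reads.
"""

HEADER, TRAILER, TICKET_TYPE = "1010", "1111", "01010110"
STATIONS = {                      # invented 12-bit codes, not NLCs
    "Reading": "110010011101",
    "Hook": "101101000111",
    "Oxford": "111000101011",
}


def ticket(origin, destination):
    """Constructed bit string for a ticket from origin to destination."""
    return HEADER + STATIONS[origin] + STATIONS[destination] + TICKET_TYPE + TRAILER


def common_blocks(a, b, min_len=12):
    """Maximal common substrings of a and b at least min_len bits long, as
    (block, offset_in_a, offset_in_b), via the usual suffix-length DP table
    (a tiny stand-in for the BLAST-style alignment mentioned in the talk)."""
    n, m = len(a), len(b)
    prev = [0] * (m + 1)
    blocks = []
    for i in range(1, n + 1):
        cur = [0] * (m + 1)
        for j in range(1, m + 1):
            if a[i - 1] != b[j - 1]:
                continue
            cur[j] = prev[j - 1] + 1
            # Record the run only where it can no longer be extended.
            ends_here = i == n or j == m or a[i] != b[j]
            if ends_here and cur[j] >= min_len:
                blocks.append((a[i - cur[j]:i], i - cur[j], j - cur[j]))
        prev = cur
    return blocks


def moved_blocks(a, b, min_len=12):
    """Common blocks that sit at different offsets in a and b: candidate
    fields whose contents swapped, such as origin and destination."""
    return [blk for blk in common_blocks(a, b, min_len) if blk[1] != blk[2]]


def locate(block, bits):
    """Every offset at which block occurs in bits (checks a block is unique)."""
    return [i for i in range(len(bits) - len(block) + 1)
            if bits[i:i + len(block)] == block]


if __name__ == "__main__":
    rdg_hook = ticket("Reading", "Hook")
    hook_rdg = ticket("Hook", "Reading")
    oxf_rdg = ticket("Oxford", "Reading")
    for block, in_a, in_b in moved_blocks(rdg_hook, hook_rdg):
        print(f"{block} at offset {in_a} in Reading->Hook, {in_b} in Hook->Reading")
    # The Reading block sits at the same return-position offset on the Oxford ticket.
    print(locate(STATIONS["Reading"], hook_rdg), locate(STATIONS["Reading"], oxf_rdg))
```

Running it reports the Reading code at offset 4 on the Reading to Hook ticket and offset 16 on Hook to Reading, and the Hook code moving the other way, while the shared ticket-type and trailer bits show up as a common block that stays at the same offset and so is not reported by `moved_blocks`. The third ticket is the validation step from the talk: `locate` confirms the Reading block appears exactly once, at the return-position offset, on both tickets that have Reading as the destination. On real reads, `min_len` is the knob that separates a station block from chance agreement between two 184-bit strings.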
I'm already, with a few tickets and a week, pulling quite a lot of interesting data off. If anyone wants to send me more tickets to put through, that would be really helpful, because with enough tickets you will be able to reverse engineer this. Some of the assumptions that were made about how the mag stripe would be used, I don't think are true anymore, especially when you can buy this on eBay. And it is only going to be a matter of time before someone who has worked out how to calculate that checksum is writing their own. So really we need digital tickets now, not in several years, because I don't think it's going to be too long before the fraudsters have upped their game and can write the mag stripe as well as forge the tickets. I hope that was useful, and that is it. Do you have any questions?