November 2010
For a while I've had a magnetic swipe card reader lying around from Digikey, with no specific plans for it beyond idle curiosity about what kind of hidden information I carry around in my wallet. The reader is one of the Omron V3A series, which is quite easy to interface to and thus features fairly regularly in internet magswipe resources. Mine only reads track 2 data; ideally you would get all three tracks but it gets expensive and for the majority of cards track 2 is where the interesting data is. For an in-depth discussion about swipe card encoding standards the best reference source is the "Magtek IO" pdf, which is very google-able.
Eventually I did get around to hooking it up to a microcontroller and satisfying my curiosity about my various cards. For the most part there was nothing all that interesting on any of them, until I ran my university ID card through. The only data encoded on it was my university ID number!
Why is that significant? The ID card is used to as access control for a variety of offices and laboratories across the campus. Staff and student ID numbers are publicly available. If you had the ability to either fake a card or encode a blank, this implies that you could open any door provided you knew the name of one person authorized to open it. You'd never need to lay hands on their card - just look up their university ID number, operate your device and walk on in. I was dying to know if the situation could really be that bad.
Card writers are readily available - Sparkfun has one for $140 and blank cards for a dollar - cheap for the technology, but too pricey just for satisfying my curiosity. We are left with option B: a swipe card spoofer. That is, a device which will fool a card reader into thinking you swiped an arbitrary card.
The basic design behind such a device is not my own work and I'm not the first to do this; you can find a few projects around to implement a device like this. Let's set aside issues of redundancy and enjoy this, a fourth example of a mag-stripe spoofer.
A card stripe contains a pattern of magnetic fields reversals which the reader detects as you swipe the card through it. The basis of all the card-spoofing circuits is to make some kind of electromagnet, put it next to the read-head and manipulate the magnetic field in just the right way to mimic a card. My design is heavily based on Jarek's design which you can find here. The idea is to create your own electromagnet by winding a coil, but since your coil will probably not fit inside the card slot you employ a 'shim'. In this case that means a thin ferromagnetic core for your electromagnet which brings the magnetic field to the detector in the card reader.
Before we go too far into the details, let me show you my finished shim so you have some idea of what I'm talking about:
I used an old knife blade for this purpose. You first need to check that the thickness is suitable for the card slot and that the blade is ferromagnetic (e.g. will a fridge magnet stick to it?). I used a dremel to file out the dimensions I wanted and get all the edges smooth. Smooth edges are important for the next step; you can see in the picture where I've used some black electrical tape to cover some leftover sharp corners.
I then set about wrapping a coil of enamel coated wire around the shim, the thinnest I could get locally (0.25mm diameter). Enamel coating is important because you don't want the coil to short itself out. Sharp edges on the shim are bad news because they will cut through the enamel coating and produce a short. The strength of a magnetic field generated by a coil goes linearly with the number of turns, and for best results you want a lot. I honestly don't remember how many I did. It was not optimized in any way, I just wanted to be sure it would work first time. If you wanted to keep the size down I'm sure you could do some testing of the minimum field strength required. After I finished I wrapped the coil in some more tape to protect it, and soldered on a standard 0.1" 2 pin connector.
Now that the difficult part is done, you need something to intelligently power this coil so it creates the right field sequence. I put together an AVR board based on the Tiny2313.
The features I wanted were:
There is a main on/off power switch and a 5V linear regulator for the Tiny2313, which is running on an internal 1MHz oscillator. The Tiny outputs the selected card sequence once a second on one of its IO pins, but a momentary push switch isolates that from the transistor driver. So nothing actually happens at the coil unless I'm holding down the 'SEND' switch.
Note that you don't actually need to swap the polarity of the coil current; it suffices to just switch it on and off. That makes the drive electronics a lot easier. I put a reverse biased LED in parallel with the coil to be my snubber diode. As a nice side effect you get some visual feedback when the coil operates. It turns out you also get some audible feedback - the magstripe reader makes some sick-sounding bleepy noises when you fire the coil with the shim in place. Not entirely sure why, but it heightens the sense of being a wicked cool hacker from a 90's film.
The rest is pretty ordinary; a menu switch and some LEDs to cycle through memory slots, headers for a serial link connection and for a magstripe reader connection. The final assembly in action looks something like this:
The good news is that it works! As captured by a logic analyser, here is the output from swiping my real ID card, and under that is the output from faking my ID card. The extra channel on the spoofed data shows you what the I/O pin driving the coil was doing to generate this.
To clarify the operation of the 'card detect' signal from the reader: I initially thought this was based on some kind of mechanical switch that detected a card in the slot. But it's not - it's just based on getting a certain number of coil toggles. So you don't need to swipe the shim, you can just place it in the swipe slot so it's sitting on the read-head.
Zoomed out this far it doesn't look like a very good match, but if we look a little closer we can see that the spoofer did indeed make the card reader produce the same output sequence:
(This also hopefully clarifies the coil sequence; within one clock period a single toggle causes data high and two toggles causes data low)
So great, I succeeded at the dark art of magstripe spoofing! After this technical diversion, let's resume the story. Now that I can fake a card, was I able to open a door knowing only an ID number?
Sadly (but at the same time happily) no, it didn't work. There are a few possibilities here, but my suspicion is that whoever designed this security system did a decent job of it and used more than one data track. So in reality there is probably more than just the ID number on the card, but with only a track 2 reader that's all I saw. The design of the spoofer I've discussed can only fake one data track, which could still be interesting in some applications but is not enough here. (In principle you could fake three tracks at once but you would need a very complicated shim).
So my suspicious looking entry device was rejected and my office door remains secure ... against myself.