Android app reads RFID transit cards

Eric Butler, creator of FireSheep, has released an Android app that can read RFID fare cards used on some major US transit systems. The app is not designed primarily as a tool for revealing private data or, as was the case of FireSheep, to raise awareness. However, it does demonstrate how simple it can be to access the information on these chips and highlights the need for them to be secure.

The app currently runs only on the Nexus S phone from Samsung. It is unclear what the maximum range is for reading a fare card with that phone, but Butler suggests that a user would be able to read a card in a wallet by brushing up against them. He also notes the type of information that is accessible. The ORCA card used in Seattle, for example, reveals a full trip history.

The easy availability of RFID (or NFC) readers in smartphones means that these systems need to be more secure, but smartphones might also be the key to realizing that. The lack of security in most contemporary RFID cards is due to a lack of power–both processing and electrical. However, smartphones have more than enough power to handle sophisticated authentication and encryption. By having an ORCA smartphone app rather than an ORCA card, the convenience of RFID can be offered securely.