DB Call a Bike

= New RFID enhanced Call a Bike bike rental system in Berlin =

Since 2011 Deutsche Bahn has been deploying an updated Call a Bike system called StadtRAD in Berlin and Hamburg. Interestingly, the new system seems to use passive RFID technology to rent bikes. On this page we will collect technical information in order to evaluate the system's security. According to the magazine RFID im Blick, Mifare 1K cards will be used.

We received one of these cards recently, and it is shipped empty with the default authentication key. The security is broken, as only the card UID is used for authentication; the card content and the keys are not used at all. Not having two-factor authentication (card + PIN) is a mistake, since a second factor would ensure that copied or emulated cards alone cannot be used by attackers. The scheme can be easily circumvented with gray-market Mifare Classic card clones that have a changeable UID.
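To make the design point concrete, here is an added example (not code from the Call a Bike system, Deutsche Bahn or this wiki) modelling the terminal's authorisation decision two ways: the UID-only check the page describes, and a UID + PIN check with a hashed PIN and a lockout after repeated wrong PINs. The UID, the PIN, the customer record and the in-memory backend are all constructed for the example; a real backend would hold the records in a database and the reader would supply the UID from the ISO 14443A anticollision step.

```python
"""Added example: UID-only versus UID + PIN authorisation for a bike terminal.
Everything here (UIDs, PIN, backend store) is constructed for illustration."""

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data. A Mifare Classic 1K card reports a 4-byte UID.
REGISTERED_UID = bytes.fromhex("04a1b2c3")   # hypothetical customer card UID
REGISTERED_PIN = "4711"                       # hypothetical PIN chosen at enrolment
MAX_FAILED_ATTEMPTS = 3


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so that a leaked backend record does not reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class CustomerRecord:
    uid: bytes
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def enrol(uid: bytes, pin: str) -> CustomerRecord:
    """Create a backend record; only the salted PIN hash is stored, never the PIN."""
    salt = os.urandom(16)
    return CustomerRecord(uid=uid, pin_salt=salt, pin_hash=hash_pin(pin, salt))


# In-memory stand-in for the rental backend, keyed by card UID.
BACKEND = {REGISTERED_UID: enrol(REGISTERED_UID, REGISTERED_PIN)}


def unlock_uid_only(presented_uid: bytes) -> bool:
    """The weak scheme from the page: the UID the card reports is the only factor.
    Any card or emulator reporting a registered UID is accepted, so the decision
    rests entirely on a value that is readable without any key."""
    return presented_uid in BACKEND


def unlock_two_factor(presented_uid: bytes, pin: str) -> bool:
    """UID plus PIN. A card reporting a known UID is not enough on its own, and
    guessing the PIN at the terminal is limited by the lockout counter."""
    record = BACKEND.get(presented_uid)
    if record is None or record.locked:
        return False
    candidate = hash_pin(pin, record.pin_salt)
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(candidate, record.pin_hash):
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        record.locked = True   # requires an out-of-band reset by the operator
    return False


def is_locked(presented_uid: bytes) -> bool:
    """Report whether the record for this UID has been locked out."""
    record = BACKEND.get(presented_uid)
    return bool(record and record.locked)


if __name__ == "__main__":
    # A second card that reports the registered UID passes the weak check ...
    print("UID only:", unlock_uid_only(REGISTERED_UID))
    # ... but not the two-factor check without the PIN.
    print("UID + wrong PIN:", unlock_two_factor(REGISTERED_UID, "0000"))
    print("UID + right PIN:", unlock_two_factor(REGISTERED_UID, REGISTERED_PIN))
```

The point of the second function is not the PIN hashing itself but that the decision no longer depends solely on a value the card hands out freely; the lockout counter is what keeps a four-digit PIN from being brute-forced at the terminal.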

= Open Questions & Wild Speculations =

 * The terminal communicates via RF with the bike. Which frequency is used (868 MHz or 2.4 GHz)?
 * A customer card with RFID capabilities can be used to unlock the bike. Which card type? (Probably ISO 14443A Mifare 1K S50.)
 * Two systems seem to coexist: Flex and Fix.
 * The Flex system seems to be a removable station installation where the position of your bike is marked by white stripes on the ground. The terminal optionally comes with a concrete pedestal and can be moved.
 * Fix seems to be a fixed installation with concrete blocks or metal pillars where the bike positions are mechanically defined.