The smartcards used to pay for public transportation in the Netherlands may now be hacked with an Android phone, according to a report from NOS.nl. The crack requires two free apps that allow the cracker to load the card with money and travel without paying anything.

NOS carries little detail on the nature of the hack, but Dutch hackers appear to have a somewhat long and storied history of cracking the Netherlands’ smartcard, the OV-Chipkaart. The chip inside the card has been modified repeatedly by the card creator, Trans Link, but there is no shortage of tutorials on how to hack them, and there are plenty of stories about hacks that have taken place. There are also less technical Android apps to circumvent paying for transport, like OV Hacker, which plays the tone a Chipkaart would make when successfully scanned in order to trick bus drivers.

A research article from 2009 laid out how the RFID chip inside the card can be read with an NFC reader, decrypted with one application, and then reloaded with the desired amount by another application. The chip has been modified since then, but there’s at least one thread on the xda-developers forums where a user notes that his Android smartphone was able to read out the (encrypted) contents of his OV-Chipkaart with the NFC reader inside his phone.

As recently as last month, the underlying chip inside the Netherlands transportation smartcard was the Mifare Classic, made by Netherlands-based NXP Semiconductors, said Karsten Nohl, chief scientist at Security Research Labs in Berlin. More than five years ago, Nohl was part of a team of researchers who cracked the encryption of the Mifare Classic after reverse engineering the card circuitry and discovering a flaw in the cryptographic algorithm stored there. He said he was aware of previous hacks on the Netherlands transportation card and said it wouldn't be surprising if Android-based hacks existed, too.

"Given that this micro-payment scheme still uses Mifare Classic, attack tools are readily available," Nohl told Ars. "Cards can be cloned, for example, which would result in diverting the counter on the duplicate cards and later be detected in the fraud monitoring. With the use of smartphones, cards can potentially also be 'shared,' allowing multiple people to use the same monthly subscription."
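
The fraud-monitoring check Nohl alludes to can be sketched as follows. This is an added example, not code from the article or from the card operator. It assumes each tap reaches the back end with the card's UID and a per-card transaction counter that a genuine card only ever increases; the record layout, function name and sample taps are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample taps: (ISO timestamp, card UID, station, transaction counter).
SAMPLE_TAPS = [
    ("2000-01-10T08:01", "04A1B2C3", "Utrecht", 41),
    ("2000-01-10T08:40", "04A1B2C3", "Amsterdam", 42),
    ("2000-01-10T08:05", "0499FFEE", "Delft", 7),
    ("2000-01-10T09:15", "04A1B2C3", "Rotterdam", 42),  # duplicate card reuses 42
    ("2000-01-10T17:30", "04A1B2C3", "Amsterdam", 43),
    ("2000-01-10T18:02", "04A1B2C3", "Rotterdam", 43),  # and diverges again
    ("2000-01-10T17:45", "0499FFEE", "Den Haag", 8),
]


def find_clone_indicators(taps):
    """Return (uid, reason, tap) for taps that cannot come from a single card.

    A genuine card yields one strictly increasing counter sequence. Two cards
    sharing a UID each continue from the copied state, so the back end sees
    the same counter value on different taps, or a counter that moves backwards.
    """
    first_seen = defaultdict(dict)  # uid -> {counter: first tap carrying it}
    highest = {}                    # uid -> highest counter seen so far
    alerts = []
    for tap in sorted(taps, key=lambda t: t[0]):  # process in time order
        _, uid, _, counter = tap
        earlier = first_seen[uid].get(counter)
        if earlier is not None and earlier != tap:
            # Same counter, different tap: two physical cards share this state.
            alerts.append((uid, "duplicate_counter", tap))
        elif earlier is None and uid in highest and counter < highest[uid]:
            # An older card state reappearing after newer ones were recorded.
            alerts.append((uid, "counter_regression", tap))
        # An identical record uploaded twice by a reader is not an alert.
        first_seen[uid].setdefault(counter, tap)
        highest[uid] = max(highest.get(uid, counter), counter)
    return alerts


if __name__ == "__main__":
    for uid, reason, tap in find_clone_indicators(SAMPLE_TAPS):
        print(uid, reason, tap)
```

Because readers may upload taps in batches, a check like this runs after the fact, which matches the "later be detected" wording in the quote.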

The Google Play market for Android apps hosts a variety of tools purporting to hack various Mifare smartcards. The Mifare Doctor, for example, claims to offer functionality that can read, write, and clone card data. Specific capabilities include resetting, increasing, or decreasing value blocks. The NFC Tag Cloner, meanwhile, claims it can "read one, write one tag" or "read one, write many tags." The developers go on to say the app supports "raw dumps of Mifare Ultralight and Mifare Classic tags."

We were not able to test these apps to see if they work as advertised. Nonetheless, they appear to mimic the same process as described in the above articles about the hack of the Mifare Classic: one to decrypt, one to reload. While NOS does not specify, an Android phone with an NFC reader would probably be required.